Slashdot Mirror


SiteKey to Prevent Phishing

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

58 of 377 comments

  1. I don't have time for that junk by A Dafa Disciple · · Score: 5, Interesting

    When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.

    Keep the password.
    Keep the button (which seems like a great idea by the way).
    Ditch the three questions.

    1. Re:I don't have time for that junk by LiquidCoooled · · Score: 5, Interesting

      (dunno why you're marked as troll, but anyway)

      Phishing sites will include a big button as well
      clicking it will say:
      Of course your on the real bank website

      it does no good - I prefer the way my bank currently does it - I told them (in person when setting this up) a pass code, when logging in, they ask me for random sections of it (i.e. first, third and last digits).

      The scammers must manage to fool me multiple times to gain complete access to my account details.

      --
      liqbase :: faster than paper
    2. Re:I don't have time for that junk by iamdrscience · · Score: 3, Informative
      Phishing sites will include a big button as well clicking it will say: Of course your on the real bank website

      RTFA. Clicking the button shows a picture to the user that they have picked. A phisher would not be able to easily defeat this.
    3. Re:I don't have time for that junk by DingerX · · Score: 4, Insightful

      Nonsense. "We're sorry. Our personal image and passphrase server is offline for routine maintenance. Please continue about your transaction."

    4. Re:I don't have time for that junk by iamdrscience · · Score: 2, Interesting
      Nonsense. "We're sorry. Our personal image and passphrase server is offline for routine maintenance. Please continue about your transaction."

      The thing about that is it's just one more thing to tip a user off that something's not right. You might catch some people with that, maybe even the vast majority, but suppose it only stops 5% of users from continuing. That's a 5% reduction in phished account passwords, and that's not too bad. Sure this scheme isn't going to solve the whole problem, but any little bit helps.

      Also, I don't think saying that the server is offline would be as effective as you think. I mean, with most phishing schemes that's not going to be the only thing that might tip off a potential phish that things aren't right. For instance, most phishing scams go by e-mail. Somebody might be a little suspicious of an e-mail asking for them to verify their bank information (if not because it's an e-mail, then because it's likely to contain spelling mistakes if it's spam from overseas), but decide to go to the site because of the urgency in the e-mail (most threaten that if the e-mail isn't responded to immediately, their account will be shut down). If they're already a little suspicious, this one more suspicious thing might be enough to get them to say "fuck it, I'm not sure about this" and call up the bank to see what's up instead (or more likely than calling, they'll probably just ignore the situation and hope everything works out right).
    5. Re:I don't have time for that junk by Anonymous Coward · · Score: 2, Funny

      But then it'd be easy to spot the scammer:
      Of course your on the real bank website
      The real website however would say:
      Of course you're on the real bank website

    6. Re:I don't have time for that junk by jesup · · Score: 3, Insightful

      As another poster pointed out, the Phisher can (instead of capturing your password) just initiate a MITM attack - create a spoof website that takes your info, passes it to the bank, and shows you what the bank sends you. Unless the bank overlays the apparent IP address (and the user knows if it's correct) of the source, this will work. More hassle, but lets them get all your info, then pass you off to finish your transaction, then they log in to strip your account.

      There is a way to deal with this problem too, but I can't go into it at present. (Sorry)

    7. Re:I don't have time for that junk by CaymanIslandCarpedie · · Score: 3, Informative

      I think the point the parent is making is if the bank gives you the image based on username/password, then it is quite possible to get around this.

      1) You enter your username/password on the phishing site.
      2) The phishing site then uses this username/password to retrieve the image from the bank site
      3) You verify image ......

      So when he is talking about botnet, he is talking about logging on to the bank site as you using the username/password you just gave them and then showing you the image returned from the bank site.

      One more little hurdle for them to overcome which is good, but certainly not foolproof.

      --
      "reality has a well-known liberal bias" - Stephen Colbert
    8. Re:I don't have time for that junk by MyLongNickName · · Score: 2, Funny

      I have a rebuttal to your comment, but I can't go into it at present. (Sorry)

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    9. Re:I don't have time for that junk by clausiam · · Score: 2, Interesting
      No, the bank uses your username to get you the image and your own personal sitekey text. You only enter the password once you're happy with the sitekey. If your machine is recognized (cookie) you only need to enter your username to get the sitekey. If not, you are asked to answer the 3 personal questions.

      For a phisher to break this he would either need to know the 3 questions or he would have to read your BofA-site-only cookies (don't know if such an exploit is possible) and use your username and cookie to retrieve the sitekey from BofA.

    10. Re:I don't have time for that junk by SillyNickName4me · · Score: 2

      SiteKey has been available in my state for several weeks. It works like a charm and is as quick as checking the SSL certificate each time I log in. (You DO check SSL certs, don't you)

      So the question is what does it provide that SSL does not provide for already..

      The most important thing it provides for is yet another human check on if the site is really the website of the bank.

      Currently people have to carefully check the URL (in the address bar and on the SSL certificate), which we know to not work very well due to end-user sloppiness and possibly some nasty tricks with Unicode.

      The problem with this approach is that it is not very likely to make people do the right thing, first of all because it is just inconvenient and second because people often get sloppy when having to do the same check again and again.

      The bank I use (like most banks over here) uses a one time password system, based on a small calculator-like device and my bankcard. They give out the calculators for free so as long as you have a bankcard from them, you can walk into any of their offices to get one just in case you need one and forgot yours.

      Extending this with a challenge/response based verification of the website by means of this same device seems a workable extension of this that would address this problem in a much better way.

      Yes, it is still more inconvenient, but the actual check is done by a machine instead of a human, and that machine won't get tired of doing such a check again and again and hence won't get sloppy.

      SiteKey seems to use a cookie, which seems to be an attempt to prevent having to do this check each time you use the website, which basically works until someone uses some cookie cleaner and does not want to bother figuring out which cookies to preserve (and many people don't even if they know where to look and what it means to begin with).

      As a result, those who know they have to 'secure' their computer but lack the knowledge or time to do it in a 'fine grained' way, will likely be confronted with this check each time they restart their browser.

      In other words.. good idea, bad implementation for as far as I can see.

    11. Re:I don't have time for that junk by julesh · · Score: 2, Funny

      I have a rebuttal to your rebuttal, but it is too large to fit in the width of this much-indented comment thread. (Sorry)

  2. Useless. by Seumas · · Score: 5, Insightful

    And those three personal questions will be:

    What is your credit card number?

    What is your credit card's expiration date?

    What is your credit card's three-digit CCV number?

    Seriously though, I don't care if you require users to use ten pieces of personal information. They'll still choose to use the same information at 90% of the sites they deal with. And there will still be people with access to that information - whether they're administrators and customer service persons or crackers who steal their database full of customer data. The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you.

    Thanks, but I'll keep using the ambiguous password. It's easy to find out where a person was born or when or what their maiden name is. It's a lot more difficult to guess that their password is aPh1l@m8.

    Besides, I never give those "personal question" fields real information. Then I end up not only having to remember a password for each site, but a fake maiden name, birthplace, favorite team, first pet and so on. Screw that noise.

    And if you're dumb enough to think that PayPal really is sending you two dozen queries about the validity of your account per day, you should just give your money away and shoot yourself in the head anyway.

    1. Re:Useless. by IDontAgreeWithYou · · Score: 5, Funny

      What is your name?
      What is your quest?
      What is your favorite color?

      --
      Finding other idiots on /. that agree with your opinion doesn't make it any less stupid.
    2. Re:Useless. by blatantdog · · Score: 4, Informative

      I have a BoA account with SiteKey and here is how it works:

      - Three questions are one time only and are NOT credit card or account related
      - You also choose a tacky photo
      - Once the questions are set then it will ask you only one time from the machine you are at to answer one of the three questions
      - Once you have answered you are presented with the tacky photo and a request for your password
      - You have to reauthenticate at each machine you are at and let BoA know if you want that machine added to the list of "safe" machines, meaning you don't have to answer the question again and are presented with only the photo and request for password.

      whew!

    3. Re:Useless. by FlopEJoe · · Score: 2, Funny

      And still... all of this is useless when Bank of America lost my information on a tape backup during transfer. No wait... they finally admitted it was stolen. But I shouldn't worry. Sigh.

  3. UK has had this kinda of tech for ages by MikeDX · · Score: 5, Insightful

    "My" online bank http://www.cahoot.com/ (which is the online arm of the Abbey National) has had this type of authentication for ages. Every time I login, I am asked different questions, each login is different and has worked extremely well. Of course if you are phished you can still be tricked into giving away the answers to the questions you gave and used during the signup process. Instead of providing your complete password, you give certain characters from the password, for example the 2nd and 6th characters, selected from a drop down box, so keyloggers are effectively rendered useless.

    There are always going to be people who are too careless with their information, and there will always be other people who are very willing to take all of your personal information to clean out your bank accounts..

    1. Re:UK has had this kinda of tech for ages by Gaima · · Score: 2, Insightful

      every time I login, I am asked different questions, each login is different and has worked extremely well

      Halifax do the same, but Cahoot's system is flawed in a different way than all multi-question systems are flawed.

      Firstly, Cahoot's flaw, because it's funny.
      I've had a Cahoot account for a long time, long before they changed to asking for 2 letters from an answer, entered from drop down boxes. The first time I tried to login with this new system, I could not, because the answer to the question they kept asking me had characters in it the drop down boxes didn't have!
      Why they couldn't just generate a list of all the characters in all the answers I don't know... Won't be doing any more business with them.

      Second problem.
      A *long* time ago I thought I'd go look at a phishing attempt for Halifax. They've always had multiple questions/answers AFAIK. The phishing site was quite simple, they asked for the answer to all 3 standard questions on one page!

      As at least one other poster has mentioned, the Finnish (?) system, with random numbers on a card is the way forward. No question.

  4. Monkey in the middle by DaveCar · · Score: 2, Interesting

    Difficult to tell seeing as TFA is almost completely content free, but if I was a scammer couldn't I just act as MITM with the SiteKey button to get the 'secret' image containing their magic phrase?

  5. How will SiteKey stop phishing? by statemachine · · Score: 2, Interesting

    From TFA:
    "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

    So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?

    What kind of idiot came up with that idea?

    1. Re:How will SiteKey stop phishing? by iamdrscience · · Score: 3, Insightful
      From TFA: "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

      So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?

      What kind of idiot came up with that idea?

      The idea works with two levels of verification. For instance, you might have to enter a username and password and then be allowed to see your secret image, then after that, you enter another username and password. This way, nobody can see your picture unless they already have your username and password, and if you get phished for those, you know it because the picture isn't right, but they don't have your second username and password required to actually access your account. I suspect that this system will work similarly to that, but instead of a second username and password, you enter the answers to your personal questions.

      Still though, it seems like a potential flaw would be that you have to click on something to verify you're on the bank's site. Why not just show you your picture by default? It seems like a lot of people just wouldn't bother verifying the site and they would get phished the same as they would be now.
    2. Re:How will SiteKey stop phishing? by eth1 · · Score: 2, Insightful

      "This way, nobody can see your picture unless they already have your username and password, and if you get phished for those, you know it because the picture isn't right, but they don't have your second username and password required to actually access your account."

      So, if I were a phisher, I'd work it like this:
      User: *enter u/p on phishing site*
      Phishing site: *slurp*
      Phishing site: *log in to bank site with new u/p and retrieve image*
      Phishing site: Look! We're really the bank, see??
      User: *phew!* *enters other u/p*
      Phishing site: *slurp*
      User: NOOOO!!

      And if you can't get the image immediately, just print an error and tell the user to either continue or return later.

  6. 3 PERSONAL Questions by Uukrul · · Score: 5, Funny

    Patriot Act Enhanced Questions

    1. Religion?
    2. Who did you vote for last election?
    3. Are you a terrorist?

    --
    My city: Barcelona.
    1. Re:3 PERSONAL Questions by peterih · · Score: 2, Interesting

      That reminds me of the questions I had to answer when I wanted to travel to America in 1995 - Are you a communist? - Do you have connections to the mafia? - Do you know how to build your own handgun? And many more like that...

  7. Simpler solution: password cards by Max Romantschuk · · Score: 4, Informative

    I have a username and password which logs into my bank account. If it were compromised whoever has the password can see my transactions, that's it.

    In order to actually do stuff the bank (and all Finnish bank sites I know of) use a challenge/response system: I have a card which has a bunch of random number passwords on it, around a hundred, in number:password pairs. The site asks for "password number X" (one number per session) and I give it. These passwords are unique to my own account, and the card has no identification, so if my wallet gets stolen it's useless without knowing which bank and account it's for, as well as the username and password for logging in.

    If I were fooled by a phishing site they'd get one of the hundred passwords required for a transaction, and the bank would notice pretty quick if they tried logging in and out for hours trying to get the correct challenge assigned to the session.

    Simple, yet very effective.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
    1. Re:Simpler solution: password cards by Res3000 · · Score: 2, Interesting

      Here in Switzerland we have a similar system. I have a login name and a password, and a little card that changes the 6-digit number every minute.

    2. Re:Simpler solution: password cards by riflemann · · Score: 3, Interesting

      This is of limited effectiveness. It works for a while, but has been cracked.

      A few months ago, a well known Dutch bank (Postbank) was targeted, with scammers directing people to a phishing site. This site asked for their username, password, and the next 3 of these codes (many people mark the ones they've used).

      Many people were duped, proving that it's not that good for security.

      Far better is the card/token type system (see my comment for details).

  8. Ah, Geez. More coding by smchris · · Score: 2, Funny

    With the HTML they'll have to keep churning out, pretty soon phishing is going to seem like a real job.

  9. and this "prevents" it how? by ack154 · · Score: 2, Insightful
    If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam.

    I don't understand how this is going to stop stupid people from entering their info on some other website that the phishers have setup. It's not like the fake website is going to say "hey, there's no sitekey button here, we're not real."

    I just don't think changing the login procedure for the actual site has anything to do with stupid people clicking fake links and entering their info into a phishing site... If I'm missing a piece of this, please, do tell.
  10. Similar but effective by toshidan · · Score: 2, Interesting

    Nationwide Building Society in England implements a system that still uses a PIN but each time you login you are asked for three random digits from your PIN.

    When it comes to cash, I'm more concerned with security than spending less time logging in. I think asking for randomized data sets at each login is a good move.

    While it's not the perfect solution (if the machine is compromised it would only take a matter of time before the phisher got the info) having a rotating login is slightly more comforting.

  11. Bad rip-off by Eivind · · Score: 2, Interesting
    This seems like a combination of the typical insecure, stupid "personal question" with an actually good idea: the personal image.

    The first, using a "personal question" as a means of making easily guessable passwords more secure is dumb. It is true that people often choose easily guessable passwords. But people *even* more often choose easily guessable "personal questions". "Mother's maiden name" for example. That's how Paris Hilton's address book got cracked: She'd used the hugely difficult "personal question" about the name of her dog. It takes only 10 seconds of googling to find the answer to that...

    The personally selected secret image on the other hand is a good idea: phishers rely on the fact that they can easily create a fake website that looks like the real one.

    If the real one has some element that is unique to you, they won't be able to copy that, simply because they don't know what it is.

    This *ain't* the system common in Scandinavia (and other countries) by the way. What we have is generally a one-time "tan" to authorise transactions, provided either as a paper-list where you cancel out those you used, or from a small cryptographic device that generates them using the current time, your account-number and a secret embedded key.

    It is, however, just a weaker version of the proposed "security skins", which is an excellent idea to prevent or reduce phishing.

    My bank, Skandiabanken, does this, sort of, already. (though they underpublicise it). There each user has a private security certificate used to authenticate the user, in addition to the pin.

    This helps in two ways:

    First, even if you knew my customer-id and my pin, you still could not log in on my account, you wouldn't have the certificate.

    Secondly, it enables the bank to identify me even before I log in, thus giving me a personal greeting not easily copied by phishers: on the login page, before I've entered anything the bank says: "Hello Eivind Kjørstad."

    Phishers have no easy way of doing that, they generally don't have a clue which user is sitting behind which ip.

  12. Geezz ... by Elgreco1 · · Score: 2, Interesting

    This is not about "phishing" other than the button. Press the button and you verify it is your bank. The questions are to verify users, because users seem to use the same password for hotmail and blog sites as with banks. I would suspect soon we will all carry a USB key coupled with a password to identify us. As for the button, all they should have is a picture of ourselves when we log in. If it is not there ... hey !!! Bingo, I am in Crusty Bank of Nigeria. Giorgis

  13. More feel good security by thogard · · Score: 2, Insightful

    The button might help. But the button on the phishing site might go off to a bot network that pulls a real picture off the main site and there is no way to tell if that's happening from the bank side of things.

    There are a few questions I'm not going to answer online and I'm guessing most of them will be suggested questions.

    The last issue is why the high security when it's not needed? My credit card balance is public knowledge at least to anyone that can do a credit check which limits it to about 10 million people.
    A better system is typical lame password security access for read access to balances and transaction lists but an extra layer when I want to do something like move money to a different account and maybe an extra layer if I want to do something like move money to a foreign country.

  14. Re:A button? by R.D.Olivaw · · Score: 2, Informative
    how exactly does a button make this not a phishing site? are you telling me Bank of America has coders which can create buttons that have a greater level of power than the boys over in Ukraine or Russia? c'mon now...

    from TFA: "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

  15. Obligatory by value_added · · Score: 5, Funny

    BofA: What is your name?
    Sir Lancelot: My name is Sir Lancelot of Camelot.
    BofA: What is your quest?
    Sir Lancelot: To seek the Holy Grail.
    BofA: What is your favorite color?
    Sir Lancelot: Blue.
    BofA: Right, off you go.

  16. Not very effective.. by riflemann · · Score: 3, Interesting

    It's about time more banks started implementing true security online. In Europe, the majority of banks give a device which gives at least the same level of security as a normal cash machine/ POS transaction.

    You put your bank card in the device, enter your PIN, and then enter a number given on the site. Hit OK and put into the site a number returned by the device. The algorithm requires the pin number and specific card to calculate the number, so dictionary attacks are thwarted.

    Having these 3 personal questions is of limited effectiveness - until the scammers simply make a phishing site which asks the same questions.

    Why can't US (and Australian) banks just issue these card reader/token devices? It satisfies the requirements of user authentication.

    - Something you know (your PIN)
    - Something you have (card + device)

    I guess they're too cheap to do it and rely on fraud insurance to compensate for lost money.

  17. Reverse the logic for it to work by bigattichouse · · Score: 2, Insightful

    The bank site needs to tell *YOU* something secret first.

    Me (arriving at site): zooble my gooble?
    Bank Site: flooble
    Me (ok I trust you)

    Instead of the site asking me for a password, I give the bank a challenge word or phrase, and I expect a certain response.

    --
    meh
  18. How this actually works... by Anonymous Coward · · Score: 4, Informative

    I'm a BOA user and use Site Key. For those that have no clue - CNN's interpretation of this "feature" is off. That should not surprise you.

    At any rate - when you sign-up for site key, you have 3 questions you can pick and give the answer to. You also select YOUR "siteKey" image.

    From that point forward, when you go to the BOA site, you enter your Login ID, click "Login with siteKey" and it will display your sitekey image. This verifies that it is a BOA website because it displayed you the correct image.

    That's all the image is for- verify this is a real BOA website. That is the purpose anyway.

    You are then asked to enter your normal password and are directed to your account information.

    Now, for the secret questions. Those come into play when you are accessing your account via a PC that was not the original PC you set up siteKey on. If the PC is not recognized (via a cookie I am sure), you are displayed 1 of your 3 questions rather than the sitekey image.

    When you answer the question, you are displayed the sitekey for verification and login as normal.

    Anyway, that is how it actually works. It isn't asking you 3 questions AND your password every time you login.
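    As an added example (not Bank of America's code and not posted by anyone in the thread), here is a toy Python model of the flow the Anonymous Coward above and clausiam describe: the image is released only when the username arrives together with a device cookie the bank itself minted for that username, otherwise one of the three questions is asked and a correct answer registers the device. The user record, the HMAC-signed cookie format and the server key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example; not a real deployment.
SERVER_KEY = b"constructed-server-secret"   # assumption: per-deployment secret
USERS = {
    "alice": {
        "image": "sailboat.jpg",
        "phrase": "blue skies",
        "questions": {"first pet": "rex", "birth city": "oslo", "first car": "saab"},
    }
}
# Decoy questions so an unknown username gets the same kind of reply as a
# real one (no account enumeration from the SiteKey step).
DECOY_QUESTIONS = ["first pet", "birth city", "first car"]


def _sign(username, device_id):
    """Tag that binds a device id to one username under the server key."""
    return hmac.new(SERVER_KEY, f"{username}|{device_id}".encode(),
                    hashlib.sha256).hexdigest()


def issue_device_token(username, device_id=None):
    """Mint a 'remembered device' cookie value for this username."""
    device_id = device_id or secrets.token_hex(8)
    return f"{username}|{device_id}|{_sign(username, device_id)}"


def device_recognised(username, token):
    """True only if the token is intact and was minted for this username."""
    if not token:
        return False
    parts = token.split("|")
    if len(parts) != 3:
        return False
    user, device_id, tag = parts
    return user == username and hmac.compare_digest(tag, _sign(username, device_id))


def request_sitekey(username, token=None):
    """Step 1 of login: username plus optional device cookie, no password yet.
    Returns ('image', img, phrase) for a recognised device, else ('question', q)."""
    user = USERS.get(username)
    if user is None:
        return ("question", secrets.choice(DECOY_QUESTIONS))
    if device_recognised(username, token):
        return ("image", user["image"], user["phrase"])
    return ("question", secrets.choice(list(user["questions"])))


def answer_question(username, question, answer):
    """Correct answer registers this device and releases the image; else None."""
    user = USERS.get(username)
    if user is None or user["questions"].get(question) != answer.strip().lower():
        return None
    return {"token": issue_device_token(username),
            "image": user["image"], "phrase": user["phrase"]}


if __name__ == "__main__":
    print(request_sitekey("alice"))                      # a question: no cookie yet
    reg = answer_question("alice", "first pet", "Rex")
    print(request_sitekey("alice", reg["token"]))        # now the image and phrase
    print(request_sitekey("alice", "alice|x|forged"))    # bad tag: back to a question
```

    Note that whoever holds a username and one correct question answer can register a device of their own, which is the limit CaymanIslandCarpedie and riflemann point out elsewhere in the thread; the device cookie only raises the bar for a site that has captured the username alone.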

  19. Re:Doh! by MadCow42 · · Score: 2, Insightful

    Brilliant comment, not.

    The image/phrase shown is supposed to be a secret one that the customer chose beforehand (i.e. when setting up their account).

    So, when I go to my bank site and click the button (presumably after logging in so they know who I am), if I don't see the cute little picture of my son and the phrase "you're cool", then I know it's a fraud.

    It's not just a standard image/phrase... it's customized and unique.

    RTFA, or even TFComments.

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.
  20. SMS authentication is already being used! by clef · · Score: 5, Interesting

    The National Australia Bank launched SMS authentication earlier this year.

    Whenever you transfer money or pay a bill (ie. anything risky), it sends a unique code via SMS to your phone. You then type that number into the system before it does the transaction.

    It's free too.

    It's highly unlikely someone has both stolen your mobile phone AND phished your details.

  21. Hello, this is the Visa card center calling. by Vo0k · · Score: 5, Insightful

    - Hello, this is the Visa card center calling. Am I talking with Mr. John Doe?
    - Yes, that's me. What's the matter?
    - We'd like to confirm. Are you trying to make a big purchase in a shop in New York?
    - No! I'm in Washington, DC! Oh my god! My wallet is missing! My card has been stolen!
    - Would you like to cancel the transaction and block your credit card?
    - Yes, please! Right now!
    - In order to do so, we need to confirm that you are indeed John Doe, the owner of the card and not that Mr. Doe's phone has been stolen.
    - Please! How do we do it?
    - Please give me the number of the credit card in question.
    - I don't remember!
    - Expiration date?
    - Next year, July or June, or maybe August...
    - Sorry, I can't take that for an answer. Any other info? Maybe the account number associated with the card? Or maybe the PIN number?
    - The PIN is 8352
    - Thanks, sucker!

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
  22. keyloggers aren't useless by RMH101 · · Score: 3, Informative

    speaking as someone whose SO has just lost 4,000 UKP through a compromised work PC via a keylogger and NatWest online banking, you're not as safe as you think you are.
    the latest PW_Glieder trojans will keylog and report back over a period of time: if you access your online banking a few times and are asked for characters X and Y from your password, chances are quite high that after a few logged sessions, the hacker will have enough info to build your complete password.
    this is very common indeed: current SOP is for them to move your money to another account at the same bank to which they've already stolen a matching debit card. move cash, then confederate will go into a branch and withdraw the money in cash and vanish...

    1. Re:keyloggers aren't useless by locofungus · · Score: 2, Interesting

      I won't use the Natwest online banking because it requires the use of Java and Javascript (at least it did less than a year ago)

      Any bank reasonably worried about security should not require either of these (and would recommend that they be switched off)

      Barclays don't require Java or Javascript and their online banking isn't that hard to use so there really isn't any excuse.

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    2. Re:keyloggers aren't useless by daBass · · Score: 2, Insightful

      MikeDX said: "for example the 2nd and 6th characters, selected from a drop down box".

      The important bit being the dropdown box. Sure, some browser plugin might still be able to get in the middle, but a keylogger is useless.

      You say you lost money, did NatWest pony up the cash, or were you personally responsible?

    3. Re:keyloggers aren't useless by bonzooznob · · Score: 2, Insightful

      On his bank site (Cahoot), it requests that you use your mouse to pick, from a select list, with a scroll bar, which item you want. It isn't perfect, but it is fairly effective in stopping even a keylogger.

      The keylogger wouldn't recognize a keystroke, because there wouldn't be one. If it was a "good" app, it might pick up the mouse click, and the co-ordinates of the click, but... the browser window may be in a different spot each time, the scrolling of the page may be different, AND the scrolling within the select list WILL likely be different.

      So, hacker, if lucky, would have evidence of mouse clicks, but not know on which characters, for which positions (e.g. pos=2, pos=5, pos=3...)

      Again, not the perfect solution, but definitely a much better solution than most.

      --
      Bonzo
  23. What the bank should do is ... by maxwell+demon · · Score: 2, Interesting

    ... to digitally sign the web page, and give a key fingerprint on paper to the customers (so they can check they are really installing the correct public key and not a fake). Signing the page would not only ensure that the page comes truly from the bank, but also that there's no malicious change in it (as might be done through a man-in-the-middle attack, e.g. to send the data to another than the bank's server).

    Does HTTP support signed web pages (as opposed to just encrypted transmission)?

    Note that the authenticity verification would not depend on some third-party certificate (where you have to trust some certification agency possibly unknown to you), but on a paper sent to you by the bank itself. Thus you have only to trust your bank (if you don't trust that, you'd better change it anyway), and fraud would need to intercept both the bank web site and the postal delivery. Which I think will be beyond the ability of the typical phisher.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  24. Re:FIRST FISH! by Anonymous Coward · · Score: 2, Funny
    I AM A FISH!

    Maybe ... but do you have a
    <button type="very, very securish! Really!">Click</button>
    to prove it?

    See, I thought so.
  25. One possible problem. by argent · · Score: 2, Insightful

    You pick your "sitekey" image from their website?

    Presumably they only have a limited number of images. The phisher can display one of the possible sitekey images at random. They will only catch at most 1/N victims, but they will have a better chance of catching the 1/N that they do match because that person will have seen the right sitekey.

  26. back door taped shut, front door still wide open by drfireman · · Score: 2, Insightful

    Phishers (or whatever you want to call them) don't want your credit card number so that they can log into your card issuer's site as you. They want it so that they can buy stuff using the card. Your site can ask for your fingerprints, a sample of your DNA, and a photograph of your bathroom, and it won't help a bit with the phishing problem as long as vendors, the people who accept credit cards in exchange for merchandise, are willing to make do with the kind of information phishers can get most easily.

  27. A Quick Anti-Phishing Tutorial by pandrijeczko · · Score: 2, Informative
    This is a header from a mail I received claiming to be from Ebay inviting me to become a Power Seller:

    Received: from ebay.com (84-22-184-100.iomart.com [84.22.184.100]

    It already tells me it's not from Ebay, but let's pretend we just have the IP address to work with. A quick reverse DNS check:

    aragorn ~ # hostx 84.22.184.100
    Name: niciis1.iomart.com
    Address: 84.22.184.100

    The above was done on a Linux box but a Windows user with Outlook can just bring up the email, select View/Options and look at the last "Received:" line in the email. Pull the IP address out of that line and use "nslookup" in place of "hostx" above in the CMD prompt.

    Yes, this one's definitely not from Ebay but from someone on the iomart.com domain. Email is fake, phishing scam failed. Just do the same test with any suspect email and see if the domain name is what you expect it should be. It's that simple!

    It's nothing flash and a helluva lot of people on Slashdot already know how to do this, be they Linux, Windows, Other OS users.

    In fact, an automated script on my mail server already did this for me and SpamAssassin had already captured this as a Spam email.

    So to the less experienced people out there, this is just a quick demonstration to show you how easy it is to detect a phished email. All it needs is a little investigation and a little knowledge...

    So let's hear no more about phishing because we are now all responsible enough to do it ourselves.

    Move along, nothing more to see here.

    --
    Gentoo Linux - another day, another USE flag.
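
The check the post walks through by hand (pull the IP out of the last "Received:" line, reverse-resolve it, compare the result with the domain the sender claims) is easy to script, which is what the poster's SpamAssassin setup was doing for him. The following is an added example, not the poster's script or SpamAssassin's code. It parses the Received line quoted above and reports whether the claimed HELO name and the reverse DNS name belong to the same domain. To run offline it uses a constructed table in place of `socket.gethostbyaddr`; the first entry reproduces the `hostx` result from the post, the second entry and the second header are made up.

```python
import re
from typing import Callable, Dict, Optional

# Constructed stand-in for reverse DNS (socket.gethostbyaddr) so the example
# runs offline. 84.22.184.100 -> niciis1.iomart.com is the post's own hostx
# result; the 198.51.100.7 entry is invented for the matching case.
CONSTRUCTED_PTR: Dict[str, str] = {
    "84.22.184.100": "niciis1.iomart.com",
    "198.51.100.7": "mx1.example-bank.test",
}

# "from <HELO name> (<reverse name> [<ip>]" as written by the receiving MTA.
# The reverse name in parentheses is optional because some MTAs omit it, and
# no closing parenthesis is required because the post's header is truncated.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s(]+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

# The header quoted in the post, and a constructed consistent one.
SAMPLE_PHISH = "Received: from ebay.com (84-22-184-100.iomart.com [84.22.184.100]"
SAMPLE_LEGIT = ("Received: from mx1.example-bank.test "
                "(mx1.example-bank.test [198.51.100.7]) by mail.example.test")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' domain: niciis1.iomart.com -> iomart.com.
    Production code should use the public suffix list (example.co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_received(header: str) -> Optional[Dict[str, str]]:
    """Extract the HELO name, the MTA-recorded reverse name and the IP."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns") or "", "ip": m.group("ip")}


def check_received(
    header: str,
    ptr_lookup: Callable[[str], Optional[str]] = CONSTRUCTED_PTR.get,
) -> Dict[str, object]:
    """Compare the domain the sender claims in HELO with the domain the IP's
    PTR record actually points at. Only the IP is trustworthy here: the HELO
    name is whatever the connecting host chose to say."""
    parsed = parse_received(header)
    if parsed is None:
        return {"verdict": "unparseable"}
    claimed = registrable_domain(parsed["helo"])
    ptr_name = ptr_lookup(parsed["ip"])
    actual = registrable_domain(ptr_name) if ptr_name else ""
    return {
        "ip": parsed["ip"],
        "claimed_domain": claimed,
        "ptr_name": ptr_name or "",
        "ptr_domain": actual,
        "consistent": bool(actual) and actual == claimed,
    }


if __name__ == "__main__":
    for header in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = check_received(header)
        flag = "ok" if result.get("consistent") else "SUSPECT"
        print(f"{flag}: claims {result.get('claimed_domain')!r}, "
              f"PTR says {result.get('ptr_name')!r}")
```

Swap `CONSTRUCTED_PTR.get` for a wrapper around `socket.gethostbyaddr` to use a live resolver. Remember that only the Received line added by your own mail server is reliable; lines below it were written by the sender and can say anything, which is exactly why the post tells you to look at the last one.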
    1. Re:A Quick Anti-Phishing Tutorial by Bassman59 · · Score: 2
      "Yes, this one's definitely not from Ebay but from someone on the iomart.com domain. Email is fake, phishing scam failed. Just do the same test with any suspect email and see if the domain name is what you expect it should be. It's that simple!
      It's nothing flash and a helluva lot of people on Slashdot already know how to do this, be they Linux, Windows, Other OS users."

      Come on. The average end user doesn't know how to plug in a goddamn USB cable, so do you really expect them to know how to run nslookup on the return addresses in suspect e-mail?

      "In fact, an automated script on my mail server already did this for me and SpamAssassin had already captured this as a Spam email."

      Now you've moved on to the world of uber-geek. Again, even if your idea is good, the typical user doesn't know what the hell you're going on about.

  28. Why not 143 passwords and 79 questions? by gelfling · · Score: 2, Insightful

    This is absolute nonsense. I can't tell you how many websites I've stopped doing business with because of their insane registration and logon requirements. This will just make that worse.

  29. Re:SSL? by antxxxx · · Score: 2, Insightful
    Mention an SSL certificate or CA to the majority of people and they will give you a blank look. Getting them to only enter details on a site that uses SSL, let alone one that has a valid CA is hard enough.

    Telling them they can check it's the correct site by clicking on a button that shows them a picture they chose is a lot easier.

  30. Banks are Dumb. by pyite · · Score: 2, Interesting

    So while Wachovia spent the last year or so moving AWAY from using a SSN to login to their site, Bank of America recently switched TO using SSNs. You'd think banks would have some sort of consensus on what sort of system to adopt, but obviously not. Oh, then there's ING Direct who, for some reason unbeknownst to me, decides to not use usernames, not use SSN numbers, but use arbitrarily assigned "customer numbers" to login. When I sent them a long letter on why they should use something easy to remember to login, they never gave me a reply. So, people end up writing down their customer number or, in my case, calling up ING almost every time I want to login to my account. Just give me a SecurID or Safeword password token and the problem is simply solved. I'll even pay for it!

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  31. Sitekey is better than article states by rnelsonee · · Score: 2, Informative

    I use Bank of America in Maryland, one of the test areas for SiteKey. As of now, the three challenge questions aren't used, although they did ask me to give them 3 challenge/response pairs. What Sitekey does do is after you sign in traditionally (Firefox stores this for me already, so I just click on 'Log in using Sitekey'), and then it shows you an image and phrase of your choosing. The important thing is that the image is stored (and encrypted) on BoA's server. So a phisher wouldn't have access to it, and would have to guess what your image is. It's the same tech discussed previously on Slashdot.

  32. "even by email to alert a user that it's happened" by weierstrass · · Score: 3, Insightful

    "We have received a request to transfer $x to account number Y in Nigeria. If you did not request this please click here to connect to our fraud prevention dept., and confirm your account details and passwords..."

    --
    my password really is 'stinkypants'
  33. Sitekey does not solve phishing by ttul · · Score: 2, Informative

    Sitekey is a pseudo-two-factor authentication system (pseudo because both factors of authentication are provided within the framework of the same bug-ridden PC). It absolutely does not resolve the phishing problem for Bank of America customers. It is also vulnerable to a trivial man in the middle attack.

    Here's why it doesn't solve phishing: Phishers have and will continue to phish BoA customers for their personal information such as their Social Security Numbers, bank account numbers, mother's maiden name, etc. by crafting email messages that appear to come from BoA.

    The man in the middle attack works as follows:

    1. Create a phishing web site.

    2. Ask the user for their username in exactly the same way as the BoA site does with SiteKey.

    3. When you have their username, contact the BoA site and download the list of authenticity questions the site wants to ask the end user.

    4. Ask these questions of the phished user.

    5. Pass the answers on to the real BoA site.

    6. Voila. Not only do you now have access to the BoA site, you have successfully obtained further private information of the end user, such as the user's mother's maiden name.

    I wrote about SiteKey on my blog, which for whatever reason is now viewed by Google as one of the leading authorities on SiteKey: http://mailchannels.blogspot.com./ Enjoy!

  34. Why not properly use existing solutions? by Moosifer · · Score: 2, Insightful

    Why do we keep trying to invent new (and fairly interruptive) methods of proving the identity of a web site when we have a perfect, yet sadly under-leveraged, method for this already available: SSL.

    The certificate system underlying SSL is already largely in-place, particularly for trusted/confidential sites, and it provides relatively assured proof of identity. The problem is that there's no way we can expect users to click on the little lock icon, and examine or understand certification paths, issuers, subjectAltNames, etc.

    Why don't browsers simply make this more plain and prominent? Why not just interpret this information and present it clearly to the user? Just an integrated toolbar that says in plain english/french/german/japanese/etc. "You and your browser know and trust the certifying authority of Verisign, and according to Verisign, this site [your bank name here] is who they claim to be. Chances are you're safe."

    And if something is off, instead of a pop-up box with three relatively cryptic security alerts to which everyone has been trained to say "yes" regardless of understanding, try simply "The identity of this site cannot be confirmed. Click for details, proceed with caution." Different discrepancies can provide commensurate levels of warning to try to avoid cry-wolf syndrome.

    This, combined with existing (and also underutilized) techniques to mitigate URL obfuscation won't be perfect, but they will go a long way, and it only requires a little effort from the browser folk.
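
The post asks browsers to interpret the certificate for the user rather than show raw fields. As an added illustration (not the poster's code, and not how any browser is implemented), here is the logic such a plain-language summary needs, written over the dictionary shape that Python's `ssl` module returns from `SSLSocket.getpeercert()`: match the host name against the subjectAltName entries (with the usual one-label wildcard rule), check the issuer against a set of trusted CAs, and check the validity window. The certificate, the CA name "Example CA" and the set of trusted issuers are constructed for the example; a real client would take them from a live TLS connection and the system trust store.

```python
import ssl
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed certificate in the structure ssl.SSLSocket.getpeercert() returns.
# Nothing here is a real site or CA.
CONSTRUCTED_BANK_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
TRUSTED_ISSUERS: Set[str] = {"Example CA"}  # stands in for the browser's root store


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a leading '*.' covers exactly one label, so
    *.bank.example matches www.bank.example but not bank.example or a.b.bank.example."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def san_dns_names(cert: Dict[str, Any]) -> List[str]:
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def issuer_org(cert: Dict[str, Any]) -> str:
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "an unknown issuer"


def describe_certificate(
    cert: Dict[str, Any],
    hostname: str,
    trusted_issuers: Set[str],
    now: Optional[float] = None,
) -> Tuple[str, str]:
    """Return (level, message): level is 'ok', 'warn' or 'danger', message is the
    plain-English text a toolbar could show in place of raw certificate fields."""
    import time
    now = time.time() if now is None else now
    problems: List[Tuple[str, str]] = []

    names = san_dns_names(cert)
    if not any(dns_name_matches(p, hostname) for p in names):
        listed = ", ".join(names) or "no named site"
        problems.append(("danger", f"this certificate was issued for {listed}, not for {hostname}"))

    issuer = issuer_org(cert)
    if issuer not in trusted_issuers:
        problems.append(("danger", f"the certifying authority {issuer!r} is not one your browser trusts"))

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append(("warn", "the certificate is not yet valid"))
    elif now > not_after:
        problems.append(("warn", "the certificate has expired"))

    if not problems:
        return ("ok", f"You and your browser trust {issuer}, and according to {issuer} "
                      f"this site ({hostname}) is who it claims to be.")
    level = "danger" if any(lvl == "danger" for lvl, _ in problems) else "warn"
    details = "; ".join(text for _, text in problems)
    return (level, f"The identity of this site cannot be confirmed: {details}. "
                   "Click for details, proceed with caution.")


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")  # fixed clock for the demo
    for host in ("www.bank.example", "online.bank.example", "www.bank-login.example"):
        print(host, "->", describe_certificate(CONSTRUCTED_BANK_CERT, host, TRUSTED_ISSUERS, now))
```

The graded `level` is the "commensurate levels of warning" the post asks for: a name mismatch or an untrusted issuer is a different conversation with the user than a certificate that expired last week, and collapsing both into the same yes/no dialog is what trains people to click through.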