Slashdot Mirror


SiteKey to Prevent Phishing

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

21 of 377 comments

  1. I don't have time for that junk by A Dafa Disciple · · Score: 5, Interesting

    When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.

    Keep the password.
    Keep the button (which seems like a great idea by the way).
    Ditch the three questions.

    1. Re:I don't have time for that junk by LiquidCoooled · · Score: 5, Interesting

      (dunno why you're marked as troll, but anyway)

      Phishing sites will include a big button as well.
      Clicking it will say:
      Of course you're on the real bank website

      It does no good. I prefer the way my bank currently does it: I told them (in person when setting this up) a pass code, and when logging in, they ask me for random sections of it (i.e. 1st, third and last digits).

      The scammers must manage to fool me multiple times to gain complete access to my account details.

      --
      liqbase :: faster than paper
    2. Re:I don't have time for that junk by iamdrscience · · Score: 3, Informative

      Phishing sites will include a big button as well. Clicking it will say: Of course you're on the real bank website

      RTFA. Clicking the button shows a picture to the user that they have picked. A phisher would not be able to easily defeat this.
    3. Re:I don't have time for that junk by DingerX · · Score: 4, Insightful

      Nonsense. "We're sorry. Our personal image and passphrase server is offline for routine maintenance. Please continue about your transaction."

    4. Re:I don't have time for that junk by jesup · · Score: 3, Insightful

      As another poster pointed out, the Phisher can (instead of capturing your password) just initiate a MITM attack - create a spoof website that takes your info, passes it to the bank, and shows you what the bank sends you. Unless the bank overlays the apparent IP address (and the user knows if it's correct) of the source, this will work. More hassle, but lets them get all your info, then pass you off to finish your transaction, then they log in to strip your account.

      There is a way to deal with this problem too, but I can't go into it at present. (Sorry)

    5. Re:I don't have time for that junk by CaymanIslandCarpedie · · Score: 3, Informative

      I think the point the parent is making is if the bank gives you the image based on username/password, then it is quite possible to get around this.

      1) You enter your username/password on the phishing site.
      2) The phishing site then uses this username/password to retrieve the image from the bank site
      3) You verify image ......

      So when he is talking about botnet, he is talking about logging on to the bank site as you using the username/password you just gave them and then showing you the image returned from the bank site.

      One more little hurdle for them to overcome, which is good, but certainly not foolproof.

      --
      "reality has a well-known liberal bias" - Stephen Colbert
  2. Useless. by Seumas · · Score: 5, Insightful

    And those three personal questions will be:

    What is your credit card number?

    What is your credit card's expiration date?

    What is your credit card's three-digit CCV number?

    Seriously though, I don't care if you require users to use ten pieces of personal information. They'll still choose to use the same information at 90% of the sites they deal with. And there will still be people with access to that information - whether they're administrators and customer service persons or crackers who steal their database full of customer data. The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you.

    Thanks, but I'll keep using the ambiguous password. It's easy to find out where a person was born or when or what their maiden name is. It's a lot more difficult to guess that their password is aPh1l@m8.

    Besides, I never give those "personal question" fields real information. Then I end up not only having to remember a password for each site, but a fake maiden name, birthplace, favorite team, first pet and so on. Screw that noise.

    And if you're dumb enough to think that PayPal really is sending you two dozen queries about the validity of your account per day, you should just give your money away and shoot yourself in the head anyway.

    1. Re:Useless. by IDontAgreeWithYou · · Score: 5, Funny

      What is your name?
      What is your quest?
      What is your favorite color?

      --
      Finding other idiots on /. that agree with your opinion doesn't make it any less stupid.
    2. Re:Useless. by blatantdog · · Score: 4, Informative

      I have a BoA account with SiteKey and here is how it works:

      - Three questions are one time only and are NOT credit card or account related
      - You also choose a tacky photo
      - Once the questions are set then it will ask you only one time from the machine you are at to answer one of the three questions
      - Once you have answered you are presented with the tacky photo and a request for your password
      - You have to reauthenticate at each machine you are at and let BoA know if you want that machine added to the list of "safe" machines, meaning you don't have to answer the question again and are presented with only the photo and request for password.

      whew!

  3. UK has had this kind of tech for ages by MikeDX · · Score: 5, Insightful

    "My" online bank http://www.cahoot.com/ (which is the online arm of Abbey National) has had this type of authentication for ages. Every time I log in, I am asked different questions; each login is different and it has worked extremely well. Of course if you are phished you can still be tricked into giving away the answers to the questions you gave and used during the signup process. Instead of providing your complete password, you give certain characters from the password, for example the 2nd and 6th characters, selected from a drop down box, so keyloggers are effectively rendered useless.

    There are always going to be people who are too careless with their information, and there will always be other people who are very willing to take all of your personal information to clean out your bank accounts.

  4. 3 PERSONAL Questions by Uukrul · · Score: 5, Funny

    Patriot Act Enhanced Questions

    1. Religion?
    2. Who did you vote for last election?
    3. Are you a terrorist?

    --
    My city: Barcelona.
  5. Simpler solution: password cards by Max Romantschuk · · Score: 4, Informative

    I have a username and password which logs into my bank account. If it were compromised whoever has the password can see my transactions, that's it.

    In order to actually do stuff, the bank (and all Finnish bank sites I know of) uses a challenge/response system: I have a card which has a bunch of random number passwords on it, around a hundred, in number:password pairs. The site asks for "password number X" (one number per session) and I give it. These passwords are unique to my own account, and the card has no identification, so if my wallet gets stolen it's useless without knowing which bank and account it's for, as well as the username and password for logging in.

    If I were fooled by a phishing site they'd get one of the hundred passwords required for a transaction, and the bank would notice pretty quickly if they tried logging in and out for hours trying to get the correct challenge assigned to the session.

    Simple, yet very effective.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
    1. Re:Simpler solution: password cards by riflemann · · Score: 3, Interesting

      This is of limited effectiveness. It works for a while, but has been cracked.

      A few months ago, a well known Dutch bank (Postbank) was targeted, with scammers directing people to a phishing site. This site asked for their username, password, and the next 3 of these codes (many people mark the ones they've used).

      Many people were duped, proving that it's not that good for security.

      Far better is the card/token type system (see my comment for details).
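To make the two posts above concrete, here is an added Python model of the bank side of a printed code list; it is not Max's bank's or Postbank's code. The bank, not the customer, picks which index a session must answer, each code is accepted once, repeated wrong answers lock the list, and `exposure()` gives the defender's risk figure when a few codes (such as "the next 3") have leaked. `LOCKOUT_THRESHOLD`, the card size and the code length are assumed values.

```python
import secrets
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3  # assumed policy: lock the list after this many wrong codes in a row


@dataclass
class CodeList:
    """Bank-side record of one customer's printed card: index -> code."""
    codes: dict
    used: set = field(default_factory=set)
    failures: int = 0
    locked: bool = False


def issue_list(size=100, digits=6):
    """Print a fresh card; the card itself carries no account identification."""
    return CodeList({i: f"{secrets.randbelow(10**digits):0{digits}d}" for i in range(1, size + 1)})


def challenge(card):
    """The bank picks which unused index this session must answer (None if locked/exhausted)."""
    unused = sorted(set(card.codes) - card.used)
    if card.locked or not unused:
        return None
    return secrets.choice(unused)


def verify(card, index, code):
    """Accept exactly the requested index, once; count wrong answers and lock on the threshold."""
    if card.locked or index is None:
        return False
    if index in card.used or card.codes.get(index) != code:
        card.failures += 1
        if card.failures >= LOCKOUT_THRESHOLD:
            card.locked = True
        return False
    card.used.add(index)
    card.failures = 0
    return True


def exposure(card, known_indices):
    """Probability that a single session's challenge lands on a code that has already leaked
    (e.g. the 'next 3 codes' a phishing page asked for). Used for risk sizing, not by the login path."""
    unused = set(card.codes) - card.used
    if not unused:
        return 0.0
    return len(unused & set(known_indices)) / len(unused)
```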

  6. Obligatory by value_added · · Score: 5, Funny

    BofA: What is your name?
    Sir Lancelot: My name is Sir Lancelot of Camelot.
    BofA: What is your quest?
    Sir Lancelot: To seek the Holy Grail.
    BofA: What is your favorite color?
    Sir Lancelot: Blue.
    BofA: Right, off you go.

  7. Not very effective.. by riflemann · · Score: 3, Interesting

    It's about time more banks started implementing true security online. In Europe, the majority of banks give a device which gives at least the same level of security as a normal cash machine/POS transaction.

    You put your bank card in the device, enter your PIN, and then enter a number given on the site. Hit OK and put into the site a number returned by the device. The algorithm requires the PIN and the specific card to calculate the number, so dictionary attacks are thwarted.

    Having these 3 personal questions is of limited effectiveness - until the scammers simply make a phishing site which asks the same questions.

    Why can't US (and Australian) banks just issue these card reader/token devices? It satisfies the requirements of user authentication.

    - Something you know (your PIN)
    - Something you have (card + device)

    I guess they're too cheap to do it and rely on fraud insurance to compensate for lost money.
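The card-reader scheme riflemann describes, modelled in Python as an added example (not any bank's or device vendor's implementation): the card checks the PIN itself (something you know), the card's secret keys a MAC over the bank's one-time challenge (something you have), and the bank accepts each challenge only once. `PIN_TRY_LIMIT`, the 8-digit truncation and the SHA-256 HMAC construction are assumptions of this model.

```python
import hashlib
import hmac
import secrets

PIN_TRY_LIMIT = 3  # assumed: the chip refuses to work after this many wrong PINs in a row


def truncated_mac(key: bytes, challenge: str, digits: int = 8) -> str:
    # Response = HMAC over the bank's challenge, cut down to a number the user can type in.
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"


class Card:
    """The chip card: a per-card secret shared with the bank, plus a local PIN check."""
    def __init__(self, pin: str):
        self.key = secrets.token_bytes(32)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # stand-in for the on-chip PIN check
        self.tries = 0
        self.blocked = False

    def check_pin(self, pin: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest()):
            self.tries = 0
            return True
        self.tries += 1
        self.blocked = self.tries >= PIN_TRY_LIMIT
        return False


def device_response(card: Card, pin: str, challenge: str):
    # The reader: the PIN unlocks the card, the card keys the MAC. No PIN, no response.
    if not card.check_pin(pin):
        return None
    return truncated_mac(card.key, challenge)


class Bank:
    def __init__(self):
        self.keys = {}     # account -> card key, recorded when the card is personalised
        self.pending = {}  # account -> outstanding challenge, single use

    def enrol(self, account: str, card: Card) -> None:
        self.keys[account] = card.key

    def new_challenge(self, account: str) -> str:
        self.pending[account] = f"{secrets.randbelow(10**8):08d}"
        return self.pending[account]

    def verify(self, account: str, response) -> bool:
        challenge = self.pending.pop(account, None)  # consumed even on failure: no replay
        if challenge is None or response is None:
            return False
        return hmac.compare_digest(truncated_mac(self.keys[account], challenge), response)
```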

  8. How this actually works... by Anonymous Coward · · Score: 4, Informative

    I'm a BOA user and use Site Key. For those that have no clue - CNN's interpretation of this "feature" is off. That should not surprise you.

    At any rate - when you sign up for SiteKey, you have 3 questions you can pick and give the answer to. You also select YOUR "siteKey" image.

    From that point forward, when you go to the BOA site, you enter your Login ID, click "Login with siteKey" and it will display your sitekey image. This verifies that it is a BOA website because it displayed you the correct image.

    That's all the image is for- verify this is a real BOA website. That is the purpose anyway.

    You are then asked to enter your normal password and are directed to your account information.

    Now, for the secret questions. Those come into play when you are accessing your account via a PC that was not the original PC you setup siteKey on. If the PC is not recognized (via a cookie I am sure), you are displayed 1 of your 3 questions rather than the sitekey image.

    When you answer the question, you are displayed the sitekey for verification and login as normal.

    Anyway, that is how it actually works. It isn't asking you 3 questions AND your password every time you login.

  9. Re:How will SiteKey stop phishing? by iamdrscience · · Score: 3, Insightful

    From TFA: "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

    So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?

    What kind of idiot came up with that idea?

    The idea works with two levels of verification. For instance, you might have to enter a username and password and then be allowed to see your secret image, then after that, you enter another username and password. This way, nobody can see your picture unless they already have your username and password, and if you get phished for those, you know it because the picture isn't right, but they don't have your second username and password required to actually access your account. I suspect that this system will work similar to that, but instead of a second username and password, you enter the answers to your personal questions.

    Still though, it seems like a potential flaw would be that you have to click on something to verify you're on the bank's site. Why not just show you your picture by default? It seems like a lot of people just wouldn't bother verifying the site and they would get phished the same as they would be now.
  10. SMS authentication is already being used! by clef · · Score: 5, Interesting

    The National Australia Bank launched SMS authentication earlier this year.

    Whenever you transfer money or pay a bill (ie. anything risky), it sends a unique code via SMS to your phone. You then type that number into the system before it does the transaction.

    It's free too.

    It's highly unlikely someone has both stolen your mobile phone AND phished your details.

  11. Hello, this is the Visa card center calling. by Vo0k · · Score: 5, Insightful

    - Hello, this is the Visa card center calling. Am I talking with Mr. John Doe?
    - Yes, that's me. What's the matter?
    - We'd like to confirm. Are you trying to make a big purchase in a shop in New York?
    - No! I'm in Washington, DC! Oh my god! My wallet is missing! My card has been stolen!
    - Would you like to cancel the transaction and block your credit card?
    - Yes, please! Right now!
    - In order to do so, we need to confirm that you are indeed John Doe, the owner of the card, and not that Mr. Doe's phone has been stolen.
    - Please! How do we do it?
    - Please give me the number of the credit card in question.
    - I don't remember!
    - Expiration date?
    - Next year, July or June, or maybe August...
    - Sorry, I can't take that for an answer. Any other info? Maybe the account number associated with the card? Or maybe the PIN number?
    - The PIN is 8352
    - Thanks, sucker!

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
  12. keyloggers aren't useless by RMH101 · · Score: 3, Informative

    Speaking as someone whose SO has just lost 4,000 UKP through a compromised work PC via a keylogger and NatWest online banking, you're not as safe as you think you are.
    The latest PW_Glieder trojans will keylog and report back over a period of time: if you access your online banking a few times and are asked for characters X and Y from your password, chances are quite high that after a few logged sessions, the hacker will have enough info to build your complete password.
    This is very common indeed: current SOP is for them to move your money to another account at the same bank to which they've already stolen a matching debit card. Move cash, then a confederate will go into a branch and withdraw the money in cash and vanish...
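MikeDX's "2nd and 6th characters" login and RMH101's point that a logging trojan only needs to wait are two sides of the same calculation. Here is an added Python risk estimate (not from either poster or any bank) of how many observed logins a partial-password scheme survives, assuming the bank draws the k requested positions uniformly at random from an n-character password; the numbers are what a defender would use to decide whether such a scheme is enough on its own.

```python
from math import comb


def prob_fully_observed(n: int, k: int, sessions: int) -> float:
    """Probability that `sessions` observed logins, each revealing k distinct random
    positions of an n-character password, have together exposed every position.
    Inclusion-exclusion over the set of positions that were never asked for."""
    total = comb(n, k)
    return sum((-1) ** j * comb(n, j) * (comb(n - j, k) / total) ** sessions
               for j in range(n + 1))


def sessions_for_confidence(n: int, k: int, target: float = 0.95) -> int:
    """Smallest number of logged logins after which the whole password is
    recoverable from the observations with probability at least `target`."""
    s = 1
    while prob_fully_observed(n, k, s) < target:
        s += 1
    return s


def expected_sessions(n: int, k: int, tol: float = 1e-9) -> float:
    """Expected number of observed logins until every position has been seen,
    computed as the sum over s of P(not fully observed after s logins)."""
    total, s = 0.0, 0
    while True:
        remaining = 1.0 - prob_fully_observed(n, k, s)
        if remaining < tol:
            return total
        total += remaining
        s += 1


def exposure_table(n: int, k: int, max_sessions: int) -> dict:
    """Session count -> probability of full exposure, for a quick read of the risk curve."""
    return {s: round(prob_fully_observed(n, k, s), 3) for s in range(1, max_sessions + 1)}


if __name__ == "__main__":
    # Constructed scenario: an 8-character password, two positions asked per login.
    for s, p in exposure_table(8, 2, 12).items():
        print(f"after {s:2d} logged logins: {p:.3f}")
    print("logins for 95% full recovery:", sessions_for_confidence(8, 2))
```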

  13. "even by email to alert a user that it's happened" by weierstrass · · Score: 3, Insightful

    "We have received a request to transfer $x to account number Y in Nigeria. If you did not request this please click here to connect to our fraud prevention dept., and confirm your account details and passwords..."

    --
    my password really is 'stinkypants'