Study Finds Bank of America SiteKey is Flawed
An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they log in, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords.
The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images.
Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."
Seems to me like the system itself is not flawed, but the way the users choose to operate it. This could be due to a lack of clear explanation by the BOA website.
If BofA periodically did not show the image and then warned the user they had made a mistake by entering their password, users would soon be trained to look for the image. Setting up a security system once and then not reinforcing it periodically so that users take it seriously is the problem.
Enhanced security measures thwarted by stupid users. More at 11!
It seems like most security systems based on users not being idiots are doomed to fail. Phishing attacks work because people don't follow normal security procedures. Making the authentication process longer/more involved for the user seems to be an inherently flawed idea, because it trusts the user to know what is best for him/her.
The SiteKey isn't flawed, the people are.
Just that the users are flawed, and need to be better educated. I think it is an excellent tool, and I make damn sure that I verify my sitekey before I enter my password. No matter how clever your schemes are, if the users are too clueless or apathetic to make use of them, they will be ineffective.
This just in... users are clueless. Film at 11.
1. Go to an unusual place.
2. Sign an agreement form.
3. Follow instructions that say: "Log into your account."
4. You're aware that people are watching you and will analyze what you did.
Whatever results they get do not prove anything other than:
People placed in an unfamiliar, controlled environment with Harvard scientists ogling at them will not check the security image.
This from a site that uses SSN for a login is completely shocking! Shocking I tell you!
Users are Lusers!
You can lead a horse to water but you can't make them pay attention to security concerns...
The BofA login is helpful to me, I fully expect to see my login token when I log in to my account and would not log in if I didn't see it. Some people won't pay attention and there isn't ANYTHING that BofA could do to prevent that (that isn't outrageously inconvenient for me.)
The premise of the study being that people enter the passwords even if they do not see the image is dumb. That's like saying I buy top of the line RSA encryption but provide others my key, or I buy a safe and do not lock it. If people are stupid enough to enter passwords on public terminals without even using the most primitive security systems they deserve to be robbed. The BOA system is primitive but depends on people using some common sense. Having said that, I am not a big fan of captcha-like security systems: install a trojan, monitor the images for a month, ship it back to the mother ship and lo and behold you have a phishing site personalized just for you.
> The banks often drop a small software program, called a cookie, onto a user's PC to associate the computer with the customer. Since when are cookies software programs? I wish the media would stop perpetuating misinformation about cookies.
It's to protect Bank of America from liability. If someone's account integrity is compromised due to phishing, the bank's ass is covered - they implemented a two-way authentication, the user just chose to ignore it (after indicating they read and understood the terms and function of the SiteKey)
So they brought 60 people into a room, told them to use their bank account, and then got surprised when they actually did?
I am going to bring 60 people into a room, present food to them and tell them to try it, and then publish a study about how they failed to notice the lack of a Health Department certificate in my building. Then I'm going to write into Slashdot about it.
In my mind, there is a better way to conduct a study about banking security than to bring in 60 people and instruct them that the entire purpose of their visit is to log in to their bank account when they sit down.
But I, for one, welcome our SiteKey overlords.
Isn't this the same as what Yahoo's Personalized Sign-In Seal uses?
Considering how many "fake" Yahoo sign-in sites I've seen, I've always wondered if people actually used this "feature".
Now, go forth and design systems that work, instead of blaming your design failure on the user.
Couldn't a phisher just set up a proxy to the Bank of America site? Then they could provide the proper identification image, and still steal their log in information from them.
Let me get this straight...
They grabbed a bunch of BofA customers and convinced them to do routine banking functions using their bank accounts IN FRONT OF STRANGERS and you really expect them to be concerned about security? They already gave up any chance at being secured when they agreed to participate.
This is like asking if you can study someone's ATM usage by looking over their shoulder and then telling them they failed because you now know their PIN number.
First of all, the behavior people display during a study would be highly skewed from normal day to day behavior. To really make a determination of this, something less deliberate would need to be done. Most people in this study would go ahead just for the purpose of being agreeable. I know I would be hesitant to screw over a Harvard study if I was participating in it. On another note, I have many times wondered what would prevent a phishing site from asking Bank of America for the site key based upon the entered SSN. How can Bank of America know the phishing site from the user?
The error message also had a conspicuous spelling mistake, further suggesting something fishy.
I'm beginning to wonder if this article actually appears on the NYTimes website...
This guy's the limit!
I can say sitekey is the most useless piece of junk meant to make my life harder. It's one of those pieces of security that sound good to PHB's but is retarded in practice. Other banking notables? Linking your ip address to your bank account and activex controls that won't let you in until it's verified you have antivirus software installed. Get with the program guys. Half baked schemes to make online banking "safer" rarely do so and in many cases make it less safe.
Give me an online banking system with a good old fashioned username and password and I'm set.
When will these 'researchers' be arrested for pointing out flaws in a security system?
Agreed that the problem with this study was the users and the setting, not that part of BofA's system, but the system certainly seems flawed in another fundamental way. I'm surprised the study didn't primarily focus on that.
All a site has to do is fetch your "sitekey" and present it to you no? And it makes phishing attacks even more legitimate seeming.
Specifically:
1. User gets lured into a phishing attack and goes to the fake BofA site.
2. User enters username.
3. Phishing site takes the username, enters it on the real BofA site, gets the SiteKey.
4. Phishing site presents the SiteKey to the fooled user and collects the password... done.
Seems very lame. Sure, there are IP address issues for the phishers but they could spread out the load using a farm of IPs.
Anyway, this study makes me think that you combine a basic (very basic) bit of security into a site and people suddenly think it's foolproof. I think the banks are just going to have to consider using two-factor auth a little more.
My banking site only asks for a password and part of a second password (e.g. the 5th, 3rd and 7th letters). That way, if a phisher grabs part of the password, they can't use it to log in on the real site, as it will probably ask for a different combination of letters.
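The position-challenge scheme in the post above is worth simulating, because it has a failure mode the post only hints at. The following is an added example, not code from the poster or from any bank: it models a server that stores a second secret, asks for three random positions per login and checks the answer. A phisher who captures one answer cannot replay it against a fresh challenge, but a phisher who keeps the same user coming back learns the secret position by position. The secret value, its length and the count of positions asked are assumed for the demo.

```python
import hmac
import random
from typing import Dict, List, Sequence, Tuple

# Constructed demo values. A real deployment would store a per-user secret
# (per-position hashes or an HSM) and draw positions with secrets.SystemRandom,
# which has the same interface as random.Random used here for reproducibility.
SECRET = "correcthorse"
POSITIONS_ASKED = 3

Challenge = List[int]             # 1-based positions, in the order they are asked
Capture = Tuple[Challenge, str]   # what a phishing page sees: the question and the answer


def issue_challenge(secret_len: int, rng: random.Random) -> Challenge:
    """Ask for POSITIONS_ASKED distinct positions, e.g. [5, 3, 7] for 5th, 3rd, 7th."""
    return rng.sample(range(1, secret_len + 1), POSITIONS_ASKED)


def expected_answer(secret: str, challenge: Challenge) -> str:
    return "".join(secret[p - 1] for p in challenge)


def verify(secret: str, challenge: Challenge, answer: str) -> bool:
    """Server-side check; constant-time compare so a partial match does not leak timing."""
    return hmac.compare_digest(expected_answer(secret, challenge), answer)


def replay(secret: str, captured: Capture, fresh: Challenge) -> bool:
    """A phisher replays one captured answer against the real site's fresh challenge.
    This only works when the fresh challenge asks the same letters in the same order."""
    _, answer = captured
    return verify(secret, fresh, answer)


def reconstruct(captures: Sequence[Capture]) -> Dict[int, str]:
    """What the phisher knows after several captures: every answered position is revealed."""
    known: Dict[int, str] = {}
    for challenge, answer in captures:
        for pos, ch in zip(challenge, answer):
            known[pos] = ch
    return known


def captures_needed(secret: str, seed: int, limit: int = 500) -> int:
    """Simulate a victim who keeps logging in through the phishing page: how many
    captured rounds until every position of the secret is known (coupon collector)."""
    rng = random.Random(seed)
    captures: List[Capture] = []
    for rounds in range(1, limit + 1):
        ch = issue_challenge(len(secret), rng)
        captures.append((ch, expected_answer(secret, ch)))   # victim answers correctly
        if len(reconstruct(captures)) == len(secret):
            return rounds
    return -1


def replay_success_rate(secret: str, seed: int, trials: int = 2000) -> float:
    """Fraction of fresh challenges that a single captured answer happens to pass."""
    rng = random.Random(seed)
    captured = issue_challenge(len(secret), rng)
    cap: Capture = (captured, expected_answer(secret, captured))
    hits = sum(replay(secret, cap, issue_challenge(len(secret), rng)) for _ in range(trials))
    return hits / trials
```

The scheme raises the cost of a one-shot phish but not of a persistent one: `captures_needed` is the number of logins through the fake page before there is nothing left to learn, typically only a handful for a twelve-character secret with three positions per round, and a phishing page can simply keep asking.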
thank God the internet isn't a human right.
There was a lady in our office (a long time ago) who was excited about everything all the time. When our network admin gave her a new password, she was so excited that she cried it out loud in front of everybody. Well, the admin was really upset and told her everything he was thinking about her. Then she told him with an innocent expression: "Why can't you teach me these security practices?" He replied: "I can't teach you how to eat, mate or live." So, related to Bank of America customers, if they do not care about security - it is their fault. If they start crying their passwords out loud - it is their fault. It is common sense, like eating, avoiding poisons, not hurting yourself. You cannot teach a grown-up how to do those things. It is their sole responsibility, and not a fault of the Bank.
This coming from a bank whose website frequently goes down and, when clicking links within my accounts page, will suddenly (and randomly) tell its users that they have "successfully logged out" without a link to the main page to re-login and continue. And let's not forget the determination to automagically remove bank statements after six months while at the same time pestering its users to cancel their paper copies. I would have to say that Bank of America is the perfect example of how not to run a banking website. Every time I call their tech support I am costing THEM money.
Do you change clothes while making the "chee-chee-cha-cha-choh" transformation sound?
Basically, this method of security fails when people don't care about their security. This is a problem?
Security requires active checking to make sure a security measure is in effect. If you don't check to see if your padlock was secured, it's not the lock maker's fault if someone unhooked the unlocked padlock and stole your stuff.
Actually this is worse. The lock maker damn well isn't at fault IF YOU DIDN'T CHECK THAT IT WAS YOUR PADLOCK.
A much better idea that would foil keyloggers is to present a user with a matrix of 3x3 or 4x4 pictures of animals and have users choose a password of three animals where they always click on the same animals in the same order. With random presentation of the animals it would make it impossible for anything other than video capture to steal all the information necessary to get into my account.
This crud where they ask you for the last four digits of your SS# in addition to your password does little to prevent a keystroke logger from recording that response as well and leaving me wide open to criminal use of my account.
Even if a phishing site displayed only one of the actual available images, they would net victims using that image. It only takes one in a million to make the scam worthwhile.
Bank of America's system also has you provide a caption when you choose a picture. The caption is much better security than the limited set of images.
Always someone has power over you. The thing to consider is this: Is the power good, or bad?
When B of A switched to site key, my online account broke. It hasn't worked since, despite 15+ calls to tech support. Usually they say they will call back when they fix it and never do. It's only half bad. Since it is broke, I suspect it is very secure and nobody else can access it, either.
Discussion and links to papers here:
http://bbaadd.com/blog/2006/08/security-why-sitekey-cant-save-you.html
This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been greatly simplified, and some new material is presented. Readers seeking more depth of coverage should consult the original paper, available at the above URL.
Although this report discusses SiteKey at Bank of America Corporation, the general risks discussed here apply to all SiteKey sites including ING Direct and Vanguard.com, and they apply even more generally to any security method that relies solely on server-side interventions to detect and stop online fraud.
If someone doesn't bother to learn how to drive a car, and drives it off a cliff because they didn't know where the brake was, guess what? It's the person's fault, not the car's. These banks have built in a security feature, and if people don't actually read and learn to use it, it is their fault.
My BoA sitekey is "sitekeyisdumb", because it really is. I hate it. I chose a picture of two people hanging from a parachute. I like to picture them stuck hanging somewhere, similar to how I feel when going through the sitekey process, dumb and stuck. Sometimes I'll fail my own sitekey security questions when it doesn't recognize my IP address. Now that you have all that additional "secure" security info from me, try hacking my account. Good luck. It's totally useless.
If I setup a "lemonade-stand" labeled "B of A Deposits" in my neighborhood and tell people they can make deposits with me instead of going to the bank, should the bank be held responsible if some people actually do it? At some point, people have to take responsibility.
No online banking security measure that is put in place is ever going to stop stupidity. This is the type of thinking that keeps people voting for Democrats. Too many people don't want the responsibility of taking care of themselves. They want someone else to do it so they can blame someone else when it goes awry:
Can't get a job? Here's some unemployment!
Don't want to pay up for health insurance? Here's some for free!
Don't want to save for retirement? Here's some social security!
Unmarried and have 4 kids with 4 different fathers? Spent all your money on Dolce & Gabbana and plasma TVs? Here's some food stamps to feed your kids!
Instead of choosing an icon from a list, perhaps the user is required to upload a picture and a description of it. Anything would do: a person, animal, car, etc. The uploaded picture would become a very prominent part of the site during the login process. Instead of choosing an image from a list of possibilities, the site would be structured in such a way that the lack of a user-provided photo is painfully obvious. Even the site's foreground/background color scheme would be determined by the color content of the picture.
any suggestions? how do you ensure users only login to your site, and not one designed to look like yours? This design was created not to help the bank compute its interest for all of its accounts faster, but to try and help users make better judgments.
My idea? I think they should give up on HTML web-based UIs. People click on links from any sort of untrusted source and then log in. If you had greater control, by making all of the interactions take place through a separate application outside of the browser, you would have more control and protection for your users. No web interface at all. Two-phase authentication required. Use public/private key combos. It would be less convenient, as you couldn't do banking from your neighbor's computer or whatnot, but you really shouldn't be doing online banking on untrusted computers anyway.
The problem is that it wasn't introduced well.
If someone is already familiar with the concept, then it makes sense. However, for most people, the explanation was an annoyance and a confusion one time when they logged in, and the rest of the time it's just an extra click before they can enter their password.
I have two banks that use that scheme for authentication. On both of them, one day they just popped up a picture and said, "what is this picture?" So you make a guess as to what is shown in the picture, and hope you guessed right.
On subsequent logins, they fill in your guess for you, so it seems ridiculous that they are asking what that picture every time.
Since the explanation was lost on most users, it's not surprising that they don't care that it's different.
In fact... if you just made a site that popped up a random picture and asked them to name it, I'd expect everyone would fall for it.
This isn't about customers being lazy or stupid, (well not always.) It's about the SiteKey deployment being inadequate and there being insufficient explanation for something that customers have never heard of before.
> ..the system itself is not flawed, but the way the users choose to operate on it
> Enhanced security measures thwarted by stupid users. More at 11!
> The SiteKey isn't flawed, the people are.
Why are so many people acting like the users are stupid here? It's a common error to ascribe problems with usability to 'idiot users'. The real problem is software that's designed for the wrong target group (experts, where it should be everyman) or just badly designed, confusing or poorly explained interfaces. The fact is, this system *has* to be designed to cope with clueless users. If it's only safe for use by people with an IQ over 100, then half the population will be at risk!
I have an ING Direct account, and use it once a month for bills - that's it. Forgive me if I can't remember that two months ago some website showed me a picture of a duck and the phrase "three penny milk".
My bank started doing this. The way I was introduced to it is when I logged in they asked me to select a picture and then pick a label for it. There was no explanation whatsoever.
Now, like most Slashdot readers, I'm a tech guy, but I didn't know what they were trying to do. My GUESS was that they were going to have me enter in the caption each time I logged in as a sort of separate password. It wasn't until I read some news article about it much later that I understood what the point of it was. I can't imagine your average user would have any idea either.
But, lack of explanation aside, the 'solution' is technically useless as well. So when I go to log in, you display a picture and I have to not enter my password if my picture doesn't show up. But *ANYONE* trying to log in gets to see that picture. So all you've done is add a little work for the phishing site - when they're pretending to be the bank, they just have to go to BoA's site and start your login process and Bank of America will kindly display the picture that the phishing site needs to show you to make you think the phishing site is legitimate. If anything, this makes the phishing site look *MORE* legitimate. "Well, this site looks fishy, but it's got my photo, so there must not be a problem."
Yahoo has a better system - they show you a captcha you've picked, and they explain what it is, AND they only show it to you if you're logging in from a computer you've registered to see the captcha. Doesn't help you when you're not at your home computer, but works for most people most of the time and is thus an improvement without any drawbacks.
The few that did participate were either excessively trusting or clueless, making them more likely to not worry about the missing image either.
In a word, they used a biased sample.
..Though not BoA, has implemented basically the same damned thing. You pick an image, and if you don't see/it isn't your image when you go to log in, you don't log in.
My mother understood this without issue. My mother is a person who called me several times asking about a 'blinking light' on the front of her computer. The hard drive activity light.
Flawed? Emperor's new snide remark?
No security system will ever be idiot proof. If people are logging in despite not seeing the image they selected, the problem exists between the chair and keyboard.
If users don't know how to properly use the security features provided to them, is that a system failure or a user failure? That's like blaming Linksys for someone hijacking your router because you didn't change the default router password nor did you setup any form of encryption on your 802.11.
This reminds me of a training day for my workstudy job where one of the higher ups in the IT department talked about a survey done where they offered people a cookie for their password. At least 50% of the people in that study were willing to give up their password for a cookie.
The reason I find this interesting is that frequently we throw around statistics from web-site access, and people will complain "well you can't use stats from site X because that site will inherently have more [geeky/non-geeky] users and hence skew the results" (a valid complaint, of course). The above statistics are (reportedly) a random sampling of Bank of America customers with online accounts (no selection based on computer expertise, etc.).
The above stats suggest that Firefox usage may be even higher than previously suspected. Obviously this sampling of 67 people is not exhaustive and may not be generalizable, but I was quite surprised when I saw those numbers.
The site key is not a bad idea for those users who actually use it, but yes most people aren't paying attention. But I think it really ignores the more obvious solution. This is to frequently remind users to NEVER CLICK A LINK THROUGH E-MAIL. Type the website into your browser every time and you will never have this problem. I would put this scam in the same category as phone fraud phishing; most people know that you're not supposed to give your SSN or Bank Numbers when somebody calls you. This should raise suspicion immediately. I think the same approach for the internet is the best that we can hope for. Educate, educate, educate.
I remember when this idea was brought up as another step in the login and authentication protection when users log in. It was mainly an attempt to keep automated data harvesters from collecting information from thousands of users at one time (collecting data from a large list of stolen user information) as well as protecting users from having their username and password sniffed over a network. If the user had their user/pass stolen the thief would still need to know what image they had pre-selected.
While I don't have anything against their methodology, I think the results from both role playing groups are completely meaningless. Why would you be concerned with protecting a username and password that obviously is fake since it was given to you by the testers? I always check things like HTTPS indicators, but I wouldn't have hesitated for a second to enter somebody else's username/password during a study.
The attitude of so many of these posts is unbelievable.
"It's s great system, but users are just too stupid to understand it hurrrrrr!"
Sorry about that.
This is exactly what I experience with SiteKey. Besides, when they implemented it they made several other security blunders. First, the login page where you enter your user name does not have a security certificate and is not encrypted. There is no real way for the user to verify that this is the authentic BofA website. You can find an SSL encrypted login page with a proper certificate but you have to follow links through two other pages to get there. Second, they ask you for the user name first (because of SiteKey) and not for the user name/password combination. If you enter a wrong user name they tell you about that!!! Any script kiddie can now start collecting BofA logins and they don't even need to phish for them. It also leaves by default an http cookie (which is easy to get rid of) and a flash cookie (which most users don't even know exists).
What would it take for someone to write a script to hit the site with a bajillion fake SSN logins (9-digit numbers) and then capture the image and text for each success?
I'm sure someone's already done it.
By the way, I *do* make sure it's my passcode and image that pop up. I made them entertaining enough and relevant to myself.
Then-again, I've written a few login pages for companies, so it's my business to keep track of this stuff.
The other two read the image and actually posted anonymous coward comments with passwords to /.!
If you're brought into a "study" (in a "controlled environment") and asked to "conduct routine online banking activities" wouldn't you have a reasonable expectation of security?
I mean, where do you think they got these 67 BofA customers? They probably asked at a branch. Then the folks know that this whole thing is at least done with the blessing of BofA.
Plus, I can't imagine the study administrators said things like, "and be sure to mind all the normal security practices" for fear that might bias the group.
This "study" sounds flawed.
Why don't you morons learn English?
I am currently doing contract work at a financial institution where we are evaluating several security measures from different vendors in order to comply with the FFIEC guidelines. One feature we are considering is a passmark.
At first the passmark seemed like a great idea until I tried to remember which of the brokerage accounts I had recently required me to set one up. At that point I realized how virtually useless it really was, because if I couldn't remember if it was Fidelity or Vanguard (it was Vanguard) then how would I know if the image was missing?
I couldn't argue at work, based on anecdotal evidence with a population of one, that the approach was flawed. Now I am happy to see that research by respected institutions is being done to prove (or disprove) popular trends as being viable (or worthless).
My user name was a mistake. Input wasn't restricted, my bad.
I'm a more tech savvy user, but even I get very annoyed by the layers I have to go through:
What's to stop a phisher from pretending to be your bank, claiming that said bank is installing a new "security feature", and the person enters all their account information? I think it would be an interesting study to see how many people would probably enter their info blindly while thinking that they are actually protecting themselves.
So when are we going to get an independent "call back" from the secure site where an RSA key is validated, to tell you that both parties are validated, possibly using an iris scan for the end user/customer?
This just in, "People are stupid." Film at 11.
It must have been something you assimilated. . . .
Better yet, why can't a phishing site just do a man in the middle and forward user input to the real BofA server and come back with the image BofA returns??
If you try to log in from a new computer another screen asks you a question, like the name of your first pet, to prevent this from happening. I am also sure they will block the IP after 10-20 attempts anyway.
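The relay attack in the numbered steps earlier in the thread, the man-in-the-middle question just above, and this reply about device recognition and IP blocking all describe the same small protocol, so here is one added model of it. This is illustration code, not Bank of America's; the account, image, caption, challenge question, IP addresses and the limit of ten lookups per IP are assumed for the demo. `relay_naive` runs steps 1 through 4 against a server that shows the image to anyone who knows the username, `relay_device_bound` runs the same attack against a server that demands a device cookie or a challenge answer first, and `enumerate_from_one_ip` shows what a per-IP limit does to bulk username lookups.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Account:
    password: str
    image: str                 # SiteKey picture
    caption: str               # user-chosen caption shown with it
    question: str              # challenge question for unrecognised devices
    answer: str
    devices: Set[str] = field(default_factory=set)   # device cookies issued so far


class BankServer:
    """Two-step login: username -> SiteKey -> password. bind_to_device switches between
    showing the image to anyone who knows the username and requiring a device cookie
    (or a correct challenge answer) before the image is shown."""

    def __init__(self, accounts: Dict[str, Account], bind_to_device: bool,
                 max_lookups_per_ip: int = 10):
        self.accounts = accounts
        self.bind_to_device = bind_to_device
        self.max_lookups = max_lookups_per_ip
        self.lookups: Dict[str, int] = {}

    def get_sitekey(self, username: str, cookie: Optional[str], ip: str) -> Tuple[str, str]:
        """Returns (kind, payload): ('image', 'img|caption'), ('challenge', question),
        ('unknown', '') or ('blocked', '')."""
        self.lookups[ip] = self.lookups.get(ip, 0) + 1
        if self.lookups[ip] > self.max_lookups:
            return ("blocked", "")
        acct = self.accounts.get(username)
        if acct is None:
            return ("unknown", "")   # distinct reply for bad usernames: an enumeration oracle
        if self.bind_to_device and cookie not in acct.devices:
            return ("challenge", acct.question)
        return ("image", f"{acct.image}|{acct.caption}")

    def answer_challenge(self, username: str, answer: str) -> Optional[str]:
        """A correct answer registers the current device and returns its cookie."""
        acct = self.accounts.get(username)
        if acct is None or answer.strip().lower() != acct.answer.lower():
            return None
        cookie = secrets.token_hex(16)
        acct.devices.add(cookie)
        return cookie

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and secrets.compare_digest(password, acct.password)


class PhishingProxy:
    """The fake site. Everything the victim types is forwarded to the real bank from the
    attacker's own IP, and whatever the bank replies is rendered back to the victim."""

    def __init__(self, bank: BankServer, ip: str):
        self.bank, self.ip = bank, ip
        self.loot: Dict[str, str] = {}

    def step1(self, username: str) -> Tuple[str, str]:          # victim typed a username
        return self.bank.get_sitekey(username, None, self.ip)

    def step1_with_answer(self, username: str, answer: str) -> Tuple[str, str]:
        cookie = self.bank.answer_challenge(username, answer)   # victim answered on the fake page
        return self.bank.get_sitekey(username, cookie, self.ip)

    def step2(self, username: str, password: str) -> bool:      # victim saw "their" image
        self.loot[username] = password
        return self.bank.login(username, password)


def make_bank(bind_to_device: bool) -> BankServer:
    # Constructed demo account; nothing here is a real credential.
    alice = Account("hunter2", "blueberries.jpg", "breakfast", "First pet's name?", "Rex")
    return BankServer({"alice": alice}, bind_to_device)


def relay_naive() -> bool:
    """Steps 1-4 from the thread: the proxy obtains the real SiteKey with just the username."""
    proxy = PhishingProxy(make_bank(bind_to_device=False), "203.0.113.5")
    kind, shown = proxy.step1("alice")
    return kind == "image" and shown == "blueberries.jpg|breakfast" and proxy.step2("alice", "hunter2")


def relay_device_bound() -> Tuple[str, bool]:
    """Same attack with device binding: the proxy first gets only the challenge question,
    but a victim who answers it on the fake page hands over the image as well."""
    proxy = PhishingProxy(make_bank(bind_to_device=True), "203.0.113.5")
    first_kind, _ = proxy.step1("alice")
    second_kind, _ = proxy.step1_with_answer("alice", "rex")
    return first_kind, second_kind == "image" and proxy.step2("alice", "hunter2")


def enumerate_from_one_ip(attempts: int) -> int:
    """Bulk username lookups from a single IP: how many are served before the limit bites."""
    bank = make_bank(bind_to_device=False)
    return sum(bank.get_sitekey(f"user{i}", None, "198.51.100.7")[0] != "blocked"
               for i in range(attempts))
```

Device binding changes what the proxy sees on its first request, but since the proxy sits between the victim and the bank it relays the challenge question exactly as it relayed the username, which is the point a later comment in this thread makes about asking for the pet's name. The per-IP counter stops bulk harvesting from one address and nothing else: a relay needs only one lookup per victim, and the distinct `unknown` reply is still an oracle for whether a username exists.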
If you go to http://www.bankofamerica.com/creditcards/ pages and click "View all cards", click one of the cards, click "Apply now", click "Sign in".
It then gives you a page asking for your passcode without bothering with the site key junk.
So not only do the customers not pay any attention to it, the bank itself doesn't bother with it either.
Seems to me the phishing site could also use a string of random proxies as well as ask the user their pet's name...
I can't tell one image from another after a while.
I have accounts at several of those "pick-a-picture" type places and not a single one of them offers memorable porn images with which to motivate your security instincts!
Just once, I'd like to make phishers look at goatse man for a long time, before they even get a chance to rip some one off. Might make them think about prison too!
This issue is a bit more complicated than you think.
In my experience, I hate the SiteKey. I called and tried to opt out. I told them I was smart enough not to get duped by a phishing site. They refused, said it was part of it now.
My other experience was with my 70 year old father. He had no idea why he had blueberries, or how the picture got there even. He would not have cared what picture is there. He does not read the fine print, he just clicks and clicks to get in. I told him: you don't see blueberries, don't put in your password.
Overall I think it is a novel idea, but just like passwords, it will not work very well.
The people testing this were from Boston... Hell, the people are scared of Lite-Brites... Troll troll troll your boat.....
If I go to log on, I see a grid of 12 boxes. This grid changes every time (minor pain). In each box are 2-3 letters and 1-2 digits that are randomly distributed on each page load. I have to hunt for my password each time. I click the individual box that represents each password character one by one, and something in that box gets added to the password box on screen.
Look at a US keypad phone: if that PRECISE layout popped up in the randomizer and my password is stick5tome, it would transmit 7842558663 to the website, which would run the pattern against my password and approve.
How can this be used/thwarted?
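The two layouts described in this thread, the animal grid a few posts up and the twelve-box keypad in the post above, are the same mechanism: a random layout per page load, with the client sending positions rather than characters. The following added example (not code from either poster or from any bank) implements the keypad variant end to end and then plays the observer. Box count and the sample password `stick5tome` are taken from the post; the 36-symbol alphabet dealt three per box is an assumption. It shows why a captured click sequence cannot be replayed, and how few observed sessions something that captures both the rendered page and the clicks needs in order to pin every character.

```python
import random
import string
from typing import List, Set, Tuple

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, assumed for the demo
BOXES = 12
Grid = List[str]                                    # box index -> symbols printed in it
Session = Tuple[Grid, List[int]]                    # what an observer sees: the page and the clicks


def make_grid(rng: random.Random) -> Grid:
    """Deal all 36 symbols into 12 boxes of three, freshly shuffled per page load."""
    symbols = list(ALPHABET)
    rng.shuffle(symbols)
    return ["".join(symbols[i::BOXES]) for i in range(BOXES)]


def grid_for_seed(seed: int) -> Grid:
    return make_grid(random.Random(seed))


def box_of(grid: Grid, symbol: str) -> int:
    return next(i for i, box in enumerate(grid) if symbol in box)


def client_encode(grid: Grid, password: str) -> List[int]:
    """What the browser sends: one box index per password character, like 7842558663."""
    return [box_of(grid, c) for c in password]


def server_verify(grid: Grid, stored_password: str, clicks: List[int]) -> bool:
    """The server maps its stored password through the same grid and compares."""
    return client_encode(grid, stored_password) == clicks


def observer_candidates(sessions: List[Session]) -> List[Set[str]]:
    """Trojan with a screen grab, or a shoulder surfer: each click narrows that position
    to the three symbols in the clicked box; intersect across observed sessions."""
    length = len(sessions[0][1])
    cands = [set(ALPHABET) for _ in range(length)]
    for grid, clicks in sessions:
        for pos, box in enumerate(clicks):
            cands[pos] &= set(grid[box])
    return cands


def replay_fails(password: str, seed: int) -> bool:
    """A captured click sequence is useless against the next page load's grid."""
    rng = random.Random(seed)
    captured = client_encode(make_grid(rng), password)
    return not server_verify(make_grid(rng), password, captured)


def sessions_to_recover(password: str, seed: int, limit: int = 20) -> int:
    """How many observed logins until every position is pinned to a single symbol."""
    rng = random.Random(seed)
    seen: List[Session] = []
    for n in range(1, limit + 1):
        grid = make_grid(rng)
        seen.append((grid, client_encode(grid, password)))
        if all(len(c) == 1 for c in observer_candidates(seen)):
            return n
    return -1
```

Three symbols per box means one observed session leaves three candidates per position, and the intersection of two or three sessions almost always leaves one. The click count also reveals the password length outright. So the scheme defeats a plain keystroke logger and replay of the wire value; it does not defeat anything that can see the page as well as the clicks, which is what the poster's "video capture" caveat on the animal grid amounts to.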
Last night, I spent literally an hour going through the images they had available to choose from, for the "SiteKey" image for my account. The site only shows you 8 or 10 images at a time, and it randomly repeats some previously-viewed images in each subsequent set of images, so it will take a long time to see every image. The images are organized into at least 5 different categories - I only looked at the images in the "Business and Technology" section.
:)
I paged through at least 1500 sets of images, before choosing my image. I'm sure there were more images, but I finally stopped paging through them when I found an image I liked. Yes, I apparently have too much time on my hands.
The images themselves (at least in the section I selected) are an interesting mix of old and new technology images - lots of old and new desk phones, music recording equipment (e.g., reel-to-reel tape decks and '80's keyboards), ancient and modern computers and peripherals, electronic components and parts (circuit boards, CPUs, etc.), automobiles and trucks, farm equipment, tools, and lots of other things.
Has anyone else who has signed up for BoA web account access scrolled through these SiteKey images like I did?
Pete
P.S. This is my first ever Slashdot post, after many years of lurking. Hello!
Well done, sir. I was about to reply since I, like you, have seen the unemployment line in my day through no fault of my own. But it looks like you beat me to it. I tip my hat.
I could think of several ways, both completely social and lightly technical, to get around SiteKey. Even if somebody gave me the grant money that MIT got for this, I would not write it up for public consumption. I hope the MIT folks know some other techniques and just released this one to tell people to not be stupid. The study itself is flawed. Would you volunteer to log in to your bank account on somebody else's computer? NOT ME! I think this study would attract only dolts.
How is this a flaw in the system? I think it's a flaw in the users.
What you need to do is educate people on how to read the damn URL instead of selling them on security measures that the allegedly secure website uses. Education. Is. The. Key. This reminds me a lot of people that used to open the "brittany_spears_naked.jpg.vbs" files in their Outlook Express email clients. Half the people that are scammed fall for this stuff because they don't know how to properly read a URL or a filename. It's not that difficult, but in the beginning, when they get their Internet cherry popped, it can be confusing. People should have to pass a test before they can have internet access. Like a driver's license. It's a small prevention measure that can really save people a lot of grief.
All security systems which require human interaction are flawed.
B of A simply needs to make sure the user is paying attention to the sitekey. This is easily solved by presenting the user with _multiple_ keys and asking the customer if their key is present. Present additional sets of keys until they answer yes. If, at any point, they answer incorrectly, make them read a detailed explanation of the sitekey system and the dangers of phishing.
However, I believe none of this should be necessary as the correct mechanism is already in place... the server certificate. Unfortunately, the average Joe seldom if ever checks server certificate details to ensure validity. Shouldn't browsers advertise this information with something more than a tiny lock icon?
Anyway, both systems fail due to a lack of end-user education. This will never change.
Bank of America's SiteKey feature is, for the most part, an improvement over previous security measures. It is designed to mitigate basic phishing techniques, not to protect against man-in-the-middle attacks or other more sophisticated hacks.
Other banks use different measures, each of which is typically aimed at a different security problem. HSBC uses a "virtual keyboard" to mitigate keyboard loggers, for instance.
But the basic flaw in all of these security measures is that they rely on knowledge to authenticate a user. The problem is, knowledge is transferable. Whether it was a keyboard logger or a phishing attack, whatever the company is using to try and make sure you are who you say you are can be used by somebody else.
The only way around this is using a combination of both knowledge *and* something non-transferable. This can be biometric (retinal, finger print, face, whatever), or something a lot more simple (and cheap), such as a smart card. (Yes, I know a smart card can be stolen, but it's going to be a *lot* harder to steal a smart card AND the login information.)
Using a combination of transferable and non-transferable authentication requirements means that even if somebody phishes my login/password/sitekey/whatever, if they don't have the little card on my key chain, they're not getting into my bank account.
It's just a matter of time before this becomes widespread and even required. Microsoft already requires this for all employees accessing their company network, and support for this kind of two phase authentication is built into Windows Vista.
As the technology becomes cheaper, it will slowly become an option for banking customers, and eventually a requirement.
It seems likely to me that most people thought "Hmm, this page is suspicious", but that the obedience to authority (OTA) principles Milgram demonstrated made them go ahead and log in anyway.
It's not clear to me how you could fix the experiment to avoid OTA behavior overriding and destroying your actual data.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
The previous sign in system at BofA had you enter your social security number. Now, at least, there's nothing really identifiable to you unless you decide to do it. Further (I don't think this has been brought up) it's not just a picture. You get to name the picture. You could name a picture of a parachute "mydoghasfleas." This combination is what is shown to you before you enter a password. Signing up for this thing is not trivial. There's a ton of stuff to do before you get it working. It is just incredulous to me that after going through the hassle people would ignore the system. It is even more incredulous that they found 30 people, took them somewhere else, handed them a computer, and told them to log into their bank accounts. No wonder the Nigerian scam is still going. THEN 28 out of 30 people, under these very suspicious circumstances, ignored the system? WHERE did they find these people?
How about a moderation of -1 pedantic.
I have a BoA credit card after they bought Fleet. Loved the Fleet site, was easy to get into (for users, they still required a reasonable password), could view my bills, easily see my balance due as of the last bill, etc. The BoA site originally gave me no option to see the last bill, nor to see the balance due on it. I HAD to refer to my paper bill if I wanted to know, and when I went to sign up for eBill so I could auto-pay via my USBank bill pay, I never got a single email and paper bills stopped, and USBank's side never enabled so I turned it off, back to paper bills. Even worse, USBank says the BoA side is flawed because when I request eBill via USBank, the BoA side says I already have eBills enabled and I have to turn it off, which in the BoA site it says it is off.
And, as of about 6 months ago, I can't even log into the BoA site because their system is so overly complex. I have no idea why they think that using a SSN for the login name is "secure" but they don't give a choice, their password requirement is ridiculous so I rarely remember it, and the SiteKey probably works great for people with strong visual memories, which I don't have so I can never remember my key either. Maybe if I could upload my own pic to it, then it might work. As is, it's a turd and I no longer use my Bank of America card because of it.
Strong passwords are important, but at some point they become so complex that you have to write them down and then they aren't so strong anymore. I have 2 that are this way on my desk, I'm not worried because the sites/servers they are for aren't written down and since there are only 2 I know which is which, but if I have maybe 10 or 15, or one for every damned site I had to login to, it would be impossible.
Let users choose a login name, and let them choose a password. And mention the password restrictions on the damned login page so memory can be jogged. Why is this so much to ask for? And don't go on about "oh but if the hackers know the requirements then it's easier to brute force" bullshit because they can get the requirements off the sign up page anyway. And it's not hard for a server to detect brute force attempts and ban them. Pretty sure BoA thought I was trying to hack my sitekey and locked me out.
- Disclaimer: Information in this post deemed reliable but not guaranteed.
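The claim above that "it's not hard for a server to detect brute force attempts and ban them" is true, but the same poster also reports being locked out of their own account, which is the classic failure mode of a naive per-account ban. As an added example (my code, not the poster's and not anything Bank of America runs), here is a sliding-window login throttle that counts failures per source address and per account separately, locks only for a bounded time, and is exercised on constructed scenarios; the thresholds, window lengths and IP addresses are all assumptions chosen for the demo.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class LoginThrottle:
    """Sliding-window failed-login counter.  Two independent keys:
    ("src", address) catches one attacker spraying many accounts,
    ("acct", username) catches many addresses hammering one account.
    Thresholds below are constructed defaults, not anyone's production values."""

    def __init__(self, window_s: float = 300, max_per_source: int = 20,
                 max_per_account: int = 5, lockout_s: float = 900) -> None:
        self.window_s = window_s
        self.max_per_source = max_per_source
        self.max_per_account = max_per_account
        self.lockout_s = lockout_s
        self._fails: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[Tuple[str, str], float] = {}

    def _recent(self, key: Tuple[str, str], now: float) -> Deque[float]:
        """Drop failure timestamps that fell out of the window, return the rest."""
        q = self._fails[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def is_blocked(self, source: str, account: str, now: float = None) -> bool:
        """A lockout is temporary: it ends on its own after lockout_s."""
        now = time.time() if now is None else now
        return any(self._locked_until.get(k, 0.0) > now
                   for k in (("src", source), ("acct", account)))

    def record_failure(self, source: str, account: str, now: float = None) -> bool:
        """Register one failed attempt; returns whether the pair is now blocked."""
        now = time.time() if now is None else now
        for key, limit in ((("src", source), self.max_per_source),
                           (("acct", account), self.max_per_account)):
            q = self._recent(key, now)
            q.append(now)
            if len(q) >= limit:
                self._locked_until[key] = now + self.lockout_s
        return self.is_blocked(source, account, now)

    def record_success(self, source: str, account: str) -> None:
        """A real login clears the account's failure history (not the source's)."""
        self._fails.pop(("acct", account), None)


def simulate() -> Dict[str, bool]:
    """Constructed scenarios on a fixed clock so the outcome is reproducible."""
    base = 1_700_000_000.0
    t = LoginThrottle()
    # 1) one address trying 20 different accounts once each: per-source limit trips
    for i in range(20):
        t.record_failure("198.51.100.7", f"user{i:02d}", now=base + i)
    spray_blocked = t.is_blocked("198.51.100.7", "user99", now=base + 25)
    # 2) a legitimate user mistyping three times from home is not locked out
    for i in range(3):
        t.record_failure("203.0.113.5", "alice", now=base + i)
    alice_ok = not t.is_blocked("203.0.113.5", "alice", now=base + 5)
    # 3) five failures against one account from five addresses lock that account,
    #    but only for lockout_s; afterwards the owner can log in again
    for i in range(5):
        t.record_failure(f"192.0.2.{i}", "bob", now=base + i)
    bob_locked = t.is_blocked("192.0.2.50", "bob", now=base + 10)
    bob_unlocked_later = not t.is_blocked("192.0.2.50", "bob", now=base + 10 + 900)
    return {"spray_blocked": spray_blocked, "alice_ok": alice_ok,
            "bob_locked": bob_locked, "bob_unlocked_later": bob_unlocked_later}


if __name__ == "__main__":
    print(simulate())
```

The per-account key is the one that hits legitimate users: anyone who knows a username can trip it, so it is kept lower than the per-source key only because it expires quickly, and a deployment would normally pair it with a slowdown or a challenge rather than a hard ban.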
This summary got me thinking about how one decides whether or not to trust a given physical bank. Creating a fake bank building would be quite difficult, so the physical building, proper signage, staff, and the presence of other bank customers are good signs that a given branch is legitimate. These are all either trivial to duplicate or impossible to see on a website. A website has two things that are less easily forged: the domain name and the SSL encryption.
The domain name can be made very confusing as with bankofamerica.com vs. bankofamerica.com.phising-site.info and other URI obscuring techniques. One way to reduce confusion would be to display the domain name perhaps on a separate line, or perhaps with the last two or three components highlighted in some way... Or completely change the browser interface. Take XKCD's wonderful map of the Internet. This is the browser start page. Type in "bankofamerica.com". The browser performs a DNS lookup, and then zooms in to the appropriate area of the map. As it zooms closer, the bank customer might see some familiar neighboring websites pass by. The customer learns the virtual but fixed location of the bank's website, and has a way to find that site again without using a search engine or typing anything: simply zoom in to the relevant area and the browser will flag sites you've visited in the past. A phishing site is hopefully not likely to have an IP address near the bank's.
Does this have a chance of working? Many sites have multiple servers, and I imagine the largest have servers distributed very distantly on any map of the Internet; a customer might learn a few different locations, but what is he to think when a new location comes up? IPv6 would also present a challenge with its vastly larger address space.
As for SSL, the small lock icon or a yellow address bar never struck me as being very noticeable. There are two key pieces of information a bank or other store customer would like to know: are my transactions encrypted (well, I would like to know this) and is this really my bank? I haven't come up with a good idea for this one, other than perhaps an animated cable connecting the browser text back to a small and zoomed out map of the internet to represent the connection between the browser and the remote computer. An unencrypted connection might be indicated similar to the address bar with color or a lock icon, but would be animated during download or upload progress to make it more clear what exactly was being sent to the remote computer. As for trusting that the remote site is actually my bank, I wish browsers (and I think this may exist for some) had a way to personally trust a certificate, and I wish banks would include certificate fingerprints on their documents similar to physical addresses and telephone numbers, but this suffers from the same complexity problems as PGP.
Well, what say ye? I would love a browser that behaved like a zoomable map of the Internet, even if only for novelty's sake.
Anyone notice where this study took place? The same place that confused Lite-Brites for bombs.
Spiral out. Keep going...
Ironic... I just blogged about my credit card company doing this sort of thing. But it ultimately doesn't solve the phishing problem. But by making the password a combination of a user selected token and a picture question password, I think mutual authentication can be improved. It's still not as strong as two-factor, but getting close.
Nevermind the fact that there was no control group in the study and the number of users is not nearly large enough to come up with the conclusion that it is a flawed system.
"You had this look that of an angel, it was such a bad disguise" --Dishwalla
Just get new customers.
Perhaps the users thought the controlled environment was, you know, controlled.
Assuming they didn't do this study in a cardboard shack with an abused laptop fished out of the garbage of course.
Dewey
you mostly understood my proposal
and the part about capturing logon 3-4 times would defeat it
it's been my experience that 90% of phishing sites are down/gone removed in very short timeframes...
I would think clueless newbies would not log in multiple times over the length of time required for multiple events to be recorded.
every day http://en.wikipedia.org/wiki/Special:Random
Dewey
...is, as always, the human.
I think prolly to get people to agree to a security study and then, a month or whatever later, send them, via email, a pseudo phishing type thing to see if they'd recognize it as such at home or wherever it is they normally check email and do online banking.
.. not having them sit in some room where they think they are trying to satisfy the study's requirements and therefore ignore the sitekey image being wrong.
That's the proper way to do this experiment imho
In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.
Based on that description, the researchers did not prove that SiteKey is flawed. The researchers proved that most people are idiots. I don't think that qualifies as a ground-breaking discovery....
/. If the government wants us to respect the law, it should set a better example.
How many people rejected participation in the study out-of-hand, simply because it involved online banking with their personal account in a non-secure environment? I know I would.
When I first saw the SiteKey feature on my BofA account, I was impressed. The SiteKey system is very effective. It's an operator who's flawed.
perhaps the experiment was flawed.
I doubt it. I think it is because most people (58/60) are nearly retarded.
The first post is right. The people are flawed.
The article is overly critical of the system. My wife and I are also customers of BOA, and we're very clear on how it works, we expect to see her custom little picture when logging in. For us it is great security against phishing attacks.
If someone representing BoA asked me to do a study in their office on their network, and I showed up, I would already feel pretty secure in their testing environment. If I sat down at a company computer on their private network, I would make the assumption that everything is OK even if I didn't see the logo... On the other hand, if I was on a public PC, or on a public network, or even on my home network, I wouldn't log in. They are using social engineering here by accident; they are testing the users' trust in the testing company, not the website. I think that invalidates any outcome of this study.
Ad eundum quo nemo ante iit!
I'm sick and tired of "verifying that my SiteKey is correct".
All they did is make the login process arduous. Instead of being able to bookmark one page, go there, click a button to make Roboform log me in, I have to click a button, then wait for the page with their retarded SiteKey to load, manually enter my password, then hit enter and wait through another page load.
I'm completely immune to phishing attacks because I simply don't use links from emails. I only ever use my own bookmarks to get to my bank's page. All sitekey does is waste my time.
Question everything
Are we talking "super-moron" or what?
Any technology distinguishable from magic is insufficiently advanced.
Like eating healthy, exercising, etc. Not to mention remembering to take pills/medication on time. In other words, we have to choose to follow their advice.
Are doctors flawed because I still can't pig out on greasy foods and smoke all day without worrying about health consequences?
Okay, so it points out that people don't pay attention to the security features which are available to them and use them.
Hell I could have told you that, without a big study
I think reporting on this does a disservice to security more than it helps. Now every other banking manager is going to say, why should we go to that much trouble. Some geek is going to find some flaw in it and then they are going to report all over the internet "how our security is flawed".
They added a security feature and nobody uses it. That is what it should say. Not that it is flawed.
I could report that Norton security, Sophos security, and various other Internet Security Suites are flawed because users can turn it off and not use it.
This is aluminum tin foil hat reporting at best.
He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
I think the title is flawed; it's the fault of the users of the survey to ignore the site key. How can you justify saying the sitekey system was flawed? Raghu
If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)
Did you read the paper? The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness. This group did just as badly as the others.
IMHO there is a more fundamental flaw in the study - and any study of this type: Selection bias.
They conducted a study in which people were asked to access their own bank accounts on computers and networks controlled by the experimenters (where they could then hack the site presentation and record the subjects' actions).
Nobody with a CLUE about online security would participate in such a study. (Think about it for a minute: Would YOU "participate" in such an "experiment", using YOUR own actual bank account and access code?)
So their pool of experimental subjects was drawn from the clueless subset of the population.
I'm not at all surprised by the results. (Except perhaps that two actually refused to enter their codes when the security image was not correct.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I misread the title at first glance and I thought, wow, that IS news, then I reread and wasn't surprised at all. How disappointing.
I've written numerous letters to BoA regarding this, and I'm surprised the study didn't cover this. I don't see how this does anything but provide a false sense of security.
While the study pointed out how the sitekey is generally unused on client end, it doesn't cover how it is really flawed.
Sitekey primarily shows you an image you select at an early occasion, so you can verify it's actually the site and not a phish. When you login with your username, it shows you your sitekey image, and says only type in the pw if it's proper.
So, what's to stop someone's phishing site from remotely connecting from itself to BoA's website, using the username entered in the phishing site, and retrieving the sitekey image shown to the phishing script, and displaying that on the phish site to the user?
It completely circumvents the sitekey, and leaves users thinking that since the phishing site is showing the proper image, it is an authentic site and okay to enter their password, which they then would.
Anyone else considered this?
Seems to me that people who can't figure out how to use SiteKey don't deserve secure banking. Seriously, how hard is it to understand those little pictures? These people probably shouldn't be allowed to use computers, drive cars, or procreate either, but first things first...
I found it impossible to use Bank Of America through a DSL connection, so I'd have to consider it very secure since I can't access it! Its the first time I ever encountered this problem.
To their credit, though, they don't support Internet Explorer 7.0, so they are more secure than most.
...for men anyway. I mean don't all BoA men customers use the, yummy, frosty mug of beer?
It's flawed because the image often takes twice as long to load as the signin page. Since I consider myself smart enough to not get phished, I've added sitekey.bankofamerica.com to my adblock filter and now I can log in much faster.
Why can't a phishing program just display the SiteKey?
It's pretty easy to get a person's SiteKey off someone who's using wireless, anyway, since all the sitekeys have different file sizes...
Financial institutions should not worry about phishing attacks. It's not their job.
1. The user needs to learn how to check a domain name to determine if it's being phished.
2. Banking websites need to stop creating extraneous domain names. When I log into www.mitfcu.org (my institution's official homepage), the actual pages come from www.mitfcu-online.com (why?????)
3. Browsers are incorporating phishing protection these days already.
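Two posts above make the same point from different angles: the "zoomable map" post observes that bankofamerica.com vs. bankofamerica.com.phising-site.info is hard for a person to tell apart and suggests highlighting the last components of the name, and item 1 just above says the user must learn to check the domain. What a browser, a mail filter or a training tool actually has to do is compare the real host of a link against the expected domain as a suffix, not as a prefix or a substring. The following is an added example of that check (my code, not the posters' and not any browser's); the sample links are constructed, and the two-label "owner part" used for highlighting is a simplification that real browsers replace with the Public Suffix List.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# The domain the posts above talk about; treat it as the site the user meant to visit.
EXPECTED_DOMAIN = "bankofamerica.com"


def hostname_of(url: str) -> Optional[str]:
    """Host part of url: lower-cased, with any user:pass@, :port and trailing
    dot removed.  None when the URL carries no usable host."""
    host = urlsplit(url).hostname  # urlsplit already strips userinfo and port
    return host.rstrip(".") if host else None


def is_expected_site(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only for an https URL whose host IS the expected domain or a
    subdomain of it.  A lookalike that merely starts with the bank's name
    (bankofamerica.com.<attacker-suffix>) fails the suffix test, and a
    user:pass@ trick is defeated because only the real host is compared."""
    if urlsplit(url).scheme != "https":
        return False
    host = hostname_of(url)
    if host is None:
        return False
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def highlight_registrable_part(host: str, labels: int = 2) -> Tuple[str, str]:
    """Split host into (everything else, its last `labels` labels) so a UI can
    render the part that names the site owner differently, as the post
    suggests.  Assumes a two-label owner name; suffixes like co.uk break that
    assumption, which is why browsers consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[:-labels]), ".".join(parts[-labels:])


def check_links(urls) -> Dict[str, Tuple[str, str]]:
    """Classify each URL: {url: (verdict, owner part of the host)}."""
    results = {}
    for url in urls:
        host = hostname_of(url) or ""
        owner = highlight_registrable_part(host)[1] if host else ""
        verdict = "expected site" if is_expected_site(url) else "NOT the bank"
        results[url] = (verdict, owner)
    return results


# Constructed sample links for the demo (not taken from any real message).
SAMPLE_LINKS = [
    "https://www.bankofamerica.com/login",
    "https://bankofamerica.com.phishing-site.invalid/login",  # name-prefix lookalike
    "https://bankofamerica.com@evil.invalid/login",           # userinfo trick
    "https://evil.invalid/bankofamerica.com/login",           # bank name in the path
    "http://bankofamerica.com/login",                         # right host, no TLS
]

if __name__ == "__main__":
    for url, (verdict, owner) in check_links(SAMPLE_LINKS).items():
        print(f"{verdict:14s} owner={owner:24s} {url}")
```

The owner column is what the "highlight the last two or three components" idea would show: for the lookalike it reads phishing-site.invalid rather than bankofamerica.com, which is exactly the cue the user never gets from the raw string.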
I work in online banking for BofA.
I have used almost all the major websites, and some smaller ones and I wish my credit union was as great, I end up using my BofA account to view all my others, My Portfolio, and I can do transfers to and from my Credit Union from the BofA website.
I do agree that the system could be more informative, setting better expectations on what the feature does. All of you are about to experience this same feature, most banking companies that offer online banking agreed jointly to implement this, Bank of America is just leading the way. We have the most online banking customers, and the feature has been reported several times as being effective in lowering fraud, both attempts and total costs the bank experiences.
The final part of any security system is the person using it.
If you have built castles in the sky, your work need not be lost. That is where they belong, now go out and build the fo
SiteKey is properly explained to users. Unfortunately, there is no security patch or protection for human impatience and stupidity. There's nothing wrong with the system, it's the users who're at fault. Badly written headline.
This security method is seriously flawed. It is supposed to protect users who would be scammed by phishing attempts. However, it requires users be moderately aware of what is going on security-wise. If somebody is security unconscious enough to get scammed by a phishing email, which requires quite a bit of unconsciousness, considering how often banks and the evening news warn against it, they will be unconscious enough to miss an image, which requires a moderate amount of unconsciousness, seeing as it is explained once, and only by one or a few banks, and maybe not as clearly as, "Never click on a link in an email message."
They phased out SSN as username, and if you still have that, you can change your username online.
The real problem is the START of authentication. On the identity theft / SSN is a secure factor kind of level. NOTHING in a public record should be a secure factor; it's easier for the crooks to look that up than for you to remember it.
Another really basic problem is this: US banks are setting up the systems, but they have only moderate legal liability for problems from it.
However, I don't think you're right about the extent of a pain it has to be to use a better system for online banking.
The basic online banking problem is that you can't guarantee the path between you and their server - so you need to change the auth very frequently. But you can't, because people can't handle the changes themselves - so people need a dongle, or a book of pwds.
The simplest system is a simple dongle where you push a button, it gives you a one time pwd, and you enter it along with your regular pwd. This is still vulnerable to people hacking into your account "live" at the same moment you're logging in. (And you can't just prevent the "duplicate" logins because they can just as easily block your actual login so it's not duplicate.) But it's better.
Assume a small device with, say, 11 keys and a little black and white screen and the ability to beep - and that's a USB dongle with One Time Pad hardware.
When you try to login to the bank's website, have this super-dongle communicate with the server through the computer's network connection. It can't guarantee the computer or network doesn't redirect the packets, but it can do some crypto certificate magic to make reasonably sure it's got the right server before it talks and can talk over an end to end encrypted channel using something stronger than normal SSL. You enter at least a PIN into the super-dongle itself, for it to transmit rather securely.
Go about your banking session via your normal web browser. When it comes time to make a transaction, everything happens as normal, except that the "confirm" page happens on the dongle - the dongle displays a brief summary of the transaction and you hit "yes" - or maybe you enter the whole-dollar amount of the transaction.
Your web session could, of course, potentially be hijacked under this system, because it can't be stronger than SSL. Although under certain circumstances the super-dongle could start furiously beeping. So your statements are only protected by a normal level of semi-security. But your PIN and your transactions are both protected quite well.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
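The proposal above has two separable parts: the plain "push a button, get a one-time password" dongle, and the stronger "super-dongle" that shows a summary of the transaction on its own screen and only then emits a confirmation, so that a hijacked browser session cannot silently change the amount or destination the user approved. As an added example (mine, not the poster's design as built and not any bank's product), the block below implements both pieces in miniature: an RFC 4226 counter-based one-time password for the first, and a transaction-bound HMAC for the second, checked on constructed transactions. The shared secret is RFC 4226's published test secret so the HOTP output can be compared with the RFC's vectors; the account numbers, counter values and summary format are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Constructed shared secret: provisioned into the dongle and stored by the bank.
# It is RFC 4226's test secret, so hotp() below reproduces the RFC's vectors.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (RFC 4226): the simple dongle from the
    post.  HMAC-SHA1 over the 8-byte counter, then 'dynamic truncation' picks
    four bytes at an offset given by the last nibble of the MAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


def canonical_summary(txn: Dict[str, object]) -> str:
    """The short line the dongle screen would show.  Fixed field order and
    formatting matter: dongle and server must MAC exactly the same bytes."""
    cents = int(txn["amount_cents"])
    return f"pay {cents // 100}.{cents % 100:02d} to {txn['to_account']}"


def dongle_confirm(secret: bytes, counter: int, txn: Dict[str, object]) -> str:
    """What the dongle emits after the user reads the summary and presses yes:
    HMAC-SHA256 over (counter || summary).  Binding the counter stops an old
    confirmation from being replayed for a later transaction."""
    msg = struct.pack(">Q", counter) + canonical_summary(txn).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def server_verify(secret: bytes, counter: int, txn: Dict[str, object], tag: str) -> bool:
    """Bank side: recompute over the transaction it is about to execute and
    compare in constant time.  Any change to amount or destination after the
    user confirmed yields a different summary and therefore a different tag."""
    expected = dongle_confirm(secret, counter, txn)
    return hmac.compare_digest(expected, tag)


def demo() -> Dict[str, bool]:
    """Constructed walk-through of the three cases the post cares about."""
    user_saw = {"amount_cents": 12500, "to_account": "ACCT-1234"}
    tag = dongle_confirm(SHARED_SECRET, 7, user_saw)           # user pressed yes
    tampered = dict(user_saw, to_account="ACCT-9999")          # session hijack swaps payee
    return {
        "genuine": server_verify(SHARED_SECRET, 7, user_saw, tag),
        "tampered": server_verify(SHARED_SECRET, 7, tampered, tag),
        "replayed": server_verify(SHARED_SECRET, 8, user_saw, tag),
    }


if __name__ == "__main__":
    print("one-time codes:", [hotp(SHARED_SECRET, c) for c in range(3)])
    print("summary shown on dongle:", canonical_summary({"amount_cents": 12500, "to_account": "ACCT-1234"}))
    print(demo())
```

Note what the two mechanisms protect: hotp() only proves the dongle was present at login, which is why the post is right that it still loses to someone riding the same live session; dongle_confirm() binds the secret to the exact summary the user read, so the session can still be hijacked but the money cannot be redirected without the user seeing a different line on the device.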
If it's a link coming from somebody who has my financial information, it's spam/phishing. Sorry guys, you're wasting bandwidth sending me emails.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
I have to agree with many replies to this post. "User Education" is a flawed process. We (IT professionals) expect users to have general knowledge of security concepts and common sense. But at the end of the day we have users that have ID's for online banking, email accounts, work, and anything else you can think of. Chances are the ID/password combinations are not the same and therefore are recorded for remembrance. Now take security best practices and apply them to this scenario. Strong random passwords, password changes every 30 days, etc...etc.... What does this equation net? Non-compliance, it's too much darn work. So 85% of the users are using easy to remember passwords, not changing their passwords and recorded in some easily accessible location. I would love to see the top thinkers in the industry come up with a user friendly yet ultra secure solution and all of our lives would be better.
Despite them saying that it helps prevent phishing (which it might in some small way), the main purpose is so that the Bank feels more secure about it. Sitekey is more like a "known terminal personally accessed by this login holder, who answered security questions, and BofA has a stronger claim against someone fraudulently claiming his ID was stolen." It doesn't strike me as any more secure from my side of the transaction.
I'm a Bank of America customer and a regular online user.
It would be nice if BoA would put an 'i'm not an idiot' button somewhere that would offer folks the ability to OPT OUT of all the redundant buttons and IDs and sitekeys and all that stupid crap. I don't want it. It's just a waste of time.
Once again 99% of people must be made to suffer for the 1% of idiots out there -- the idiots who actually fall for phishing scams.