Slashdot Mirror


Study Finds Bank of America SiteKey is Flawed

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they log in, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."

4 of 335 comments

  1. The Real Question is... by Expertus · Score: 4, Informative

    when will these 'researchers' be arrested for pointing out flaws in a security system.

  2. The system is actually technically flawed by jyoull · Score: 4, Informative

    Discussion and links to papers here:

    http://bbaadd.com/blog/2006/08/security-why-sitekey-cant-save-you.html

    This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been greatly simplified, and some new material is presented. Readers seeking more depth of coverage should consult the original paper, available at the above URL.

    Although this report discusses SiteKey at Bank of America Corporation, the general risks discussed here apply to all SiteKey sites including ING Direct and Vanguard.com, and they apply even more generally to any security method that relies solely on server-side interventions to detect and stop online fraud.

  3. Re:Flawed system or flawed usage? by monkeydo · Score: 4, Informative

    If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

    Did you read the paper? The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness. This group did just as badly as the others.

    --
    Si vis pacem, para bellum
    The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian

  4. Re:Flawed system or flawed usage? by thebigbluecheez · Score: 5, Informative

    As a Bank of America customer, I have to tell you that you're not entirely correct here.

    If I log in from a new computer (or clear cookies on my own), I have to add that computer to the safe list. That is, I have to get a new cookie.

    In order to authorize a new computer, I have to answer one of three preselected security questions. These questions include:
    What is your maternal grandmother's first name?
    What is your maternal grandfather's first name?
    In what city were you born?
    What was the name of your first pet?
    and 5 more that I don't care to take the time to count.

    After this authorization takes place, my sitekey is displayed, allowing me to verify the authenticity of the site.

    That's not to say it's foolproof, but it isn't quite as simple as you make it out to be.

    What really makes it fun is when my mom's cookies get cleared, and she can't recall the answers to her questions. /missed the aforementioned security classes //not an expert, just a user.

    --
    I like your Macs, but I don't like your Mac users. (with apologies to Gandhi)
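The login flow described in comment 4 (recognised-computer cookie, fallback security question, then the SiteKey image shown before the password prompt), as an added Python model constructed for this thread; it is not Bank of America's code or anything posted above, and the user record, secret, question text and function names are assumptions. It makes the study's point concrete: the server can only sequence the image before the password; nothing on the server side can tell whether the customer actually looked at it.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed sample data, not real bank records. The server secret is a
# placeholder generated at startup; a real deployment would persist it.
SERVER_SECRET = secrets.token_bytes(32)
USERS = {
    "alice": {
        "sitekey_image": "red_canoe.png",  # image chosen at enrolment
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "challenge": ("What was the name of your first pet?", "fido"),
    }
}

def _cookie_tag(username: str, nonce: str) -> str:
    msg = f"{username}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_device_cookie(username: str) -> str:
    """Mint a signed 'registered computer' token after a passed challenge."""
    nonce = secrets.token_hex(8)
    return f"{username}:{nonce}:{_cookie_tag(username, nonce)}"

def device_cookie_valid(username: str, cookie: Optional[str]) -> bool:
    """True only if the cookie's HMAC verifies and it was issued to this user."""
    if not cookie or cookie.count(":") != 2:
        return False
    user, nonce, tag = cookie.split(":")
    return user == username and hmac.compare_digest(tag, _cookie_tag(user, nonce))

def login_step1(username: str, cookie: Optional[str] = None,
                challenge_answer: Optional[str] = None) -> Tuple[str, str, Optional[str]]:
    """Username stage. Returns (stage, payload, cookie):
    ('sitekey', image, cookie)    -> device recognised or challenge passed;
                                      the image is shown BEFORE any password is asked
    ('challenge', question, None) -> unrecognised device: ask a preselected question
    """
    user = USERS[username]  # assumption: username already validated upstream
    question, answer = user["challenge"]
    if device_cookie_valid(username, cookie):
        return ("sitekey", user["sitekey_image"], cookie)
    if challenge_answer is not None and hmac.compare_digest(
            challenge_answer.strip().lower().encode(), answer.encode()):
        return ("sitekey", user["sitekey_image"], issue_device_cookie(username))
    return ("challenge", question, None)

def login_step2(username: str, password: str) -> bool:
    """Password stage, reached only after the user has (supposedly) checked the image."""
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(given, USERS[username]["password_hash"])
```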