Study Finds Bank of America SiteKey is Flawed
An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they log in, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords.
The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images.
Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."
As a Bank of America customer, I have to tell you that you're not entirely correct here.
/missed the aforementioned security classes //not an expert, just a user.
If I log in from a new computer (or clear cookies on my own), I have to add that computer to the safe list. That is, I have to get a new cookie.
In order to authorize a new computer, I have to answer one of three preselected security questions. These questions include:
What is your maternal grandmother's first name?
What is your maternal grandfather's first name?
In what city were you born?
What was the name of your first pet?
and 5 more that I don't care to take the time to count.
After this authorization takes place, my sitekey is displayed, allowing me to verify the authenticity of the site.
That's not to say it's foolproof, but it isn't quite as simple as you make it out to be.
What really makes it fun is when my mom's cookies get cleared, and she can't recall the answers to her questions.
I like your Macs, but I don't like your Mac users. (with apologies to Gandhi)
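The login flow the commenter describes (untrusted device, challenge question, device cookie, SiteKey image, then password) modelled as a small server plus the client-side check the study found users skip. This is an added illustration, not Bank of America's code or the researchers' material; the user record, the toy SHA-256 password hashing, the `SiteKeyServer`, `user_should_type_password` and `ImagelessPage` names, and the random choice among stored questions are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user for this added example (not real account data).
# Password hashing is a bare SHA-256 for brevity; a real system would use a slow KDF.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "sitekey_image": "blue_sailboat.png",
        "questions": {
            "What was the name of your first pet?": "rex",
            "In what city were you born?": "boston",
        },
    }
}


class SiteKeyServer:
    """Models the three steps the comment describes: device check, challenge, SiteKey, password."""

    def __init__(self, users):
        self.users = users
        self.trusted = {}   # device cookie -> username it was issued to
        self.pending = {}   # username -> challenge question currently posed

    def start_login(self, username, device_cookie=None):
        """Step 1: username plus optional device cookie. A trusted device is shown the
        SiteKey image immediately; an untrusted one gets a challenge question instead."""
        user = self.users.get(username)
        if user is None:
            return ("error", None)
        if device_cookie and self.trusted.get(device_cookie) == username:
            return ("sitekey", user["sitekey_image"])
        question = secrets.choice(list(user["questions"]))  # assumption: pick one at random
        self.pending[username] = question
        return ("challenge", question)

    def answer_challenge(self, username, answer):
        """Step 2 (untrusted device only): a correct answer registers the device with a
        fresh cookie and reveals the SiteKey image. Returns (cookie, image) or None."""
        question = self.pending.get(username)
        if question is None:
            return None
        expected = self.users[username]["questions"][question]
        if not hmac.compare_digest(answer.strip().lower(), expected):
            return None            # wrong answer: question stays pending, no cookie issued
        del self.pending[username]
        cookie = secrets.token_urlsafe(32)
        self.trusted[cookie] = username
        return cookie, self.users[username]["sitekey_image"]

    def submit_password(self, username, password, device_cookie):
        """Step 3: the password is only accepted from a device holding a trusted cookie."""
        if self.trusted.get(device_cookie) != username:
            return False
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(digest, self.users[username]["password_hash"])


def user_should_type_password(response, expected_image):
    """The check SiteKey delegates to the human: type the password only if the page shows
    the image you preselected. Missing or wrong image means do not proceed."""
    kind, image = response
    return kind == "sitekey" and image == expected_image


class ImagelessPage:
    """The study's condition: a page that looks like the bank's but has no image to show."""

    def start_login(self, username, device_cookie=None):
        return ("sitekey", None)  # image slot left empty


if __name__ == "__main__":
    srv = SiteKeyServer(USERS)
    kind, question = srv.start_login("alice")           # new computer: challenge first
    cookie, image = srv.answer_challenge("alice", USERS["alice"]["questions"][question])
    print("trusted device now sees:", srv.start_login("alice", cookie))
    print("proceed on real site:", user_should_type_password(srv.start_login("alice", cookie), image))
    print("proceed on imageless page:", user_should_type_password(ImagelessPage().start_login("alice", cookie), image))
```

Note what the model makes visible: the cookie and challenge question only gate whether the image is shown; nothing on the server stops a user from typing a password into a page that never showed it. The `user_should_type_password` decision lives entirely on the user's side, which is exactly the link the study reports 58 of 60 participants ignored.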