Study Finds Bank of America SiteKey is Flawed

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at prevent phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they login, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."

This could be solved...

[Gnissem]

If BofA periodically did not show the image and then warned the user they had made a mistake by entering their password, users would soon be trained to look for the image. Setting up a security system once and then not reinforcing it periodically so that users take it seriously is the probelm.

Newflash!

[SNR+monkey]

Enhanced security measures thwarted by stupid users. More at 11!

It seems like most security systems based on users not being idiots are doomed to fail. Phishing attacks work because people don't follow normal security procedures, making the authentication process longer/more involved for the user seems to be an inherently flawed idea because it trusts the user to know what is best for him/her.

Re:Newflash!

[gsslay]

The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority. Here it was the people who led them into the room and stood about with clipboards. People are used to being told what to do by other officious looking people.

On a website all it needs is an official looking statement at the top of the phishing page that says "We are sorry, but our image security is broken just now, please log in as normal while we fix it, thank you." People are used to being told that computer systems are down and they should manage as best they can while they're repaired.

You simply can't regulate for people not willing to think for themselves.

Sensationalist headline...

[spicyjeff]

The SiteKey isn't flawed, the people are.

Re:Sensationalist headline...

[jalefkowit]

The SiteKey isn't flawed, the people are.

People are, by definition, flawed. Any security system that is predicated on this changing sometime soon is broken.

Re:Flawed system or flawed usage?

[jsnipy]

Agree. This could be said about anything where users do not pay attention or bother understanding.

meh - controlled environment?

[hashmap]

1. go to an unusual place,

2. sign an agreement form,

3. follow instructions that say: "Log into your account"

4. you're aware that people are watching you and will analyze what you did

whatever results they get do not prove anything other than:

People placed in a unfamiliar, controlled environment with Harvard scientists ogling at them will not check the security image.

h

Re:meh - controlled environment?

[seanadams.com]

Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all.

It works for me...

[John.P.Jones]

You can lead a horse to water but you can't make them pay attention to security concerns...

The BofA login is helpful to me, I fully expect to see my login token when I login to my account and would not login if I didn't see it. Some people won't pay attention and there isn't ANYTHING that BofA could do to prevent that (that isn't outrageously inconvinient for me.)

SiteKey is not to protect customers

[sexyrexy]

It's to protect Bank of America from liability. If someone's account integrity is compromised due to phishing, the bank's ass is covered - they implemented a two-way authentication, the user just chose to ignore it (after indicating they read and understood the terms and function of the SiteKey)

Study concept seems lacking

[reyalpdemannu]

So they brought 60 people into a room, told them to use their bank account, and then got surprised when they actually did?
I am going to bring 60 people into a room, present food to them and tell them to try it, and then publish a study about how they failed to notice the lack of a Health Department certificate in my building. Then I'm going to write into Slashdot about it.
In my mind, there is a better way to conduct a study about banking security than to bring in 60 people and instruct them that the entire purpose of their visit is to log in to their bank account when they sit down.
But I, for one, welcome our SiteKey overlords.

People are not "Flawed"

[jmagar.com]

Those of you stating that the problem is with the users are somewhat mistaken. At some point we as an industry are going to have to get more professional and stop blaming the users for all of the system problems. Let's take a new approach: include this requirement in your designs: A user may not understand the whole system, much in the way that you don't understand all the inner working of your automobile. A user of the system is not required nor expected to understand how it works.

Now, go forth and design systems that work, instead of blaming your design failure on the user.

Re:People are not "Flawed"

[Jennifer+York]

If you think you know all the inner workings of your car, you must not be an experienced engineer. Do you understand your EFI? The timings, failure modes, economy vs performance... What about your airbag system? At what G does it deploy? Your ABS... what sample rate does it have?, latency for actions?... Dual zone Climate controls? Even something as simple as lights and turn indicators: what controls the rate of the turn signal blink?

My point is that I doubt very much that you understand the inner workings of your car. If you do any work on it, then it is through a procedure manual that includes all the troubleshoot steps for you, and at no point do you really understand the whole system.

Re:People are not "Flawed"

[woztheproblem]

Interesting idea...

Re:Flawed system or flawed usage?

[SNR+monkey]

The website seemed pretty clear to me. Right under the login section is a line that says "Where do I enter my passcode?" Clicking on it reveals the text:

We are changing the way you sign in to Online Banking to better safeguard the privacy and security of your personal information. Previously, you signed in to Online Banking using your Online ID and Passcode. From now on, you'll also use your SiteKey. Here's how this new service will work:
You'll enter your Online ID and click the Sign In button.
On the next page, your SiteKey will then be displayed. If you recognize your SiteKey, you'll know you can safely enter your Passcode. If you don't recognize your SiteKey when you sign in, don't enter your Passcode.
Your personalized SiteKey helps you know for sure that you are at the valid Bank of America site.


NOTE: If you have not yet created your personalized SiteKey, you will be prompted to do so before you can sign in to Online Banking.

I guess it is too long of an explaination. It probably needs to be prefaced with something eyecatching, like big bold text that reads "If you don't read this and fall for a phishing scheme, then you're too stupid to use a computer"

Re:Flawed system or flawed usage?

[UnknowingFool]

Nope, it's clear, but I fear users are oblivious. That's why Vista's annoying security notifications will not be as effective MS would like them to be.

Allow TakeControlComputer.exe to run?

"Yes, quit bothering me. How do I turn that off? Let me google it."

Re:Flawed system or flawed usage?

[Znork]

"If you don't read this..."

Actually, I'd suggest 'if you read this and believe this in any way makes you safe from phising you should take your banking offline'.

This scheme is worthless. Once the user enters his username the bank discloses the picture. There's nothing stopping a phishing site or trojan from immediately using the username to obtain the correct picture and displaying it to the user. IE, the explaining text should say 'if you recognize your SiteKey you still have no idea wether or not it's safe to enter your passcode'.

Whoever thought this up obviously missed a few computer security classes.

"It's the users, not the system!" syndrome

[Brown]

There're a number of comments saying things along the lines of:

..the system itself is not flawed, but the way the users choose to operate on it

Enhanced security measures thwarted by stupid users. More at 11!

The SiteKey isn't flawed, the people are. It's a common error to ascribe problems with usability to 'idiot users'. The real problem is software that's designed for the wrong target group (experts, where it should be everyman) or just badly designed, confusing or poorly explained interfaces. The fact is, this system *has* to be designed to cope with clueless users. If it's only safe for use by people with an IQ over 100, then half the population will be at risk!

Re:Flawed system or flawed usage?

[bjourne]

It was not to hard to guess that that would be the very first response to this article. It is very typical for techies to expect users to use the system as the system was designed. That is not what happens in the real world. The usage of the system is equivalent to the system itself. If the usage of it is flawed, then the system, too, is flawed.

Many systems require you to change your password once a month or more often. Of course, the password must not be based on an English word and must contain both uppercase and lowercase letters and digits. Is it then a user failure when every other user forgets their password? No! It is the system that is faulty.

Therefore Bank of Americas system is faulty, most password based systems are infact faulty. It is not an acceptable excuse to put the burden on the user. It is a cop out. We are techies, we should make stuff work. It is our job.

Lack of explanation, and technically poor.

[raehl]

My bank started doing this. They way I was introduced to it is when I logged in they asked me to select a picture and then pick a label for it. There was no explanation whatsoever.

Now, like most Slashdot readers, I'm a tech guy, but I didn't know what they were trying to do. My GUESS was that they were going to have me enter in the caption each time I logged in as a sort of separate password. It wasn't until I read some news article about it much later that I understood what the point of it was. I can't imagine your average user would have any idea either.

But, lack of explanation aside, the 'solution' is technically useless as well. So when I go to log in you display a picture and I have to not enter my password if my picture doesn't show up. but *ANYONE* trying to log in gets to see that picture. So all you've done is add a little work for the phishing site - when they're pretending to be the bank, they just have to go to BoA's site and start your login process and Bank of America will kindly display the picture that the phishing site needs to show you to make you think the phishing site is legitimate. If anything, this makes the phishing site look *MORE* legitimate. "Well, this site looks fishy, but it's got my photo, so there must not be a problem."

Yahoo has a better system - they show you a captcha you've picked, and they explain what it is, AND they only show it to you if you're logging in from a computer you've registered to see the captcha. Doesn't help you when you're not at your home computer, but works for most people most of the time and is thus an improvement without any drawbacks.

Biased sample?

[ArsenneLupin]

Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all. You may be on to something here. Maybe most people who they did ask refused to participate... phearing that the entire experiment might be a setup trying to get at their banking passwords.

The few that did participate where either excessively trusting or clueless, making them more likely to not worry about the missing image either.

In a word, they used a biased sample.

Re:Flawed system or flawed usage?

[Tom]

Rule #1 of user interface design: The user is always right. If he does something wrong, thank him for pointing out a flaw in your interface.

Re:Flawed system or flawed usage?

[the+phantom]

It was not to hard to guess that that would be the very first response to this article. It is very typical for doctors to expect patients to use medicines as medicines were designed. That is not what happens in the real world. The usage of the system is equivalent to the medicine itself. If the usage of it is flawed, then the medicine, too, is flawed.

Many medicines require you to refill your prescription once a month or more often. Of course, the prescription must be refilled by a trained and licensed pharmacist. Is it then a patient failure when every other patient forgets to refill their prescription? No! It is the medicine that is faulty.

Therefore, the medical system is faulty, most prescription based systems are, in fact, faulty. It is not an acceptable excuse to put the burden on the patient. It is a cop out. We are doctors, we should make stuff work. It is our job.

If a patient abuses a drug, or refuses to take the full course of drugs (in, say, a case of TB), is that the doctor's fault? There is only so much that a professional can do to mitigate against the stupidity of an end user. Perhaps password authentication is flawed, but I don't see you proposing a better solution. Perhaps BofA's system is fundamentally flawed, but I don't see you offering anything else. Regardless, at some point it is up to the user to protect their own interests by not taking 30 sleeping pills at a time, or giving out their passwords to other people.

Re:Flawed system or flawed usage?

[tha_mink]

As someone involved in implementing e-commerce websites, numerous user focus groups and usability analysis sessions indicate that people just wouldn't read the information even if you did bother to provide it, and moreoever they'd see it as off-putting and a detriment to using the site

I couldn't agree more. People don't read. After our focus groups preceeding a recent launch, it was explained to me by a marketing fellow that we needed to explain a process and provide instructions for something that was already explained - in plain view.
The Marketing Guy: We need to provide instructions about >
Me: You mean THESE instructions (pointing to the paragraph clearly notated "Instructions")
The Marketing Guy: Hrm...maybe we should make that in all red.

It's a common problem with website users in general. They don't read. They just look for things in red, or pictures to click, or forms to fill in and rely on the system to catch mistakes for them and warn them.

That's not going to change anytime soon. Maybe a better approach to the problem would be for BOFA to make a random phishing attempt on their customers and when fooled, the customer would get the ole'

The system encountered an error, when you entered your FUCKING BANKING PASSWORD INTO A NON BOFA site. Please come back when you're not a complete dolt.

What else can they do?

Re:Flawed system or flawed usage?

[Dahan]

This scheme is worthless. Once the user enters his username the bank discloses the picture. There's nothing stopping a phishing site or trojan from immediately using the username to obtain the correct picture and displaying it to the user. IE, the explaining text should say 'if you recognize your SiteKey you still have no idea wether or not it's safe to enter your passcode'.

Whoever thought this up obviously missed a few computer security classes. No, if the user enters his username, but doesn't also supply a cookie (tied to the sitekey.bankofamerica.com domain), it will not disclose the picture, but instead require you to supply the state your account was opened in. If you get that right, it will then ask you a question that's supposed to confirm your identity ("What's the name of your first pet", "Where did your parents get married?"--that type of thing). When you set up your account, you supply the answer to three of those questions, and the system will pick one of them to challenge you with if your the cookie isn't supplied.

Re:Flawed system or flawed usage?

[bitslinger_42]

We are techies, we should make this stuff work. It is our job. While an admirable sentiment, it misses the point completely. The problem here isn't really whether passwords are good or bad. The problem really isn't even whether users are stupid or not. The problem is that the vast majority of the population do not know, nor do they care, about computer security (or physical security, for that matter). Users have been conditioned to know that their money is protected when dealing with big banks. My savings deposits are insured by FDIC. Credit card companies cover most, if not all, of the expenses from credit card fraud. If a user has no personal risk, then any amount of effort is too much to protect the asset. There is no technical solution to this problem: I cannot write a program to make all the users care, and I cannot compensate for blatant stupidity. The best that techies can do is what SiteKey does: decrease the risk to the people who care. With relatively low up-front costs, it would appear that SiteKey has decreased BoA's loss potential by 3%. Not perfect, sure, but better than not doing it. When dealing with employees, rather than customers, making the users care is simple: If you're too stupid to pass this test, you're too stupid to remain employed.

Re:Flawed system or flawed usage?

[russ1337]

"Did you read the paper?" -- Yes.

"The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness."

Exactly. That is my point, the people knew_they_were_part_of_a_study, and may have reacted differently to how they would normally.

I recall reading about a study (here on /. I think) where people were required to inflict pain on another person whom they could hear in the other room, when that person did not achieve what was required. It was determined that because the person knew they were part of a study/experiment, they would inflict far more pain than they would normally - especially when told 'continue' by the program supervisor. Even after the 'actor' in the other room was in extreme pain, and exhibiting the audible characteristics of dying.

Re:Flawed system or flawed usage?

I hope you realize that all those security questions don't make anything more secure either. In fact, I am of the opinion that they make things LESS secure, and they certainly make things less convenient for me.
Think about it. If I answer the questions truthfully, then a determined attacker would most likely be able to find out the answer to them through some means or another. If i answer the questions untruthfully then I now have to essentially remember 5 different passwords. Doable for one site, but the difficulty rises quickly if I have more than one site like this.
Never mind the fact that answers to the questions don't have to be of the same strength as a Password. (eg. I can answer with only 4 letters but a password would have to have 8 letters and 1 number or something)
I think its good that banks want to make their sites secure, but they way the have gone about it lately has started to get to me. It hasn't made anything more secure (I feel less secure) but it has made it much more difficult for me to get to my own information.

I agree

[metamatic]

It seems likely to me that most people thought "Hmm, this page is suspicious", but that the obedience to authority (OTA) principles Milgram demonstrated made them go ahead and log in anyway.

It's not clear to me how you could fix the experiment to avoid OTA behavior overriding and destroying your actual data.

Re:Inherent flaw in studies of this type:

[Ungrounded+Lightning]

They conducted a study in which people were asked to access their own bank accounts on computers and networks controlled by the experimenters (where they could then hack the site presentation and record the subjects' actions).

Nobody with a CLUE about online security would participate in such a study.

As for the two groups who were not using accounts set up for the purpose: They would be unfamiliar with the account settings, have no personal stake in the results, and could be expected to try to bull through anything seen as a "bug" in order to perform the assigned task.

Unless explicitly informed that this was a test of the security features and that refusing to log in if suspicious was an option they would be expected to breeze past the login to get to the meat of the transaction - even if they wouldn't do so if this were their own account in their own normal life. Yet such an instruction would alert them at login time, biasing the test in another fashion. (Meanwhile, "behave securely" doesn't cut it for such a notice. Indeed, it would give them more to distract them during the experiment.)