Slashdot Mirror


Study Finds Bank of America SiteKey is Flawed

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they login, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."

11 of 335 comments

  1. Flawed system or flawed usage? by stillachild · · Score: 5, Interesting

    Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.

    1. Re:Flawed system or flawed usage? by pyite · · Score: 2, Interesting

      In my experience with the technology, websites do not adequately explain what it is you're doing and why. I have what is probably an above average information security background and I found myself confused at points. It's a stupid idea only further hampered by the fact that it's not explained well, all because the banks are too cheap to give people one time password tokens. While OTP tokens don't eliminate problems, they are a lot more useful than random images displaying. In addition, in the case of SecurID, they're tied to time and would be of limited use for phishing attacks.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    2. Re:Flawed system or flawed usage? by russ1337 · · Score: 5, Interesting

      >>>"In my experience with the technology, websites do not adequately explain what it is you're doing and why"

      I'm a B of A customer, and I thought it was made pretty clear about how the sitekey worked - so did my wife (as non-technical as she is). If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

      Also, I don't think I'd be logging into my BofA account on someone's strange computer that was 'set-up' for me... fear of keyloggers and all that.

    3. Re:Flawed system or flawed usage? by delinear · · Score: 3, Interesting

      In my experience with the technology, websites do not adequately explain what it is you're doing and why.

      The fault here doesn't lie just with the websites. As someone involved in implementing e-commerce websites, I've seen numerous user focus groups and usability analysis sessions indicate that people just wouldn't read the information even if you did bother to provide it, and moreover they'd see it as off-putting and a detriment to using the site (I'm talking about the majority of users here, by the way, but it's not something limited to technical know-how either, as many tech-savvy folk believe they don't need to read the instructions and just wade in).

      There is no easy answer here other than keeping the whole thing as simple as possible and incrementally adding measures which are as intuitive as possible until users become aware of and used to them, then adding more.

    4. Re:Flawed system or flawed usage? by Uncle+Rummy · · Score: 2, Interesting

      I remember an internal site I worked on a while back in which we pursued an escalating series of changes to get the users to read important instructions. First, the key bits were bolded. Next, we increased the font size. Then we changed the color to red. After that, we added a modal popup (has to be closed before the user can proceed). Then we gave up. Most users simply don't read. Anything.

    5. Re:Flawed system or flawed usage? by Znork · · Score: 2, Interesting

      "If you have not saved your userid (and thus have to enter it, as you would at a phishing site)"

      Unfortunately, that still doesn't help much; a trojan would have access to the cookie, and the phishing site could forward the security questions, faking lost or expired cookies (if it didn't just use cross-site scripting exploits to get it).

      "If you can come up with something better, I'm all ears."

      Well, it isn't easy to make the system foolproof, that's for sure. In a worst-case scenario (which is altogether far too common these days) you can assume that the user has been trojaned, and the sources and destinations of any packet are suspect. You can't be sure what the bank is sending is what the user is seeing. You can't be sure that what the user types is what goes to the bank, and not what the trojan converts it to.

      The only method I can think of that would make online banking secure even in that situation involves having an external device which can calculate a cryptographically secure checksum for a particular transaction which you'd have to enter for the bank to validate the transaction (and which would only be valid for those amounts and those accounts at this time), but that would be a pain (as you'd have to manually enter the relevant data into the external device too).

      Basically it's a tough problem, but I get really annoyed when banks and others (certificates are a good example) try to sell a false sense of security. Either accept some things just aren't secure, and allow people to deal with that (by checking their statements, running their virus scanners, etc), or implement more secure methods. I can understand the motivation, they want to fire all their tellers and don't want people to object to online banking for security reasons, but they simply have to make a choice here; if you can't make/afford a truly secure system, then use the savings to reimburse the customers who got cleaned out.
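An added example, not code from this thread or from any bank, of the kind of external transaction-signing device Znork describes above: the device computes an HMAC over a bank-issued challenge, the amount and the destination account, truncated to a short code the user types into the (possibly trojaned) browser. The bank recomputes the code over the transaction it actually received, so a trojan that rewrites the destination in transit produces a code that fails to verify, and each challenge is single-use so a captured code cannot be replayed. The key, challenge format, code length, field encoding and sample transfers are all assumptions made for the example.

```python
"""Added example, not code from the thread or from any bank: a transaction
authentication code in the spirit of the external device Znork describes,
computed offline over the amount and destination and valid for one bank-issued
challenge only. The key, challenge format, code length and sample transfers
are all assumptions."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # assumed: short enough for a user to copy from a device display


def _encode(parts):
    """Length-prefix each field so amount/account boundaries cannot be shifted."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def transaction_code(key: bytes, challenge: str, amount_cents: int, dest_account: str) -> str:
    """What the offline device shows after the user keys in the challenge,
    amount and destination. The HMAC is truncated HOTP-style (RFC 4226,
    section 5.3) to CODE_DIGITS decimal digits."""
    msg = _encode([challenge.encode(), str(amount_cents).encode(), dest_account.encode()])
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Bank:
    """Bank side: issues single-use challenges and validates the code against
    the transaction it actually received, not the one the user thought they sent."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = set()

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(4)  # 8 hex chars the user types into the device
        self._pending.add(challenge)
        return challenge

    def submit(self, challenge: str, amount_cents: int, dest_account: str, code: str) -> bool:
        # One attempt per challenge: blocks replay and online guessing of the digits.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = transaction_code(self._key, challenge, amount_cents, dest_account)
        return hmac.compare_digest(expected, code)


def demo():
    """Constructed scenario: the user's PC is assumed trojaned and may rewrite
    what is sent to the bank; the device is not."""
    key = b"per-customer device key (constructed)"
    bank = Bank(key)

    # Honest path: the device code matches what the bank receives.
    c1 = bank.issue_challenge()
    code = transaction_code(key, c1, 10_000, "1234567890")
    honest = bank.submit(c1, 10_000, "1234567890", code)

    # Trojan path: the user keyed 100.00 to 1234567890 into the device, but the
    # trojan rewrites the destination in the browser before it reaches the bank.
    c2 = bank.issue_challenge()
    code = transaction_code(key, c2, 10_000, "1234567890")
    tampered = bank.submit(c2, 10_000, "9999999999", code)

    # Replay: resubmitting an already-used challenge with its valid code.
    replayed = bank.submit(c1, 10_000, "1234567890",
                           transaction_code(key, c1, 10_000, "1234567890"))
    return {"honest": honest, "tampered": tampered, "replayed": replayed}
```

The point of covering the challenge, amount and destination together is that the device signs the transaction the user intends, while the bank verifies the transaction it received; anything a trojan changes between the two breaks the match. The usability cost Znork notes is real: the user has to key the challenge, amount and account into the device by hand.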

  2. SiteKey Explanation insufficient. by Marc_Hawke · · Score: 2, Interesting

    The problem is that it wasn't introduced well.

    If someone is already familiar with the concept, then it makes sense. However, for most people, the explanation was an annoyance and a confusion one time when they logged in, and the rest of the time it's just an extra click before they can enter their password.

    I have two banks that use that scheme for authentication. On both of them, one day they just popped up a picture and said, "what is this picture?" So you make a guess as to what is shown in the picture, and hope you guessed right.

    On subsequent logins, they fill in your guess for you, so it seems ridiculous that they are asking what that picture is every time.

    Since the explanation was lost on most users, it's not surprising that they don't care that it's different.

    In fact, if you just make a site that popped up a random picture and asked them to name it, I'd expect everyone would fall for it.

    This isn't about customers being lazy or stupid (well, not always). It's about the SiteKey deployment being inadequate and there being insufficient explanation for something that customers have never heard of before.

    --
    --Welcome to the Realm of the Hawke--
  3. Re:Newsflash! by Tom · · Score: 4, Interesting

    The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority. Nonsense. We ask people to do things we can't expect them to - understand networking security. What we instead should do - and have been failing to for years - is build systems that are actually usable by human beings with little or no special computer knowledge. Or, if that is impossible (and the proof for that is still out!), insist on basic training as a prerequisite for letting people go online, much like a driving license.

    Why is SSL accepted and widespread and PGP isn't? Because PGP requires people to deal with things they don't understand like fingerprints, keylengths and all that other technical stuff. SSL doesn't. If there's a yellow lock icon in the status bar, everything is good, otherwise something is wrong. That's the level that normal people deal with and it's not a fault of them.

    You and I are the same, in areas we didn't study. What would you think if your doctor required you to understand every medical detail of that operation you need before he does it? You trust him to know his shit, that's what you pay him for, right?

    It's time we earn our pay.

    And I speak as a professional security guy. "User education" has failed because we tried to bring users to a high level of technical knowledge, instead of bringing the technical knowledge required down to their level.
    --
    Assorted stuff I do sometimes: Lemuria.org
  4. Re:As a BOA customer... by Rodness · · Score: 2, Interesting

    I wholeheartedly agree. I am also a BofA customer, and while I have enjoyed a great banking experience with them, the SiteKey thing managed to piss me off. A year ago when they rolled out this crap and I was forced to sign up for it, I ranted on my blog about it. Here's an excerpt:

    Bank of America has unrolled this stupid SiteKey thing, which just doesn't benefit the consumer much. It seems to be a way for them to have more plausible deniability without actually taking on any responsibility.

    The idea is that you choose a little picture for your account, and the website saves a cookie on your computer. If you try to log into your bank account, and your browser has a valid cookie, the website will show your SiteKey picture.

    If you recognize your SiteKey, you'll know for sure that you are at the valid Bank of America site. Confirming your SiteKey is also how you'll know that it's safe to enter your Passcode and click the Sign In button.

    If you don't have a cookie then you're prompted with personal challenge questions that you have to answer in order to see your SiteKey picture. At that point if the right SiteKey picture shows up, you "know it's safe" to enter your actual password.

    If I connect from a new computer, I basically have to enter a challenge response (password) before I can enter my password. It's simply a way for the bank to prove that they're the legitimate site, and that I'm not being phished. It doesn't actually authenticate me to the bank in any stronger way, since if an attacker knew the challenge answers and my password, he can still log in as me from anywhere. Granted, now he has to know more information, but it doesn't put it outside the realm of possibility. There will still be idiots who get phished and happily input their challenge, ignore the bogus SiteKey, provide their real password, and then find out all their money has been harvested away.

    What really bothers me about it is that they're making it look like they care about security, but this is just another way for them to force the vigilance onto the consumers while providing themselves more loopholes to escape liability. It's another hoop that the consumer has to jump through, but it doesn't increase the responsibility on the bank's side of things. We need our government to make the financial institutions liable when their systems are exploited, instead of allowing them to blame the consumers, many of whom just aren't geeks and simply don't know any better. When it's an economic problem for the banks, then it will matter to them.
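An added example, not code from this thread or from Bank of America, that models the SiteKey flow as Rodness describes it (device cookie gets the image at once; no cookie means challenge questions first, then the image, then the passcode) and shows why, as both Rodness and Znork note, it authenticates the bank only against a phishing page that cannot talk to the bank: a fake page that forwards the user's answers to the real site in real time gets the real image back. The account, question, answer, passcode, image names and cookie format are all constructed for the example.

```python
"""Added example, not code from the thread or from Bank of America: a toy model
of the SiteKey flow as Rodness describes it (device cookie -> image; no cookie ->
challenge question -> image -> passcode) and of the relaying phishing site Znork
mentions, which forwards the challenge to the real bank. The account, question,
answer, passcode and cookie format are constructed."""
import secrets


class BankSite:
    """Simplified server side of the flow (an assumption, not the real implementation)."""

    def __init__(self):
        self.accounts = {
            "alice": {
                "image": "red_barn.jpg",
                "question": "What was your first pet's name?",
                "answer": "rex",
                "passcode": "correct-horse",
                "devices": set(),  # cookies of computers that have passed the challenge
            }
        }

    def start_login(self, userid, device_cookie=None):
        """Step 1: the userid arrives. A known cookie gets the image at once;
        otherwise the bank asks a challenge question."""
        acct = self.accounts[userid]
        if device_cookie in acct["devices"]:
            return {"image": acct["image"]}
        return {"question": acct["question"]}

    def answer_challenge(self, userid, answer):
        """Step 2: a correct answer returns the image plus a fresh device cookie.
        The bank cannot tell which computer, or whose page, is asking."""
        acct = self.accounts[userid]
        if answer.strip().lower() != acct["answer"]:
            return None
        cookie = secrets.token_hex(16)
        acct["devices"].add(cookie)
        return {"image": acct["image"], "cookie": cookie}

    def sign_in(self, userid, passcode):
        """Step 3: the actual authentication; SiteKey adds nothing to it."""
        return passcode == self.accounts[userid]["passcode"]


class CarefulUser:
    """Behaves like the 2 of 60 participants: refuses to type the passcode
    unless the image shown is the one they chose."""

    def __init__(self, userid, chosen_image, answer, passcode):
        self.userid, self.chosen_image = userid, chosen_image
        self.answer, self.passcode = answer, passcode

    def answer_question(self, question):
        return self.answer  # typed into whatever page asked the question

    def will_enter_passcode(self, image_shown):
        return image_shown == self.chosen_image


def guessing_phisher(user):
    """Fake page with no access to the bank: it has to show some image and hope."""
    return user.will_enter_passcode("random_kitten.jpg")


class RelayPhisher:
    """Fake page that relays each step to the real bank as the user goes."""

    def __init__(self, bank):
        self.bank = bank
        self.harvested = {}

    def serve(self, user):
        step1 = self.bank.start_login(user.userid)  # phisher has no cookie -> question
        answer = user.answer_question(step1["question"])  # user answers on the fake page
        step2 = self.bank.answer_challenge(user.userid, answer)
        self.harvested.update(answer=answer, cookie=step2["cookie"])
        if not user.will_enter_passcode(step2["image"]):  # this is the real image
            return False
        self.harvested["passcode"] = user.passcode
        return self.bank.sign_in(user.userid, self.harvested["passcode"])


def demo():
    bank = BankSite()
    alice = CarefulUser("alice", "red_barn.jpg", "Rex", "correct-horse")
    relay = RelayPhisher(bank)
    return {
        "guessing_phisher_gets_passcode": guessing_phisher(alice),
        "relay_phisher_gets_passcode": relay.serve(alice),
        "relay_device_now_trusted": "image" in bank.start_login("alice", relay.harvested["cookie"]),
    }
```

The image only tells the user that whoever is talking to the bank knew the challenge answers, and the user has just handed those answers to the page in front of them; it says nothing about which page that is. After the relay the attacker also holds a device cookie the bank trusts, so later logins from the attacker's machine skip the challenge entirely.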

  5. The site key is not in itself flawed... by angelwalkwithme · · Score: 2, Interesting

    The site key is not a bad idea for those users who actually use it, but yes most people aren't paying attention. But I think it really ignores the more obvious solution. This is to frequently remind users to NEVER CLICK A LINK THROUGH E-MAIL. Type the website into your browser every time and you will never have this problem. I would put this scam in the same category as phone fraud phishing; most people know that you're not supposed to give your SSN or Bank Numbers when somebody calls you. This should raise suspicion immediately. I think the same approach for the internet is the best that we can hope for. Educate, educate, educate.

  6. Re:This could be solved... by Anonymous Coward · · Score: 1, Interesting

    "If BofA periodically did not show the image and then warned the user they had made a mistake by entering their password, users would soon be trained to look for the image. Setting up a security system once and then not reinforcing it periodically so that users take it seriously is the problem."

    how does this kind of bad idea get modded insightful?

    this would cause mass customer confusion - and when you have millions of people confused, the cause is not "insightful."

    the obvious solution here is to add an extra step...

    Click here if you see the appropriate security image THEN, AND ONLY THEN, give the user the opportunity to enter their password. Of course, you give the user an 800 number just in case they don't see their image.

    Yes, it is an extra click for the user, but "cheap security" just doesn't exist in some cases.

    the problem here is COMBINING the picture recognition AND the password entry - it is too easy to ignore the picture recognition due to the habit of entering the password in the same step.

    the solution is to separate the steps - put them in series, don't put them in parallel.