Slashdot Mirror


Study Finds Bank of America SiteKey is Flawed

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they login, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled 'The Emperor's New Security Indicators', is available online."

4 of 335 comments

  1. Flawed system or flawed usage? by stillachild · Score: 5, Interesting

    Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.

    1. Re:Flawed system or flawed usage? by russ1337 · Score: 5, Interesting

      > "In my experience with the technology, websites do not adequately explain what it is you're doing and why"

      I'm a B of A customer, and I thought it was made pretty clear about how the sitekey worked - so did my wife (as non-technical as she is). If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

      Also, I don't think I'd be logging into my BofA account on someone's strange computer that was 'set-up' for me... fear of keyloggers and all that.

    2. Re:Flawed system or flawed usage? by delinear · Score: 3, Interesting

      In my experience with the technology, websites do not adequately explain what it is you're doing and why.

      The fault here doesn't lie just with the websites. As someone involved in implementing e-commerce websites, numerous user focus groups and usability analysis sessions indicate that people just wouldn't read the information even if you did bother to provide it, and moreover they'd see it as off-putting and a detriment to using the site (I'm talking about the majority of users here, by the way, but it's not something limited to technical know-how either, as many tech-savvy folk believe they don't need to read the instructions and just wade in).

      There is no easy answer here other than keeping the whole thing as simple as possible and incrementally adding measures which are as intuitive as possible until users become aware of and used to them, then adding more.

  2. Re:Newflash! by Tom · Score: 4, Interesting

    The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority. Nonsense. We ask people to do things we can't expect them to - understand networking security. What we instead should do - and have been failing to for years - is build systems that are actually useable by human beings with little or no special computer knowledge. Or, if that is impossible (and the proof for that is still out!), insist on basic training as a prerequisite for letting people go online, much like a driving license.

    Why is SSL accepted and widespread and PGP isn't? Because PGP requires people to deal with things they don't understand like fingerprints, keylengths and all that other technical stuff. SSL doesn't. If there's a yellow lock icon in the status bar, everything is good, otherwise something is wrong. That's the level that normal people deal with and it's not a fault of them.

    You and I are the same, in areas we didn't study. What would you think if your doctor required you to understand every medical detail of that operation you need before he does it? You trust him to know his shit, that's what you pay him for, right?

    It's time we earn our pay.

    And I speak as a professional security guy. "User education" has failed because we tried to bring users to a high level of technical knowledge, instead of bringing the technical knowledge required down to their level.
    --
    Assorted stuff I do sometimes: Lemuria.org