Study Finds Bank of America SiteKey is Flawed

← Back to Stories (view on slashdot.org)

Study Finds Bank of America SiteKey is Flawed

Posted by Hemos on Monday February 5, 2007 @03:49AM from the trying-something-new dept.

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at prevent phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they login, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."

24 of 335 comments (clear)

Min score:

Reason:

Sort:

Flawed system or flawed usage? by stillachild · 2007-02-05 03:53 · Score: 5, Interesting

Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.
1. Re:Flawed system or flawed usage? by UnknowingFool · 2007-02-05 04:14 · Score: 4, Insightful
  
  Nope, it's clear, but I fear users are oblivious. That's why Vista's annoying security notifications will not be as effective MS would like them to be.
  
  Allow TakeControlComputer.exe to run?
  
  "Yes, quit bothering me. How do I turn that off? Let me google it."
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
2. Re:Flawed system or flawed usage? by russ1337 · 2007-02-05 04:19 · Score: 5, Interesting
  
  >>>"In my experience with the technology, websites do not adequately explain what it is you're doing and why"
  
  I'm a B of A customer, and I thought it was made pretty clear about how the sitekey worked - so did my wife (as non-technical as she is). If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)
  
  Also, I don't think I'd be logging into my BofA account on someones strange computer that was 'set-up' for me... fear of keyloggers and all that.
3. Re:Flawed system or flawed usage? by Znork · 2007-02-05 04:22 · Score: 4, Insightful
  
  "If you don't read this..."
  
  Actually, I'd suggest 'if you read this and believe this in any way makes you safe from phising you should take your banking offline'.
  
  This scheme is worthless. Once the user enters his username the bank discloses the picture. There's nothing stopping a phishing site or trojan from immediately using the username to obtain the correct picture and displaying it to the user. IE, the explaining text should say 'if you recognize your SiteKey you still have no idea wether or not it's safe to enter your passcode'.
  
  Whoever thought this up obviously missed a few computer security classes.
4. Re:Flawed system or flawed usage? by bjourne · 2007-02-05 04:23 · Score: 5, Insightful
  
  It was not to hard to guess that that would be the very first response to this article. It is very typical for techies to expect users to use the system as the system was designed. That is not what happens in the real world. The usage of the system is equivalent to the system itself. If the usage of it is flawed, then the system, too, is flawed.
  
  Many systems require you to change your password once a month or more often. Of course, the password must not be based on an English word and must contain both uppercase and lowercase letters and digits. Is it then a user failure when every other user forgets their password? No! It is the system that is faulty.
  
  Therefore Bank of Americas system is faulty, most password based systems are infact faulty. It is not an acceptable excuse to put the burden on the user. It is a cop out. We are techies, we should make stuff work. It is our job.
  
  --
  Football Odds
5. Re:Flawed system or flawed usage? by Tom · 2007-02-05 04:36 · Score: 5, Insightful
  
  Rule #1 of user interface design: The user is always right. If he does something wrong, thank him for pointing out a flaw in your interface.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
6. Re:Flawed system or flawed usage? by delinear · 2007-02-05 04:36 · Score: 3, Interesting
  
  In my experience with the technology, websites do not adequately explain what it is you're doing and why.
  
  The fault here doesn't lie just with the websites. As someone involved in implementing e-commerce websites, numerous user focus groups and usability analysis sessions indicate that people just wouldn't read the information even if you did bother to provide it, and moreoever they'd see it as off-putting and a detriment to using the site (I'm talking about the majority of users here, by the way, but it's not something limited to technical know-how either as many tech-savvy folk believe they don't need to read the instructions and just wade in).
  
  There is no easy answer here other than keeping the whole thing as simple as possible and incrementally adding measures which are as intuitive as possible until users become aware of and used to them, then adding more.
7. Re:Flawed system or flawed usage? by monkeydo · 2007-02-05 04:40 · Score: 4, Informative
  
  If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)
  
  Did you read the paper? The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness. This group did just as badly as the others.
  
  --
  Si vis pacem, para bellum
  The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
8. Re:Flawed system or flawed usage? by thebigbluecheez · 2007-02-05 05:17 · Score: 5, Informative
  
  As a Bank of America customer, I have to tell you that you're not entirely correct here.
  
  If I log in from a new computer (or clear cookies on my own), I have to add that computer to the safe list. That is, I have to get a new cookie.
  
  In order to authorize a new computer, I have to answer one of three preselected security questions. These questions include:
  What is your maternal grandmother's first name?
  What is your maternal grandfather's first name?
  In what city where you born?
  What was the name of your first pet?
  and 5 more that I don't care to take the time to count.
  
  After this authorization takes place, my sitekey is displayed, allowing me to verify the authenticity of the site.
  
  That's not to say it's foolproof, but it isn't quite as simple as you make it out to be.
  
  What really makes it fun is when my mom's cookies get cleared, and she can't recall the answers to her questions. /missed the aforementioned security classes //not an expert, just a user.
  
  --
  I like your Macs, but I don't like your Mac users. (with apologies to Gandhi)
9. Re:Flawed system or flawed usage? by russ1337 · 2007-02-05 05:40 · Score: 3, Insightful
  
  "Did you read the paper?" -- Yes.
  
  "The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness."
  
  Exactly. That is my point, the people knew_they_were_part_of_a_study, and may have reacted differently to how they would normally.
  
  I recall reading about a study (here on /. I think) where people were required to inflict pain on another person whom they could hear in the other room, when that person did not achieve what was required. It was determined that because the person knew they were part of a study/experiment, they would inflict far more pain than they would normally - especially when told 'continue' by the program supervisor. Even after the 'actor' in the other room was in extreme pain, and exhibiting the audible characteristics of dying.
10. Re:Flawed system or flawed usage? by Anonymous Coward · 2007-02-05 06:01 · Score: 3, Insightful
  
  I hope you realize that all those security questions don't make anything more secure either. In fact, I am of the opinion that they make things LESS secure, and they certainly make things less convenient for me.
  Think about it. If I answer the questions truthfully, then a determined attacker would most likely be able to find out the answer to them through some means or another. If i answer the questions untruthfully then I now have to essentially remember 5 different passwords. Doable for one site, but the difficulty rises quickly if I have more than one site like this.
  Never mind the fact that answers to the questions don't have to be of the same strength as a Password. (eg. I can answer with only 4 letters but a password would have to have 8 letters and 1 number or something)
  I think its good that banks want to make their sites secure, but they way the have gone about it lately has started to get to me. It hasn't made anything more secure (I feel less secure) but it has made it much more difficult for me to get to my own information.
This could be solved... by Gnissem · 2007-02-05 03:53 · Score: 5, Insightful

If BofA periodically did not show the image and then warned the user they had made a mistake by entering their password, users would soon be trained to look for the image. Setting up a security system once and then not reinforcing it periodically so that users take it seriously is the probelm.
Newflash! by SNR+monkey · 2007-02-05 03:54 · Score: 4, Insightful

Enhanced security measures thwarted by stupid users. More at 11!

It seems like most security systems based on users not being idiots are doomed to fail. Phishing attacks work because people don't follow normal security procedures, making the authentication process longer/more involved for the user seems to be an inherently flawed idea because it trusts the user to know what is best for him/her.
1. Re:Newflash! by gsslay · 2007-02-05 04:07 · Score: 4, Insightful
  
  The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority. Here it was the people who led them into the room and stood about with clipboards. People are used to being told what to do by other officious looking people.
  
  On a website all it needs is an official looking statement at the top of the phishing page that says "We are sorry, but our image security is broken just now, please log in as normal while we fix it, thank you." People are used to being told that computer systems are down and they should manage as best they can while they're repaired.
  
  You simply can't regulate for people not willing to think for themselves.
2. Re:Newflash! by Tom · 2007-02-05 04:33 · Score: 4, Interesting
  
  The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority. Nonsense. We ask people to do things we can't expect them to - understand networking security. What we instead should do - and have been failing to for years - is build systems that are actually useable by human beings with little or no special computer knowledge. Or, if that is impossible (and the proof for that is still out!), insist on basic training as a prerequisite for letting people go online, much like a driving license.
  
  Why is SSL accepted and widespread and PGP isn't? Because PGP requires people to deal with things they don't understand like fingerprints, keylengths and all that other technical stuff. SSL doesn't. If there's a yellow lock icon in the status bar, everything is good, otherwise something is wrong. That's the level that normal people deal with and it's not a fault of them.
  
  You and I are the same, in areas we didn't study. What would you think if your doctor required you to understand every medical detail of that operation you need before he does it? You trust him to know his shit, that's what you pay him for, right?
  
  It's time we earn our pay.
  
  And I speak as a professional security guy. "User education" has failed because we tried to bring users to a high level of technical knowledge, instead of bringing the technical knowledge required down to their level.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
meh - controlled environment? by hashmap · 2007-02-05 03:55 · Score: 5, Insightful

1. go to an unusual place,

2. sign an agreement form,

3. follow instructions that say: "Log into your account"

4. you're aware that people are watching you and will analyze what you did

whatever results they get do not prove anything other than:

People placed in a unfamiliar, controlled environment with Harvard scientists ogling at them will not check the security image.

h
It works for me... by John.P.Jones · 2007-02-05 03:56 · Score: 3, Insightful

You can lead a horse to water but you can't make them pay attention to security concerns...

The BofA login is helpful to me, I fully expect to see my login token when I login to my account and would not login if I didn't see it. Some people won't pay attention and there isn't ANYTHING that BofA could do to prevent that (that isn't outrageously inconvinient for me.)
SiteKey is not to protect customers by sexyrexy · 2007-02-05 03:57 · Score: 4, Insightful

It's to protect Bank of America from liability. If someone's account integrity is compromised due to phishing, the bank's ass is covered - they implemented a two-way authentication, the user just chose to ignore it (after indicating they read and understood the terms and function of the SiteKey)

--

Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
People are not "Flawed" by jmagar.com · 2007-02-05 03:59 · Score: 4, Insightful

Those of you stating that the problem is with the users are somewhat mistaken. At some point we as an industry are going to have to get more professional and stop blaming the users for all of the system problems. Let's take a new approach: include this requirement in your designs: A user may not understand the whole system, much in the way that you don't understand all the inner working of your automobile. A user of the system is not required nor expected to understand how it works.
Now, go forth and design systems that work, instead of blaming your design failure on the user.

--
www.jmagar.com
-
The Real Question is... by Expertus · 2007-02-05 04:04 · Score: 4, Informative

when will these 'researches' be arrested for pointing out flaws in a security system.
Re:Sensationalist headline... by jalefkowit · 2007-02-05 04:16 · Score: 5, Insightful

The SiteKey isn't flawed, the people are.

People are, by definition, flawed. Any security system that is predicated on this changing sometime soon is broken.

--
Read my blog.
The system is actually technically flawed by jyoull · 2007-02-05 04:16 · Score: 4, Informative

Discussion and links to papers here:

http://bbaadd.com/blog/2006/08/security-why-siteke y-cant-save-you.html

This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been greatly simplified, and some new material is presented. Readers seeking more depth of coverage should consult the original paper, available at the above URL.

Although this report discusses SiteKey at Bank of America Corporation, the general risks discussed here apply to all SiteKey sites including ING Direct and Vanguard.com, and they apply even more generally to any security method that relies solely on server-side interventions to detect and stop online fraud.
"It's the users, not the system!" syndrome by Brown · 2007-02-05 04:23 · Score: 4, Insightful

There're a number of comments saying things along the lines of:

..the system itself is not flawed, but the way the users choose to operate on it
Enhanced security measures thwarted by stupid users. More at 11!
The SiteKey isn't flawed, the people are. It's a common error to ascribe problems with usability to 'idiot users'. The real problem is software that's designed for the wrong target group (experts, where it should be everyman) or just badly designed, confusing or poorly explained interfaces. The fact is, this system *has* to be designed to cope with clueless users. If it's only safe for use by people with an IQ over 100, then half the population will be at risk!
Biased sample? by ArsenneLupin · 2007-02-05 04:34 · Score: 5, Insightful

Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all. You may be on to something here. Maybe most people who they did ask refused to participate... phearing that the entire experiment might be a setup trying to get at their banking passwords.
The few that did participate where either excessively trusting or clueless, making them more likely to not worry about the missing image either.
In a word, they used a biased sample.