Slashdot Mirror


Study Finds Bank of America SiteKey is Flawed

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they log in, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled 'The Emperor's New Security Indicators', is available online."

9 of 335 comments

  1. Flawed system or flawed usage? by stillachild · · Score: 5, Interesting

    Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.

    1. Re:Flawed system or flawed usage? by russ1337 · · Score: 5, Interesting

      >>>"In my experience with the technology, websites do not adequately explain what it is you're doing and why"

      I'm a B of A customer, and I thought it was made pretty clear about how the sitekey worked - so did my wife (as non-technical as she is). If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

      Also, I don't think I'd be logging into my BofA account on someone's strange computer that was 'set up' for me... fear of keyloggers and all that.

    2. Re:Flawed system or flawed usage? by bjourne · · Score: 5, Insightful

      It was not too hard to guess that that would be the very first response to this article. It is very typical for techies to expect users to use the system as the system was designed. That is not what happens in the real world. The usage of the system is equivalent to the system itself. If the usage of it is flawed, then the system, too, is flawed.

      Many systems require you to change your password once a month or more often. Of course, the password must not be based on an English word and must contain both uppercase and lowercase letters and digits. Is it then a user failure when every other user forgets their password? No! It is the system that is faulty.

      Therefore Bank of America's system is faulty; most password-based systems are in fact faulty. It is not an acceptable excuse to put the burden on the user. It is a cop-out. We are techies, we should make stuff work. It is our job.

    3. Re:Flawed system or flawed usage? by Tom · · Score: 5, Insightful

      Rule #1 of user interface design: The user is always right. If he does something wrong, thank him for pointing out a flaw in your interface.

      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:Flawed system or flawed usage? by thebigbluecheez · · Score: 5, Informative

      As a Bank of America customer, I have to tell you that you're not entirely correct here.

      If I log in from a new computer (or clear cookies on my own), I have to add that computer to the safe list. That is, I have to get a new cookie.

      In order to authorize a new computer, I have to answer one of three preselected security questions. These questions include:
      What is your maternal grandmother's first name?
      What is your maternal grandfather's first name?
      In what city were you born?
      What was the name of your first pet?
        and 5 more that I don't care to take the time to count.

      After this authorization takes place, my sitekey is displayed, allowing me to verify the authenticity of the site.

      That's not to say it's foolproof, but it isn't quite as simple as you make it out to be.

      What really makes it fun is when my mom's cookies get cleared, and she can't recall the answers to her questions. /missed the aforementioned security classes //not an expert, just a user.

      --
      I like your Macs, but I don't like your Mac users. (with apologies to Gandhi)
  2. This could be solved... by Gnissem · · Score: 5, Insightful

    If BofA periodically did not show the image and then warned the user they had made a mistake by entering their password, users would soon be trained to look for the image. Setting up a security system once and then not reinforcing it periodically so that users take it seriously is the problem.
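One way to put the flow thebigbluecheez describes above (cookie safe list, security-question fallback, then the image) together with Gnissem's reinforcement idea into code, as an added example that is not Bank of America's or the thread's own code: the server withholds the image on a configurable share of logins and, if the password is entered anyway, refuses the login and warns the user. Class and method names, the account data, the question text and the 10% drill rate are all assumptions.

```python
import random
import secrets

class SiteKeyServer:
    """Model of the four-step flow discussed in the thread; all account data is made up."""
    def __init__(self, drill_rate=0.1, rng=None):
        self.drill_rate = drill_rate   # share of logins on which the image is withheld
        self.rng = rng or random.Random()
        self.accounts = {}             # username -> account record
        self.sessions = {}             # username -> state of an in-progress login

    def register(self, username, password, image, answers):
        # answers: security question -> expected answer.  The plaintext password is
        # kept only because this is a model; a real server stores a salted hash.
        self.accounts[username] = {"password": password, "image": image,
                                   "answers": answers, "devices": set(),
                                   "drill_failures": 0}

    def start_login(self, username, device_cookie):
        """Step 1: a recognised device goes straight to the image; others are challenged."""
        acct = self.accounts[username]
        if device_cookie in acct["devices"]:
            return self._image_stage(username)
        question = self.rng.choice(sorted(acct["answers"]))
        self.sessions[username] = {"question": question}
        return {"stage": "challenge", "question": question}

    def answer_challenge(self, username, answer):
        """Step 2: a correct answer adds this browser to the safe list via a new cookie."""
        acct, sess = self.accounts[username], self.sessions[username]
        if answer.strip().lower() != acct["answers"][sess["question"]].lower():
            return {"stage": "challenge", "question": sess["question"], "error": "wrong answer"}
        cookie = secrets.token_hex(16)
        acct["devices"].add(cookie)
        return dict(self._image_stage(username), set_cookie=cookie)

    def _image_stage(self, username):
        """Step 3: show the SiteKey image, except on drill logins where it is withheld."""
        drill = self.rng.random() < self.drill_rate
        self.sessions[username] = {"image_shown": not drill}
        return {"stage": "password", "image": None if drill else self.accounts[username]["image"]}

    def submit_password(self, username, password):
        """Step 4: on a drill, typing the password is exactly the mistake the drill catches."""
        acct, sess = self.accounts[username], self.sessions.pop(username, {})
        if sess.get("image_shown") is False:
            acct["drill_failures"] += 1
            return {"stage": "training", "logged_in": False,
                    "message": "Your SiteKey image was not shown; never enter your password without it."}
        return {"stage": "done", "logged_in": bool(sess.get("image_shown")) and password == acct["password"]}
```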

  3. meh - controlled environment? by hashmap · · Score: 5, Insightful

    1. go to an unusual place,

    2. sign an agreement form,

    3. follow instructions that say: "Log into your account"

    4. you're aware that people are watching you and will analyze what you did

    whatever results they get do not prove anything other than:

    People placed in an unfamiliar, controlled environment with Harvard scientists ogling at them will not check the security image.

  4. Re:Sensationalist headline... by jalefkowit · · Score: 5, Insightful

    The SiteKey isn't flawed, the people are.

    People are, by definition, flawed. Any security system that is predicated on this changing sometime soon is broken.

  5. Biased sample? by ArsenneLupin · · Score: 5, Insightful

    Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all. You may be on to something here. Maybe most people who they did ask refused to participate... phearing that the entire experiment might be a setup trying to get at their banking passwords.

    The few that did participate were either excessively trusting or clueless, making them more likely to not worry about the missing image either.

    In a word, they used a biased sample.