Boarding Pass Hacker Targets Bank of America
Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.
This is the loophole that we use in our demonstration. Through deceit, we convince the user to enter her security question, and thus get the SiteKey image.
No matter what kind of security system you devise, you cannot take out the human element. The Internet seems like magic to people - it knows them, it knows things about them, people can find them from all over the planet. The average user is not curious enough to learn how this is accomplished, paranoid enough to distrust anything at first glance, or savvy enough to protect themselves. Bank of America is kidding itself if it thinks the SiteKey is any kind of deterrent to a hacker.
> users don't pay attention to the SiteKey pictures
Picture? what picture?
That tactic has been around for about a year now, that's worth a story?
How about trojans that change your order, send the bogus order to the bank while displaying the one you entered instead? Or... wait, that's been around for about 6 months now, too.
It's great to know this guy is still at it, despite getting raided by the FBI for the boarding pass hack. However, unless I'm mistaken banking stuff like this is under the auspices of the Secret Service, so this guy might want to set some extra places at the dinner table for a different group of goons.
Here's an example on how B of A does business:
This guy just wanted to check to see if a check was good!
You can bet B of A will go after this hacker guy.
All of my financial websites (bank, credit cards, etc.) have all gone to "two-factor" authentication.
Most often, the second factor is "security questions", like "what city were you born in?" and "what's your favorite restaurant?" I always answer these with random passwords, which I put in my password safe along with the real password. Unless you do that, these are actually less secure than just having a secondary password, because others can find out that stuff.
I know every business wants to do this cheaply and half-assed; it's the American Business Way. To do it "right" would probably take SecurID's or somesuch other token, which would get ugly for the customer after accumulating a couple of dozen different ones.
I've heard in comments here about banks that send you a list of code numbers, one-time-use, in the postal mail, and you use them up as you log in. That would be a good, cheap way to do two-factor that actually increases security.
The core problem of online banking is that the bank has to implicitly trust an untrustworthy system, using insecure protocols. The bank has no way to verify that the system used at the other end has not been tampered with and they cannot verify that the data sent to them is identical with the data entered by the user.
You can implement a billion "security features", it won't mean jack as long as the only channel between bank and user is the computer. If that channel has been corrupted, the corrupter will be able to alter, delete or forge any kind of information either side should (in his opinion) get about the other end. There is no way to remove this problem unless you open a second, secure channel which is independent of the machine used for bank transfers.
for a SuperHacker not a Boarding Pass Hacker.....
I think the BoA sitekey is definitely one step above username/password on the front page. However, I agree that while it provides an added SENSE of security, it can make people trust something more that they really can't trust any more. When it was released, I did almost exactly what this guy did just to see if it would work. I was not terribly surprised that I could create a wrapper to retrieve the sitekey picture and words while still intercepting the passcode. It was actually pretty easy. Unlike the study about the people who ignored their sitekey, I do pay attention to it. However, I also pay attention to whether I'm really on BoA. I never go there from a link in an email. While someone could still redirect my request for BoA to somewhere else, I also practice safe browsing practices that at least limit that potential issue on MY computer. The convenience of online banking is just too high for me to NOT use it.
When are companies gonna get smart and actually HIRE this fucker?
Someone is bound to do it eventually...I can assure you all if a company does not buy him up soon, the government will.
He's pointing out that most of the psychological reassurances (the security blankets, we might call them) that are presented to customers/consumers/flyers/etc... are just that--psychological reassurances.
We'd better be careful. This kid is dangerous. He could dismantle our entire society! Wait to see what happens when he points out that money is fictitious.
The summary is not quite correct. It's not so much that the SiteKey is being bypassed, as that the attacker is able to get their hands on the user's SiteKey. They can only do this by getting the user's password and security code, which they do with a conventional man-in-the-middle attack. Once they've got that, getting the SiteKey seems the least of their worries.
The obvious problem with SiteKey is the chicken-and-egg problem of getting the image to the server in the first place. There's some step where you're communicating in a fashion where you trust the server enough to give them your SiteKey, which they later show back to you. It's tied to a single computer, via a cookie, so if you log in from a different computer you need to send a new SiteKey or get them to send yours back to you, on the new computer.
So this attack only works if you can get the user to give up not only the password but also the "security question" (one of the dumbest bits of security I've ever seen; it's like a password only you can look it up.) Easy enough, if the user isn't alert (and they usually aren't.)
SiteKey depends on users to expect the key image, but the absence of the image doesn't usually trigger warning bells because they're not very common. You need some sort of phishing detector which says, "Hey, this site is known to require a SiteKey and isn't sending it to you."
Apparently by one of BoA's competitors.
I wish banks would offer something like SecurID for authenticating with their site. They seem to be in the process of adding on layers and layers of crap, without adding any actual security. I'd rather have a couple dozen SecurIDs than carry around half a dozen one-time pads. Ideally, you'd only need one SecurID for each account. Which for most people is probably 3. Chequing, Savings, Credit Card. If you have more accounts than that, you're probably in the minority. I guess I'm not of the crowd that has 7 credit cards though. I have 1, and it's accepted just about everywhere. So I don't have a need for more than 1. I'd rather have a couple extra dongles hanging from my keychain than having to worry about someone hacking my account. I'd happily pay for the SecurID if only the option were available.
These authentication images seem to be one of these ideas that is based on the assumption that you only deal with one company.
Within the last six months, three banks and two brokerage houses I use have all gone to the use of these authentication images. In each case, the only way to select the image is to go through slow-loading screen after slow-loading screen of apparently random images.
I can choose my own password, but it is virtually impossible to "choose" my image, so they're not very memorable to me. I certainly can't choose the same image at all five sites, which is what I'd like to do. (That's insecure for a password, but I don't think it's insecure for an authentication image; it's not as if one bank were going to try to pretend to be a different bank).
One of them also wants you to give them a little phrase that goes below the picture. Ah, I thought, I'll use my phrase to describe the picture, that way I'll know if the picture is incorrect. Wrong, I couldn't do it. I had to enter the phrase before I got to choose the picture. Well, I thought, OK, I'll just change it. The picture was of (let's say) soccer ball. So I went to the screen that lets you change your passwords and personal information, entered "soccer ball" as my phrase... and was then taken to a screen where I was required to select a picture, again. And the soccer ball wasn't one of the choices. I clicked through about ten screens of five-by-five pictures trying to find the soccer ball and couldn't find it. Was it just because they were randomly selecting from a huge collection of images? Or do they actually enforce changing the image? I don't know. All I know is that I now am supposed to remember my password AND the phrase "soccer ball" AND a picture of a kangaroo.
If the picture were wrong, would I notice? I might have a vague sense of unease, but I wouldn't be sure. Not unless I wrote them all down.
The RIAA needs to hire this guy to make drawings for them.
> Most often, the second factor is "security questions", like "what city were you born in?" and "what's your favorite restaurant?"
That isn't two-factor authentication. That is something you know and something else you know. Two-factor requires something you know, and something you have (a smart card, one-time password, RSA SecurID fob, etc.). (Not blaming you, simply pointing out how lame most businesses are).
I'm no fan of how they do business (basically, the second they got big enough they started pissing on the small account customers that they built their business with), but E*Trade will give you a security dongle if you want:
https://us.etrade.com/e/t/jumppage/viewjumppage?PageName=cpg
One thing I kind of want to say is that, while I agree that the SiteKey method isn't secure, it seems that most any kind of website can fall prey to this kind of MITM. With enough time, one could (with relative ease) write a bot that wraps around just about any website. (Monitor the headers, cookies, GET/POST vars that are passed during a normal browser login, and then write a script that uses curl to emulate all of that and create a phishing site.) I tend to think that at some point, any "necessary" security measures that could be taken to ensure someone's identity would be inconvenient for the user or too expensive for the consumer.
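To make the relay in the comments above concrete, here is an added model of the two-step SiteKey login and of a proxy that wraps it, in the spirit of the curl bot just described. It is illustration code written for this page, not the demonstration site from the blog post and not any bank's code; the Bank and PhishingProxy classes, the accounts, images, device cookie and the TEST-NET address are all constructed.

```python
import secrets
from collections import Counter


class Bank:
    """Passmark-style login: username first, SiteKey back, then the password.
    Accounts, images and the cookie are constructed for this illustration."""

    def __init__(self):
        self.users = {
            "alice": {"password": "hunter2", "image": "kangaroo.png",
                      "phrase": "soccer ball", "answer": "rex"},
            "bob": {"password": "correct horse", "image": "lighthouse.png",
                    "phrase": "blue", "answer": "fluffy"},
        }
        self.known_devices = set()      # (username, device cookie) pairs
        self.sessions = {}
        self.lookups = Counter()        # security-question lookups per source IP

    def register_device(self, user, cookie):
        self.known_devices.add((user, cookie))

    def sitekey(self, user, source_ip, device_cookie=None, answer=None):
        """Step 1. A recognised cookie returns the image straight away; an
        unknown device must answer the security question first (the loophole
        the demonstration uses). Returns None if neither is satisfied."""
        rec = self.users.get(user)
        if rec is None:
            return None
        if (user, device_cookie) in self.known_devices:
            return (rec["image"], rec["phrase"])
        self.lookups[source_ip] += 1
        if answer == rec["answer"]:
            return (rec["image"], rec["phrase"])
        return None

    def login(self, user, password):
        """Step 2. Returns a session token, or None on a wrong password."""
        rec = self.users.get(user)
        if rec is None or password != rec["password"]:
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token


class PhishingProxy:
    """Look-alike site. It has no device cookie for anyone, so it asks every
    victim the security question, forwards the answer to the real bank, and
    shows the genuine image back before collecting the password."""

    PROXY_IP = "203.0.113.7"        # TEST-NET-3 address standing in for the attacker

    def __init__(self, real_bank):
        self.bank = real_bank
        self.captured = []

    def sitekey(self, user, answer):
        return self.bank.sitekey(user, self.PROXY_IP, answer=answer)

    def login(self, user, password):
        self.captured.append((user, password))
        return self.bank.login(user, password)     # victim gets in; nothing looks wrong


def run_attack(victims):
    """victims: (username, security answer, password) as typed into the
    phishing page. Returns what each victim saw, how many passwords were
    captured, whether they all still work against the bank afterwards, and
    how many question lookups the bank saw from the proxy's address."""
    bank = Bank()
    bank.register_device("alice", "cookie-on-alices-laptop")   # her own PC is enrolled
    proxy = PhishingProxy(bank)
    shown = {}
    for user, answer, password in victims:
        image = proxy.sitekey(user, answer)
        if image is None:                 # wrong answer: no image, an alert user stops here
            shown[user] = None
            continue
        proxy.login(user, password)
        shown[user] = image[0]
    replayable = [bank.login(u, p) is not None for u, p in proxy.captured]
    return {"shown": shown,
            "captured": len(proxy.captured),
            "replay_works": bool(replayable) and all(replayable),
            "lookups_from_proxy": bank.lookups[PhishingProxy.PROXY_IP]}
```

The per-address counter is the bank-side check: every victim costs the proxy one security-question lookup from the same address with no recognised cookie, which is the signal a later comment in this thread says would get the proxy's IP block noticed. The captured passwords also keep working after the victim's session ends, which is what makes this worse than relaying a one-time code.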
That doesn't seem all that secure to me...
Just picture a kangaroo playing soccer ..
Most Bank of America branches have open customer service centers. They consist of desks with no walls or partitions and a customer waiting area a few feet away. The first question after, "How may I help you?" is "What is your social security number". That is usually followed by, "And what can I do for you Mr./Ms. ______?"
I spent a couple days going back and forth with the folks at my bank about this. I was trying to get them to explain how these security questions were any better than a password. These security questions are worse than a password because people who know something about you can figure them out. So it's no better than having 2 passwords. Having 2 passwords is fundamentally equivalent to having one password that's twice as long, and since there's not any limit on the length of passwords, it's not any better than just having one password that's suitably long.
In the end, they just said they were mandated by the federal government to do this. Does anyone know if this is true? What item in law mandates this?
The security is still none. A simple BHO that sits between you and your connection will laugh about it and shrug it off as pointless.
What makes it worse is that people think there's some additional security and might get careless as long as they think the key is secure. Think airbags and the fallacy that you can take a higher risk 'cause you're safer now.
Why don't the banks just require that the referrer to a login page be blank. Yes, this would mean that the login page would have to be either on the main page or very simple to type since the only way a (normal) user will have a blank referrer will be to type the url in.
Essentially this means that banks would be requiring everyone to physically type (or bookmark) their banks login page and that would be the ONLY way to get there. I suppose it could be modified to accept a referrer of the banks own domain so you could click a "Login Here" button.
I know power users can spoof their referrer using a browser setting and malware could do the same, but at least that would be another layer. What am I missing here?
I've been back and forth about severing my relationship with Bank of America ever since they started charging me bogus fees. Sure, they correct them after I point them out, but it is a waste of my time.
This pushed me over the edge. The fact that they humiliated an innocent man like that and then refused to even help him clear his name afterwards is reprehensible.
I am finished banking at Bank of America.
> In the end, they just said they were mandated by the federal government to do this. Does anyone know if this is true? What item in law mandates this?
I doubt it is specific to that one item. My guess would be, Federal Law required them to seek and receive approval for their plans before they put an online banking system in place; then they contracted to have it built, and that was a project that lasted for years. In order to make the change you want, they would have to go through a long complex process. So instead, they need to get rid of YOU.
Why don't the banks just issue digital certificates for their users and provide a secure way to download them? Then you could use the cert and a password to authenticate.. no MITM attacks due to the cert, difficult to impersonate.
Bank of America tends to forget my computer after a period of time (usually a few weeks) for whatever reason. Consequently, I'm used to having to re-auth without Sitekey, which makes me more vulnerable to phishing. Compare this to Yahoo's system, which remembers your computer pretty much indefinitely and also allows a unique user-uploaded image for each computer.
Wouldn't it be nice if you could give someone (e.g. PayPal, known by some for removing money back out as fast as they put it in) Deposit-Only account numbers. Like the Roach Motel, the money checks in, and it don't check out.
Or Limited Transfer Out numbers. (Allow AOL, and AOL only, to automatically debit monthly payments for amounts not exceeding your monthly bill, and only valid for 6 transactions before you give them a new number.)
Personal Checks, each one of which has a One Time Only account number on it that is worth nothing to a thief who tries to forge a hundred duplicates of the check you just gave him.
The archaic current system could, I believe, be made much more secure by this simple change alone.
Note to IP thieves: This constitutes Prior Art, and you're not allowed to patent it now.
Check out a message my bank just sent about their upcoming authentication change:
"At National City, we are committed to the privacy of your personal information. Therefore, over the next several months we will be increasing the level of security used to perform online transactions.
Effective Sunday, April 22 it will be necessary for you to input your Log-In ID and Password on two consecutive screens rather than one single screen as today. This change will affect users who log in from the NationalCity.com homepage and the Online Banking Login Page.
Thank you for choosing National City for your financial needs."
So they want us to input the exact same username and password on two consecutive screens, and somehow think that is increasing security?
After reading the headline "Boarding Pass Hacker Targets Back of America" I couldn't help but wonder what sort of bank would let someone take money out of an account using only a Boarding Pass as their form of I.D.
Having 2 passwords is only equivalent to having one password twice as long if you have to input them both before finding out that they're wrong, and it doesn't tell you which one is wrong.
If I have to guess the first password before given the opportunity to guess the second password, it's just twice as hard as guessing a single password.
dom
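Added derivation, not part of either comment above, to pin down when two passwords are and are not "one password twice as long". Let the two passwords have $N_1$ and $N_2$ possible values. If the site reports failure only after both have been submitted, an attacker working through combinations needs in the worst case

$$N_1 N_2 \text{ guesses (joint check),}$$

the same as a single password with $N_1 N_2$ values; for length $n$ over an alphabet of size $a$, a password of length $2n$ has $a^{2n} = (a^n)^2$ values, which is the equivalence the earlier comment asserts. If the site confirms the first password before asking for the second, the two can be searched independently and the worst case drops to

$$N_1 + N_2 \text{ guesses (sequential check),}$$

which for $N_1 = N_2 = a^n$ is $2a^n$ rather than $a^{2n}$: with $a = 62$ and $n = 8$ that is roughly $4.4 \times 10^{14}$ against $4.8 \times 10^{28}$. The same arithmetic applies to SiteKey's username-then-password order whenever the first step confirms to the client that the username exists.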
I used to work for a bank and we looked at SecurID for all of our internet banking customers that could originate ACH (Automated Clearing House) transfers.
We realized that SecurID is also vulnerable to a man-in-the-middle attack. Since most people ignore invalid SSL certificates, anyone could put up a fake webpage and intercept the entire SecurID transaction. Once a successful login is permitted, the attacker can process bank transactions as the legitimate user.
SecurID is a nice way to augment passwords with a one-time password, and it does reduce the "attack window" due to the fact that the bad guy can not reuse your login credentials at a later time. SecurID does not eliminate the attack window...the attacker needs to process the fraudulent transactions during the legitimate user's session.
-ted
Why not lock down the .htaccess so images are only returned to the BofA server and no one else? Seems simple enough.
Many European banks now give you a physical device. You must enter your PIN in the device then give back the generated number to log in. This is still vulnerable to MITM attacks. But when you're transferring a huge amount of money, you must enter the account number of the account you want to transfer money to. This, if done correctly, is approaching perfection. There could still be a complete fool misled by a MITM: the fake bank site asks to enter another account number on the physical device... However bank customers could be trained to only enter the account they want to pay money to, which could also be emphasized by having a button on the physical device labelled "ONLY ENTER THE BANK ACCOUNT NUMBER YOU WANT TO PAY MONEY TO" (these devices tend to have a few buttons anyway, for different types of challenge). After entering the bank account number you want to pay to, the device gives you back a security code that you transmit to the bank. You ain't cheating such a scheme unless you've got physical access to the device. So you ain't attacking a bank using such a scheme on a big scale. This is "good game lowlifes".
One way that it might make it more secure for you would be if you have a set of three or more 'secondary' passwords.
Maiden's Mother, pet, highschool, etc...
That way the phisher, even if he gets your primary password still has to hope he gets enough of the secondaries to get the one that pops up when he tries to access the system.
Sometimes in the military we have a set of 'challenge phrases' and 'response phrases' that have to match up or alarms happen. That way somebody trying to fool the system can't just listen to the guy before him to get the correct answer, because it's different each time.
Hell, even Paypal offers a SecurID for less than $10:
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside
Completely wrong. It takes one line of javascript to open a link with no referer sent. Not rocket science.
:) explaining the access and where it is being made from. They will need to reply to the message before the login can continue from that IP. I mean, if I always access my online banking from 2 specific IP blocks, then one day try to access it from the other side of the country, I'd expect a red flag to go up - especially if I'd accessed it on old IP only 6 hours previously.
:)
If I were BofA, I would be looking at browser quirks, and using those to authenticate the HTTP_USER_AGENT environment variable. Browser says that they're IE? Include a little ActiveX that only works in IE and examine output, or send some JavaScript. For each browser, set up a suite of these hacks and serve a few with each page. If the browser doesn't respond with the correct output of the quirk (piped into a form field via JavaScript, say), then assume the browser is just a script with the UA set. That would kill about 90% of phishing attacks.
I would also look at login patterns and route all login page requests through an analyzing proxy that notes the IP address, User Agent, probable physical location and whether it has been used to access the account previously. Then, if a particular IP or User Agent requests a login that is suspicious, send an SMS message to the account owner (who would need their cell number on file first, obviously).
Not bulletproof, but damn close.
At my last job, we used a similar system to analyze FTP access to half a million accounts. It made catching script kiddies a hell of a lot easier
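The login-pattern analysis proposed in the comment above, as an added example written for this page (not the poster's FTP system and not any bank's): a parser for constructed login records and a scorer that flags a new network, a new user agent, a new city, or a location change inside a six-hour window, and routes those logins to an SMS challenge. The record format, the /24 grouping, the six-hour window and the sample lines are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed login records: timestamp, account, source IP, user agent, geo-IP city.
# The fourth line is a curl-driven login from an unfamiliar address; the last line
# is the real user logging in again shortly afterwards. One line is deliberately malformed.
LOGS = """\
2007-04-10T08:02:11Z alice 192.0.2.10 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0" Seattle
2007-04-10T19:45:03Z alice 192.0.2.11 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0" Seattle
2007-04-11T07:58:40Z alice 192.0.2.10 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0" Seattle
2007-04-11T09:00:00Z alice 192.0.2.10 truncated
2007-04-11T13:30:00Z alice 203.0.113.7 "curl/7.16.1" Bucharest
2007-04-11T14:05:22Z alice 192.0.2.10 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0" Seattle
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


def parse(text):
    """Turn the records into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, ip, ua, city = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user,
                       "net": ".".join(ip.split(".")[:3]),   # /24 as the "network" unit
                       "ua": ua, "city": city})
    return events


def score_logins(events, travel_window=timedelta(hours=6)):
    """Per account, compare each login with what has been seen before.
    Returns (timestamp, user, action, reasons) in time order. Only logins
    that were allowed without a challenge are enrolled into the history,
    since the challenge outcome is not modelled here."""
    history = {}
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        h = history.setdefault(ev["user"],
                               {"nets": set(), "uas": set(), "cities": set(), "last": None})
        reasons = []
        if h["nets"] and ev["net"] not in h["nets"]:
            reasons.append("new network")
        if h["uas"] and ev["ua"] not in h["uas"]:
            reasons.append("new user agent")
        if h["cities"] and ev["city"] not in h["cities"]:
            reasons.append("new location")
        last = h["last"]
        if last and last[1] != ev["city"] and ev["ts"] - last[0] < travel_window:
            reasons.append("location changed within %dh" % (travel_window.seconds // 3600))
        action = "sms challenge" if reasons else "allow"
        decisions.append((ev["ts"].isoformat(), ev["user"], action, reasons))
        if action == "allow":
            h["nets"].add(ev["net"])
            h["uas"].add(ev["ua"])
            h["cities"].add(ev["city"])
        h["last"] = (ev["ts"], ev["city"])
    return decisions
```

Note the side effect visible in the sample: the genuine login 35 minutes after the attacker's attempt is also challenged, because the account's last seen location is now Bucharest. That is the intended behaviour (the owner learns something is wrong), but it is why the cell number has to be on file before the scoring goes live, and why the first login of a brand-new account is allowed rather than challenged.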
If anyone ever figures out a way pull a "Man in the Middle" on the Windows Update Service, then, to quote "Dandy" Don Meredith: Turn out the lights, the party's over.
Looking at what banks can do to improve security:
- Stop putting the "lock" icon on your login form. Users should look for the lock on the toolbar or part of browser frame. (chase.com, others)
- Stop using non secure login pages (not where the login form is being submitted to) (chase.com, usbank.com, wachovia.com)
- Stop using marketing emails from strange marketing addresses. This just gets people used to bank emails from weird places.
- Make a secure bookmarkable banking page. (my bank does not do this, I get an error screen if going to bookmark)
- Simplify navigation and operation and unify systems. (my bank does not do this, if I log out on one part of the site, I'm not logged out from the "very secure" part)
Bank sites driven by marketers
I have said for a long time now, that the system in place is faulty, because they can't verify the person at the other end. If however they had in place that the online info does not get access to a special bank of phone numbers designed to be used per purchase....at the time of purchase you receive a call from Visa or the bank in question saying you have made some transactions or purchases online for such items, is this correct....then this would solve almost everything, except it would cost the banks enormous amounts of money, which would then trickle back down to bigger costs and fees for a bank account of which we did not have any fees as far back as 20 years ago (here in Canada...don't know about all other places).
> In the end, they just said they were mandated by the federal government to do this. Does anyone know if this is true? What item in law mandates this?
That's a lie, because I know for a fact that not all banks (including some major national chains) use them. Which is fine by me, I'm happy to take responsibility for my own security by choosing a strong password and verifying the SSL cert before I log in.
I have accounts with three financial institutions. All three use Passmark.
All three ask me to pick a common object and give it a name.
Of course I'm going to call it what it is.
Calling it something obtuse makes the whole thing harder to keep track of.
Each one asks me up to 6 security questions.
These are in case my computer gets "unregistered" or if I try to get to an account from not-my-computer.
They're not all the same. The answers are not one-word slam dunks. If they were, they would be no good.
Because they're not easy and obvious, I have to remember up to 18 obtuse answers.
If I get one wrong, even by one character, I'm kicked off until I call someone.
The banks claim this is a government law that makes them do this.
Please don't say "get one bank".
I have a dim memory of seeing that in the geek news somewhere a while back. I assumed that's why the financial corps were implementing these measures.
[/me digs...] Here we go: U.S. Regulators Require Two-Factor Authentication for Banks
One of the commenters to that post says that the regulators did not blindly require two-factor authentication, though that's how a lot of folks interpreted it (including, I bet, some banks). However, it seems like they can implement "security questions" or somesuch and say "look, we're compliant with these new regulations."
it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves.
I agree. In fact, I would go further and say that the author of this blog should actually be quite embarrassed and ashamed of this post. His "amazing discovery" is actually the whole point of sitekey. Yes, you can be a man in the middle and get the sitekey images yourself. Congratulations. You and everyone else already thought of that.
And guess what, your man-in-the-middle now has to make a sitekey request to Bank of America for *every potential victim* and as a result, BoA will easily identify your IP block as running a MITM scheme.
So in other words, this blogger is an idiot. He hasn't defeated sitekey at all. Set up a MITM site, make ten requests, and now you're out of business and the ten accounts that you phished are locked.
> I know every business wants to do this cheaply and half-assed; it's the American Business Way. To do it "right" would probably take SecurID's or somesuch other token, which would get ugly for the customer after accumulating a couple of dozen different ones.
The stupid thing is that they already have given me one of these things. My bank has given me credit cards and debit cards that have 2 factor authentication already in them. It takes 1) the card and 2) a PIN to use said card. (Yes, I know that the magnetic info on credit/bank cards is not secure, but...)
The thing that sucks is that there is no standard 2 factor thing that interfaces with computers yet.
Things like smart cards, have been around for over a decade. They come in the same form factor and look like tokens we use every day, and we can use them in tons of ways, but just not yet.
I've posted a possible solution to this kind of thing on my blog: http://www.jamesward.org/wordpress/2007/02/05/mutual-authentication/
I'd love to hear the ./ folks' thoughts on my solution.
I'll counter your anecdote with one of my own. I've used my BOA Visa check card, Visa credit card, and MasterCard credit card extensively for the past two years. That's included travel to multiple foreign countries (admittedly all European or North American), ATM withdrawals in unusual places, multiple high dollar ATM withdrawals in the same day/hour, charges to obscure Russian credit card broker websites, periods of inactivity followed by bursts of large amounts of travel related purchases, etc. Not once has a single of my BOA cards been suspended due to suspected fraud.
I don't know if I'm just really lucky, or if your luck stinks.
In fact, BOA has been the most lax about calling regarding fraud as far as I'm concerned. I've had all of my other credit card companies call one time or another - never have they just suspended the card, though.
The "possible solution" you posted on your blog is the very same technology that we developed this phishing MiTM attack against.
The technology is called Passmark. It's made by RSA, and licensed to lots and lots of financial firms. This is primarily due to the fact that it is far cheaper to roll out than a real SecurID token. Although, to be fair, SecurID tokens can be man in the middle'd too. However, a SiteKey/Passmark MiTM is far worse, as the attacker can login to your bank account later - instead of only having one time access with the SecurID. In any case....
Your blog post merely explains how one signs up for Passmark/Sitekey. It is not a solution to the problem, but is the very security system that we bypass with our project.
Please read the blogpost (the very subject of this slashdot thread), and watch the video. You will see striking similarities between the Bank of America authentication scheme and the one you post about.
Cheers
Chris
Well, I was at BofA yesterday, and noticed they are using Windows machines. In my mind that means that none of the $23.62 that I have in the bank is at all secure. I'm losing sleep tonight!
The sad irony is that my teller CLAIMED that they use the same computer security as the FBI and the CIA. My response was, "No WONDER we're losing the war!"
rhY
They'd have to also get Microsoft's signing key, for the same reason I'm not afraid to download non-public hotfixes from sketchy websites.
Every time I read a report on online phishing I wonder why banks (and other secure sites) don't apply a very simple almost 100% proof solution that will eliminate phishing, AND make life easier for the end user.
The solution is simple: Issue each client a tamper-proof USB dongle with a private key, similar to the smart cards you have in your cable boxes. When visiting the bank's website, the Browser/OS/USB dongle itself will ask the user for a PIN. Like ATMs, the dongle can lock out if the PIN is keyed in incorrectly too many times.
When the dongle confirms the PIN, it will conduct a Zero-Knowledge proof protocol that will prove the client's identity to the bank and simultaneously generate a common session key, all without divulging any information. A man-in-the-middle attacker will be missing the session key or will not have any information required to prove its identity to the real bank site.
No password of any kind is transferred on the wire, encrypted or otherwise.
The only way around this kind of system is to have a trojan on the client's machine. In these cases, some OS features may be used to prevent the trojan from interacting with the dongle and PIN.
Client education is also easier: There is a physical object that serves as a key to your account, combined with a PIN. Exactly as with ATM cards. You know if your dongle is stolen (and it may not be duplicated), and in any case it's not usable without a PIN.
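The dongle protocol sketched above, as an added example of one concrete instance of it, written for this page rather than taken from the poster or any vendor: Schnorr identification (a zero-knowledge proof of knowledge of a discrete logarithm), with the challenge hashed together with the server name the client authenticated over TLS and a fresh server nonce. The group parameters are a deliberately tiny toy chosen so the arithmetic is visible, the three-strike PIN lockout is an assumption, and the session-key derivation the comment mentions is left out.

```python
import hashlib
import secrets

# Toy group: p = 2q + 1 with q prime, and g = 4 of prime order q. This is for
# illustration only; a real token would use a 2048-bit MODP group or an
# elliptic curve, never an 11-bit prime.
P, Q, G = 2039, 1019, 4


def keygen():
    """Private key never leaves the dongle; the public key is enrolled at the bank."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def challenge(commitment, server_id, server_nonce):
    """Hash the commitment with the server name the client actually verified
    over TLS and the bank's nonce. This is what ties a proof to one peer."""
    h = hashlib.sha256(f"{commitment}|{server_id}|{server_nonce}".encode()).digest()
    return int.from_bytes(h, "big") % Q


class Dongle:
    def __init__(self, private_key, pin, max_failures=3):
        self._x = private_key
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def prove(self, pin, server_id, server_nonce):
        """Returns (commitment, response). Raises on bad PIN; locks after
        max_failures consecutive bad PINs, like an ATM card."""
        if self.locked:
            raise PermissionError("dongle locked")
        if pin != self._pin:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
            raise PermissionError("bad PIN")
        self.failures = 0
        k = secrets.randbelow(Q - 1) + 1          # fresh per proof; reuse leaks x
        commitment = pow(G, k, P)
        c = challenge(commitment, server_id, server_nonce)
        s = (k + c * self._x) % Q
        return commitment, s


def verify(public_key, server_id, server_nonce, commitment, s):
    """Bank side: g^s must equal commitment * y^c for the bank's own name and nonce."""
    c = challenge(commitment, server_id, server_nonce)
    return pow(G, s, P) == (commitment * pow(public_key, c, P)) % P


def honest_login(x, y):
    d = Dongle(x, "1234")
    nonce = secrets.token_hex(8)
    r, s = d.prove("1234", "bank.example", nonce)
    return verify(y, "bank.example", nonce, r, s)


def relayed_login(x, y):
    """MITM at phish.example forwards the bank's nonce to the victim, but the
    victim's client binds the proof to the name it really connected to."""
    d = Dongle(x, "1234")
    nonce = secrets.token_hex(8)                  # fetched by the MITM from the bank
    r, s = d.prove("1234", "phish.example", nonce)
    return verify(y, "bank.example", nonce, r, s)


def pin_lockout(x, bad_attempts=3):
    """How many wrong PINs it takes before the dongle refuses to work."""
    d = Dongle(x, "1234")
    for _ in range(bad_attempts):
        try:
            d.prove("0000", "bank.example", "nonce")
        except PermissionError:
            pass
    return d.locked
```

The server-name binding is what denies the relay: the victim's proof is made for phish.example and the bank verifies against bank.example, so the forwarded transcript fails. That only holds if the client binds to the name it actually authenticated; a victim who clicks through a certificate warning for bank.example, which an earlier comment in this thread observes people routinely do, hands the relay its foothold back. In the toy group a relayed proof still verifies by accident once in about a thousand tries; with real parameters that chance is negligible.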
Hmmm... after reading the article I have a stupid question popping up in head...
I live in Belgium and several banks here have switched to a card reader device.
You just have to type in the number of your physical bank account card, then the bank's site generates an 8-digit passkey.
Pop in your bank card, type in the generated passkey, type in your PIN code and type in on the site the passkey the little device generates.
Voila... I'm banking... on any PC I want...
Every time I make an online bank transfer, I have to repeat the above procedure.
My wife hates it... she doesn't like that she has to type over these numbers, but i'm very happy with it.
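The two kinds of reader described in this thread (the Belgian login code above, and the earlier European comment's code computed over the destination account), as an added example that is not any bank's or vendor's protocol: HMAC-SHA256 truncated to eight digits stands in for the card's MAC, the card secret and account numbers are constructed, and the PIN check on the reader is not modelled. It also shows why relaying the login code still works, which is the SecurID point made earlier in the thread, and where the social-engineering residue the earlier comment admits to sits.

```python
import hashlib
import hmac

CARD_SECRET = b"secret personalised into this card/reader pair"   # constructed


def device_response(secret, challenge):
    """What the reader computes after the PIN check: an 8-digit code over the
    challenge. Real readers use a vendor MAC and a smart-card key; HMAC-SHA256
    truncated to 8 digits stands in for it here."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 10**8)


class Bank:
    def __init__(self, secret):
        self.secret = secret
        self.counter = 0
        self.issued = set()

    def login_challenge(self):
        self.counter += 1                 # a counter keeps the output readable; use a random nonce for real
        c = f"login:{self.counter}"
        self.issued.add(c)
        return c

    def check_login(self, challenge, response):
        ok = challenge in self.issued and hmac.compare_digest(
            response, device_response(self.secret, challenge))
        self.issued.discard(challenge)     # one-time use, whether or not it verified
        return ok

    def check_transfer(self, dest_account, amount, response):
        """The challenge IS the transaction the user keyed into the reader, so
        the bank recomputes it from the request it actually received."""
        challenge = f"pay:{dest_account}:{amount}"
        return hmac.compare_digest(response, device_response(self.secret, challenge))


def relayed_login(bank):
    """MITM fetches the login challenge from the bank, shows it on the fake
    page, and forwards the code the victim's reader produces. This works: a
    one-time login code is only one-time, it is not bound to who is using it."""
    challenge = bank.login_challenge()                 # attacker -> bank
    code = device_response(CARD_SECRET, challenge)     # victim's reader, shown the same challenge
    return bank.check_login(challenge, code)           # attacker -> bank, in the victim's name


def tampered_transfer(bank, intended_dest, attacker_dest, amount):
    """Victim keys her intended destination into the reader; the MITM rewrites
    the destination in the request it forwards. The code no longer matches."""
    code = device_response(CARD_SECRET, f"pay:{intended_dest}:{amount}")
    return bank.check_transfer(attacker_dest, amount, code)


def socially_engineered_transfer(bank, attacker_dest, amount):
    """The residual case: the fake site talks the victim into keying the
    attacker's account number into the reader herself."""
    code = device_response(CARD_SECRET, f"pay:{attacker_dest}:{amount}")
    return bank.check_transfer(attacker_dest, amount, code)
```

The difference between the two readers is entirely in what goes into the challenge. A login code proves possession of the card once; a code over destination and amount proves that this card holder keyed this destination and this amount, so a proxy can forward it but cannot change what it authorises.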
Thanks for playing. The worst offender of the trio *IS* my credit union.
I store my password in my password manager (Firefox); that way if it's filled in, I'm sure that I'm on the right site.
I'm quite annoyed by Yahoo that they disable this feature so I have to type the password in each time, and it already happened that I got phished because of that.
The password manager offers the same protection as SiteKey because it's also linked to the browser. But it is more convenient. Just forget your password and if it's not filled in automatically it can't be phished. I came across many PayPal and eBay phishing sites and this method protected me effectively.
When my bank started doing this I set my secret key word to "thisisnotsecurity" ... to remind myself just in case I ever forgot how ridiculous these schemes are.
:)
Making people feel safe is a real part of the problem. In the same class as MS's endless stream of security warnings. People either make unwarranted assumptions or stop caring.
I still laughed my ass off watching the video
Two factor is not just two different sets of things that you know... There are
1. Things that you know (passwords, other security questions)
2. Things that you have (tokens, one time pads)
3. Things that you are (biometric details)
Your banks are just asking more questions, not actually implementing two factor authentication.
For all of my business banking I have a device similar to an RSA SecurID token. That's PROPER two factor authentication.
is the only real solution, hard-wired to only connect to the bank (checks via one-time pad and similar arrangements).
Since the browser won't even connect if the server can't answer, there are no display issues.
The browser and one-time pads are distributed at a physical branch office, probably on CD, probably written in Java.
The fact that you can trivially MITM SiteKey is just as obvious as the fact anyone with a 59 cent inkjet printer can trivially print out counterfeit boarding passes.
His point was not to say, "Look at me! Look at me! I'm so smart! I can defeat your security!" at all.
His point is to say, "Look at you! Look at you! You keep saying you're adding security measures, but you're not adding any real security! And I know nobody will listen to me without a proof of concept, so here it is!"