Boarding Pass Hacker Targets Bank of America
Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.
Here's an example on how B of A does business:
This guy just wanted to check to see if a check was good!
You can bet B of A will go after this hacker guy.
One thing I kind of want to say is that, while I agree that the SiteKey method isn't secure, it seems that most any kind of website can fall prey to this kind of MITM. With enough time, one could (with relative ease) write a bot that wraps around just about any website (monitor the headers, cookies, GET/POST vars that are passed during a normal browser login, and then write a script that uses curl to emulate all of that and create a phishing site). I tend to think that at some point, any "necessary" security measures that could be taken to ensure someone's identity would be inconvenient for the user or too expensive for the consumer.
Most Bank of America branches have open customer service centers. They consist of desks with no walls or partitions and a customer waiting area a few feet away. The first question after, "How may I help you?" is "What is your social security number". That is usually followed by, "And what can I do for you Mr./Ms. ______?"
Have you actually read his blog or talked to him? He sent a bunch of letters to people about the boarding pass hack before he posted it. He's documented everything on his blog, including all of his FOI requests, letters from his lawyer to the government etc.
What chance is there of being spoofed if I have no type of Trojan infection and type the correct URL?
:wq
vi C:\windows\system32\drivers\etc\hosts
i 192.168.1.100 www.mybank.com
I used to work for a bank and we looked at SecureID for all of our internet banking customers that could originate ACH (Automated Clearing House) transfers.
We realized that SecureID is also vulnerable to a man-in-the-middle attack. Since most people ignore invalid SSL certificates, anyone could put up a fake webpage and intercept the entire SecureID transaction. Once a successful login is permitted, the attacker can process bank transactions as the legitimate user.
SecureID is a nice way to augment passwords with a one-time password, and it does reduce the "attack window" due to the fact that the bad guy cannot reuse your login credentials at a later time. SecureID does not eliminate the attack window... the attacker needs to process the fraudulent transactions during the legitimate user's session.
-ted
Hmmm... after reading the article I have a stupid question popping up in my head...
I live in Belgium and several banks here have switched to a card reader device.
You just have to type in the number of your physical bank account card, then the bank's site generates an 8-digit passkey.
Pop in your bank card, type in the generated passkey, type in your PIN code and type in on the site the passkey the little device generates.
Voila... I'm banking... on any PC I want...
Every time I make an online bank transfer, I have to repeat the above procedure.
My wife hates it... she doesn't like that she has to type over these numbers, but I'm very happy with it.
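A small simulation of the two points raised in this thread (ted's note that a session-scoped OTP still lets an intercepting site submit its own transactions during the session, and the Belgian challenge/response reader flow). This is an added example, not code from any poster or bank, and it assumes one thing neither post states: that the user also types the transfer amount into the reader, so the card's response is bound to that amount rather than to the session alone.

```python
import hashlib
import hmac
import secrets

# Constructed values: the secret a chip card shares with its bank, and the card PIN.
CARD_SECRET = b"constructed-card-secret-not-a-real-key"
CARD_PIN = "1234"

def _code8(mac: bytes) -> str:
    """Truncate a MAC to an 8-digit code like the one the reader displays."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def card_sign(challenge: str, amount: str) -> str:
    """What the chip computes: a MAC over the bank's challenge and the amount the
    user typed into the reader (assumed here; the reader is the trusted input path)."""
    msg = f"{challenge}|{amount}".encode()
    return _code8(hmac.new(CARD_SECRET, msg, hashlib.sha256).digest())

def reader_response(challenge: str, amount: str, pin: str) -> str:
    """Reader side: the PIN unlocks the card before it signs anything."""
    if not hmac.compare_digest(pin, CARD_PIN):
        raise ValueError("wrong PIN")
    return card_sign(challenge, amount)

class Bank:
    def __init__(self) -> None:
        self.used = set()  # challenges already consumed, so a captured response cannot be replayed

    def start_transfer(self) -> str:
        """Issue a fresh 8-digit challenge for one transfer attempt."""
        return f"{secrets.randbelow(10**8):08d}"

    def execute(self, amount: str, challenge: str, response: str) -> bool:
        """Execute only if the response signs *this* amount under an unused challenge."""
        if challenge in self.used:
            return False
        if not hmac.compare_digest(response, card_sign(challenge, amount)):
            return False
        self.used.add(challenge)
        return True

def scenario() -> dict:
    """User signs a 25.00 transfer; an intercepting site first tries to pass the same
    response off for 9000.00, then the genuine one goes through, then it is replayed."""
    bank = Bank()
    challenge = bank.start_transfer()
    response = reader_response(challenge, "25.00", CARD_PIN)
    return {
        "altered_amount": bank.execute("9000.00", challenge, response),
        "genuine": bank.execute("25.00", challenge, response),
        "replay": bank.execute("25.00", challenge, response),
    }
```

A session-only OTP would verify identically for both amounts, which is exactly the window ted describes; binding the amount into what the card signs is what closes it for an altered transfer.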