Boarding Pass Hacker Targets Bank of America
Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.
Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol.
Exactly. The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.