Boarding Pass Hacker Targets Bank of America
Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.
It's great to know this guy is still at it, despite getting raided by the FBI for the boarding pass hack. However, unless I'm mistaken, banking stuff like this is under the auspices of the Secret Service, so this guy might want to set some extra places at the dinner table for a different group of goons.
These authentication images seem to be one of these ideas that is based on the assumption that you only deal with one company.
Within the last six months, three banks and two brokerage houses I use have all gone to the use of these authentication images. In each case, the only way to select the image is to go through slow-loading screen after slow-loading screen of apparently random images.
I can choose my own password, but it is virtually impossible to "choose" my image, so they're not very memorable to me. I certainly can't choose the same image at all five sites, which is what I'd like to do. (That's insecure for a password, but I don't think it's insecure for an authentication image; it's not as if one bank were going to try to pretend to be a different bank).
One of them also wants you to give them a little phrase that goes below the picture. Ah, I thought, I'll use my phrase to describe the picture, that way I'll know if the picture is incorrect. Wrong, I couldn't do it. I had to enter the phrase before I got to choose the picture. Well, I thought, OK, I'll just change it. The picture was of (let's say) a soccer ball. So I went to the screen that lets you change your passwords and personal information, entered "soccer ball" as my phrase... and was then taken to a screen where I was required to select a picture, again. And the soccer ball wasn't one of the choices. I clicked through about ten screens of five-by-five pictures trying to find the soccer ball and couldn't find it. Was it just because they were randomly selecting from a huge collection of images? Or do they actually enforce changing the image? I don't know. All I know is that I now am supposed to remember my password AND the phrase "soccer ball" AND a picture of a kangaroo.
If the picture were wrong, would I notice? I might have a vague sense of unease, but I wouldn't be sure. Not unless I wrote them all down.
This is an obvious attack against the BoA authentication system. Anybody with basic knowledge of networking, authentication systems and phishing methods should be able to figure out almost immediately how to defeat this system.
At first, I myself was also very critical of BoA's new anti-phishing technique. However, after some more careful consideration, I realized it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves. Unlike security researchers (including moi), who usually try to create bulletproof security systems so they can write interesting papers with indisputable arguments, financial organizations are constrained by the very real issue of cost-efficiency.
Their current two-step authentication does not address the obvious MITM attack discussed here, but it does address the previously seen phishing attacks. BoA's security team must have figured out that it would cost them X amounts of money to defend against classic phishing attacks and by preventing those they would save Y money. They must have also considered solutions like the ones presented in http://people.deas.harvard.edu/~rachna/papers/securityskins.pdf, which uses http://en.wikipedia.org/wiki/Secure_remote_password_protocol and must have realized that this would cost them a W amount of money. Note that such a solution would require BoA to create new SSL protocols that would have to be installed on the client machines, not only their own servers. Also note that such a solution is not stupid-user-proof either. However, we can safely say that W > X (perhaps even W >> X).
By using such a solution they could perhaps save Z > Y amounts of money because many fewer users would fall victim to phishing attacks. It is very likely that they did the math. Because they chose to go with the current solution, it is very likely that Y-X > Z-W.
The only thing that BoA should perhaps correct is the statement:
"If you recognize your SiteKey, you'll know for sure that you
are at the valid Bank of America site. Confirming your SiteKey is
also how you'll know that it's safe to enter your Passcode and click the Sign In button."
This is over-claiming and could have a harmful impact by making its web users drop their defenses against phishing. I am sure however that their marketing dept. told them that they need to advertise this security feature as completely robust, otherwise users would feel that they are going through unnecessary trouble: "if BoA's system is still insecure, why did BoA bother changing it and why do I need to incur the delay to learn it and enter login information twice?"
Disclaimer: I do not work for BoA and I have no vested interest in supporting them. In fact, I hate their guts for their penalty fees policies
Why don't the banks just issue digital certificates for their users and provide a secure way to download them? Then you could use the cert and a password to authenticate.. no MITM attacks due to the cert, difficult to impersonate.
"If the text just before the 3rd slash in the address bar is bankofamerica.com, you'll know for sure that you are at the valid Bank of America site."
Wouldn't it be nice if you could give someone (e.g. PayPal, known by some for removing money back out as fast as they put it in) Deposit-Only account numbers. Like the Roach Motel, the money checks in, and it don't check out.
Or Limited Transfer Out numbers. (Allow AOL, and AOL only, to automatically debit monthly payments for amounts not exceeding your monthly bill, and only valid for 6 transactions before you give them a new number.)
Personal Checks, each one of which has a One Time Only account number on it that is worth nothing to a thief who tries to forge a hundred duplicates of the check you just gave him.
The archaic current system could, I believe, be made much more secure by this simple change alone.
Note to IP thieves: This constitutes Prior Art, and you're not allowed to patent it now.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Check out a message my bank just sent about their upcoming authentication change:
"At National City, we are committed to the privacy of your personal information. Therefore, over the next several months we will be increasing the level of security used to perform online transactions.
Effective Sunday, April 22 it will be necessary for you to input your Log-In ID and Password on two consecutive screens rather than one single screen as today. This change will affect users who log in from the NationalCity.com homepage and the Online Banking Login Page.
Thank you for choosing National City for your financial needs."
So they want us to input the exact same username and password on two consecutive screens, and somehow think that is increasing security?
Many European banks now give you a physical device. You must enter your PIN in the device then give back the generated number to log in. This is still vulnerable to MITM attacks. But when you're transferring a huge amount of money, you must enter the account number of the account you want to transfer money to. This, if done correctly, is approaching perfection. There could still be complete fools misled by a MITM: the fake bank site asks to enter another account number on the physical device... However bank customers could be trained to only enter the account they want to pay money to, which could also be emphasized by having a button on the physical device labelled "ONLY ENTER THE BANK ACCOUNT NUMBER YOU WANT TO PAY MONEY TO" (these devices tend to have a few buttons anyway, for different types of challenge). After entering the bank account number you want to pay to, the device gives you back a security that you transmit to the bank. You ain't cheating such a scheme unless you've got physical access to the device. So you ain't attacking a bank using such a scheme on a big scale. This is "good game lowlifes".
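Added example, not from the commenter or from any bank's actual token: a Python sketch of the transaction-signing scheme described above, where the device MACs the bank's challenge together with the payee account and amount the customer keyed in, so a man-in-the-middle who rewrites the destination account cannot reuse the code. The device secret, challenge and account numbers are constructed placeholders; a real token unlocks with the PIN locally and uses a vendor-specific algorithm.

```python
import hashlib
import hmac

# Constructed per-device secret (placeholder); a real token holds its own key
# and only unlocks it locally after the customer enters the PIN.
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def device_sign(secret: bytes, challenge: str, dest_account: str, amount_cents: int) -> str:
    """What the token computes after the customer keys in the payee account:
    a MAC over the bank's challenge and the exact transfer, shown as 8 digits."""
    msg = f"{challenge}|{dest_account}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_verify(secret: bytes, challenge: str, dest_account: str,
                amount_cents: int, code: str) -> bool:
    """The bank recomputes the MAC over the transfer it actually received.
    If a MITM changed the payee, the customer-signed code no longer matches."""
    expected = device_sign(secret, challenge, dest_account, amount_cents)
    return hmac.compare_digest(expected, code)


def demo_mitm() -> tuple:
    challenge = "4719"  # constructed; the bank would pick one per transfer
    code = device_sign(DEVICE_SECRET, challenge, "DE00 1234 5678", 25000)
    honest = bank_verify(DEVICE_SECRET, challenge, "DE00 1234 5678", 25000, code)
    # A MITM forwarding the code but swapping in a different account fails.
    swapped = bank_verify(DEVICE_SECRET, challenge, "DE00 9999 0000", 25000, code)
    return honest, swapped
```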
Completely wrong. It takes one line of javascript to open a link with no referer sent. Not rocket science.
If I were bofa, I would be looking at browser quirks, and using those to authenticate the HTTP_USER_AGENT environment variable. Browser says that they're IE? include a little activeX that only works in IE and examine output, or send some javascript. For each browser, set up a suite of these hacks and serve a few with each page. If the browser doesn't respond with the correct output of the quirk (piped into a form field via javascript, say), then assume browser is just a script with the UA set. That would kill about 90% of phishing attacks.
I would also look at login patterns and route all login page requests through an analyzing proxy that notes the IP address, User Agent, probable physical location and whether it has been used to access the account previously. Then, if a particular IP or User Agent requests a login that is suspicious, send an SMS message to the account owner (who would need their cell number on file first, obviously :) explaining the access and where it is being made from. They will need to reply to the message before the login can continue from that IP. I mean, if I always access my online banking from 2 specific IP blocks, then one day try to access it from the other side of the country, I'd expect a red flag to go up - especially if I'd accessed it on old IP only 6 hours previously.
Not bulletproof, but damn close.
At my last job, we used a similar system to analyze FTP access to half a million accounts. It made catching script kiddies a hell of a lot easier
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
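Added example, not the commenter's code or any bank's system: a Python version of the login-pattern check proposed above, scoring each attempt on whether the IP block, User-Agent and coarse location have been seen for the account before, and whether the location changed within a few hours of the last login. All events, addresses and the 12-hour window are constructed; a real proxy would feed these from its access logs and a GeoIP lookup.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class LoginEvent:
    ip: str
    user_agent: str
    region: str        # coarse location the proxy would get from GeoIP; constructed here
    when: datetime

@dataclass
class AccountHistory:
    known_blocks: Set[str] = field(default_factory=set)   # /24 prefixes seen before
    known_agents: Set[str] = field(default_factory=set)
    last: Optional[LoginEvent] = None

def prefix24(ip: str) -> str:
    return str(ip_network(f"{ip}/24", strict=False))

def score_login(hist: AccountHistory, ev: LoginEvent) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    if prefix24(ev.ip) not in hist.known_blocks:
        score += 2; reasons.append("unknown IP block")
    if ev.user_agent not in hist.known_agents:
        score += 1; reasons.append("unknown user agent")
    if hist.last and hist.last.region != ev.region:
        score += 1; reasons.append("region differs from last login")
        if ev.when - hist.last.when < timedelta(hours=12):
            score += 2; reasons.append("region change within 12h")
    return score, reasons

def decide(hist: AccountHistory, ev: LoginEvent, threshold: int = 3) -> Tuple[str, List[str]]:
    score, reasons = score_login(hist, ev)
    if score >= threshold:
        return "challenge_sms", reasons     # hold the login until the owner replies
    hist.known_blocks.add(prefix24(ev.ip))  # only accepted logins extend the baseline
    hist.known_agents.add(ev.user_agent)
    hist.last = ev
    return "allow", reasons

def run_demo() -> List[str]:
    ua = "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0"   # constructed
    hist = AccountHistory({prefix24("203.0.113.10")}, {ua},
                          LoginEvent("203.0.113.10", ua, "US-CA", datetime(2007, 4, 1, 8)))
    attempts = [
        LoginEvent("203.0.113.44", ua, "US-CA", datetime(2007, 4, 1, 9)),           # home block
        LoginEvent("198.51.100.7", "curl/7.16", "US-NY", datetime(2007, 4, 1, 14)), # 5h later, far away
        LoginEvent("192.0.2.5", ua, "US-CA", datetime(2007, 4, 1, 20)),             # new block, same region/UA
    ]
    return [decide(hist, ev)[0] for ev in attempts]
```

The second attempt scores 6 (new block, new agent, region change within the window) and is held for SMS confirmation, while the third scores only 2 and is allowed; a rejected attempt never extends the account's baseline.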
The first time I saw it, I figured my box was compromised and didn't type anything. After confirming its presence on a known-clean box, I saw the same thing. I contacted (via meatspace visit to my local branch and) confirmed that my box wasn't compromised and that this is by design, and the excuse for it was that BofA was having so damn many problems with its users who couldn't understand SiteKey that they had to provide a link to a customer "support" organization. What. The. Fuck.
I have accounts with three financial institutions. All three use Passmark.
All three ask me to pick a common object and give it a name.
Of course I'm going to call it what it is.
Calling it something obtuse makes the whole thing harder to keep track of.
Each one asks me up to 6 security questions.
These are in case my computer gets "unregistered" or if I try to get to an account from not-my-computer.
They're not all the same. The answers are not one-word slam dunks. If they were, they would be no good.
Because they're not easy and obvious, I have to remember up to 18 obtuse answers.
If I get one wrong, even by one character, I'm kicked off until I call someone.
The banks claim this is a government law that makes them do this.
Please don't say "get one bank".
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."