Slashdot Mirror


Boarding Pass Hacker Targets Bank of America

Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.

1 of 160 comments (clear)

  1. Re:Crux by slashdotmsiriv · · Score: 5, Interesting

    This is an obvious attack against the BoA authentication system. Anybody with basic knowledge of networking, authentication systems and phishing
    methods should be able to figure out almost immediately how to defeat this system.

    At first, I myself was also very critical of BoA's new anti-phishing technique. However, after some more careful consideration, I realized it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves. Unlike security researchers (including moi), which usually try to create bulletproof security systems so they can right interesting papers with indisputable arguments, financial organizations are constrained by the very real issue of cost-efficiency.

    Their current two-step authentication does not address the obvious MITM attack discussed here, but it does address the previously seen phishing attacks. BoA's security team must have figured out that it would cost them X amounts of money to defend against classic phishing attacks and by preventing those they would save Y money. They must have also considered solutions like the ones presented in http://people.deas.harvard.edu/~rachna/papers/secu rityskins.pdf, which uses http://en.wikipoaedia.org/wiki/Secure_remote_passw ord_protocol and must have realized that this would cost them a W amount of money. Note that such a solution would require BoA to create new SSL protocols that would have to be installed on the client machines, not only their own servers. Also note, that such a solution is not stupid-user-proof either. However, we can safely say that W > X (perhaps even W >> X).

    By using such a solution they could perhaps save Z > Y amounts of money because much less users would fall victims to phishing attacks. It is very likely that they did the math. Because they chose to go with the current solution, it is very likely that Y-X > Z-W

    The only thing that BoA should perhaps correct is the statement:
    "If you recognize your SiteKey, you'll know for sure that you
    are at the valid Bank of America site. Confirming your SiteKey is
    also how you'll know that it's safe to enter your Passcode and click the Sign In button."

    This is over-claiming and could have a harmful impact by making its web users dropping their defenses against phishing. I am sure however that their marketing dpt told them that they need to advertise this security feature as completely robust, otherwise users would feel that they are going through unnecessary trouble: "if BoA's system is still insecure, why did BoA bother changing it and why do I need to incur the delay to learn it and enter login information twice?"

    Disclaimer: I do not work for BoA and I have no vested interest in supporting them. In fact, I hate their guts for their penalty fees policies :)