Boarding Pass Hacker Targets Bank of America

Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.

Crux

[Billosaur]

Why does BoA allow users to get access to their SiteKey image after answering her security questions? The reason is simple. Normally, BoA knows to present the right SiteKey image to a user because it recognizes the computer that user logs in from as belonging to the user in question. This is done using secure cookies. But what happens if there are no cookies? Say that the user wants to log in to her BoA account from a computer that she has not successfully used to connect to BoA's website with before. Before sending the SiteKey image to the user, BoA will require the user to provide some evidence of her identity - the answers to the security questions. Once BoA receives these, and has verified that they are correct, then it will send the user's SiteKey image to the user. That allows the user to verify that it is really communicating with BoA, and not an impostor, which in turn, provides the user with the security to enter her password.

This is the loophole that we use in our demonstration. Through deceit, we convince the user to enter her security question, and thus get the SiteKey image.

No matter what kind of security system you devise, you cannot take out the human element. The Internet seems like magic to people - it knows them, it knows things about them, people can find them from all over the planet. The average user is not curious enough to learn how this is accomplished, paranoid enough to distrust anything at first glance, or savvy enough to protect themselves. Bank of America is kidding itself if it thinks the SiteKey is any kind of deterrent to a hacker.

Re:Crux

Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol.

Re:Crux

[mypalmike]

Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol.

Exactly. The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.

Re:Crux

[slashdotmsiriv]

This is an obvious attack against the BoA authentication system. Anybody with basic knowledge of networking, authentication systems and phishing
methods should be able to figure out almost immediately how to defeat this system.

At first, I myself was also very critical of BoA's new anti-phishing technique. However, after some more careful consideration, I realized it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves. Unlike security researchers (including moi), which usually try to create bulletproof security systems so they can right interesting papers with indisputable arguments, financial organizations are constrained by the very real issue of cost-efficiency.

Their current two-step authentication does not address the obvious MITM attack discussed here, but it does address the previously seen phishing attacks. BoA's security team must have figured out that it would cost them X amounts of money to defend against classic phishing attacks and by preventing those they would save Y money. They must have also considered solutions like the ones presented in http://people.deas.harvard.edu/~rachna/papers/secu rityskins.pdf, which uses http://en.wikipoaedia.org/wiki/Secure_remote_passw ord_protocol and must have realized that this would cost them a W amount of money. Note that such a solution would require BoA to create new SSL protocols that would have to be installed on the client machines, not only their own servers. Also note, that such a solution is not stupid-user-proof either. However, we can safely say that W > X (perhaps even W >> X).

By using such a solution they could perhaps save Z > Y amounts of money because much less users would fall victims to phishing attacks. It is very likely that they did the math. Because they chose to go with the current solution, it is very likely that Y-X > Z-W

The only thing that BoA should perhaps correct is the statement:
"If you recognize your SiteKey, you'll know for sure that you
are at the valid Bank of America site. Confirming your SiteKey is
also how you'll know that it's safe to enter your Passcode and click the Sign In button."

This is over-claiming and could have a harmful impact by making its web users dropping their defenses against phishing. I am sure however that their marketing dpt told them that they need to advertise this security feature as completely robust, otherwise users would feel that they are going through unnecessary trouble: "if BoA's system is still insecure, why did BoA bother changing it and why do I need to incur the delay to learn it and enter login information twice?"

Disclaimer: I do not work for BoA and I have no vested interest in supporting them. In fact, I hate their guts for their penalty fees policies :)

Re:Crux

[toleraen]

What chance is there of being Spoofed if have no type of Trojan infection and type the correct URL?

vi C:\windows\system32\drivers\etc\hosts
i 192.168.1.100 www.mybank.com
:wq

Re:Crux

[hackstraw]

The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.

The deceit is simply a man in the middle attack, and we all know this is not a new thing.

I'm a BOA customer, and I've been upset with their security for years, but it keeps getting better, which is kindof a problem in itself.

Some history here. BOA's main website: http://www.bankofamerica.com/ was only recently redirected to a https server. In fact, until recently if you even typed https://www.bankofamerica.com/ you got an error message. Before doing the basic thing like moving the http server to a https server, they introduced this site key junk.

OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) its not on a https site, and its asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.

When I go to a supposedly real BOA branch on say Main Street in YourTown, USA, there are a number of things that makes me believe its real. There are other people in there, many of which are wearing BOA nametags, and the BOA logos and stuff are all over the outside and inside of the place. Also, its expensive and difficult to put up a fake BOA storefront, and the liklihood that a fake one will generate any profit w/o getting caught is about zero (otherwise they would exist!)

Now, how much would it cost me to put up a bankfoamerica.com site? How about 15-20 of them with different typos? How much easier is it being that they can exist anywhere in the world or even outside of the world on a sattelite in space even? How hard is it to generate all of these things that look exactly like the real site w/o a secure certificate behind them to boot? Now, being that BOA changes the website all the time, AND its not on a secure server, how am I supposed to know that I'm even dealing with the same people each time?

My problem is not with BOA identifying me, its with me identifying them. So, they add site-key and all of this crap, which puts the burdon of identifying them on me, which is backwards, especially when they keep changing the rules.

When I worked in a hospital, they talked repeatedly about "universal precautions" with respect to things like AIDS and whatnot. There needs to be a set of universal precautions for doing secure transactions on the internet, and there are none.

Good for him!

[Rob+T+Firefly]

It's great to know this guy is still at it, despite getting raided by the FBI for the boarding pass hack. However, unless I'm mistaken banking stuff like this is under the auspices of the Secret Service, so this guy might want to set some extra places at the dinner table for a different group of goons.

Re:Good for him!

[jimstapleton]

If he keeps it up, he'll start to know the agents...

*hears a knock on the door, and answers*
Him: "Ahh, Agent Doe! Nice to see you! They sent you out for this one huh? Your standard crew."
AS: "Yep."
Him: "Can I interest you in some coffee, tea or a soda-pop while they are working?"
AS: "Sure, I'll have some coffee"
*He gets the coffee ready as the other agents go to his computer*
Him: "Sit down, sit down! Here's your coffee"
AS: "Thanks. So, everything's going well I take it?"
Him: "Yeah, I'd ask if you heard about my latest trick, but that's probably why you are here."
AS: "Yes, it is."
Him: "So, how's the wife and kids?"
AS: "Not bad. Jane is in basketball now."
Him: "Middle school"
AS: "College"
Him: "Really? I can't believe it's been that long. It seems like just yesterday you were telling me about her being born!"
*more idle chatter, eventually several black suits come down carrying computer equipment.*
AS: "Well, it was nice chatting with you again."
Him: "Likewise. See you next week, same time?"
AS: "Sure, what do you have planned now?"
Him: "C'mon, and spoil the surprise?"
AS: "Alright, see you next week."

Bank of America?!?

This guy is going to get it.

Here's an example on how B of A does business:

This guy just wanted to check to see if a check was good!

You can bet B of A will go after this hacker guy.

The real problem of online banking

[Opportunist]

The core problem of online banking is that the bank has to implicitly trust an untrustworthy system, using insecure protocols. The bank has no way to verify that the system used at the other end has not been tampered with and they cannot verify that the data sent to them is identical with the data entered by the user.

You can implement a billion "security features", it won't mean jack as long as the only channel between bank and user is the computer. If that channel has been corrupted, the corrupter will be able to alter, delete or forge any kind of information either side should (in his opinion) get about the other end. There is no way to remove this problem unless you open a second, secure channel which is independent of the machine used for bank transfers.

A bit less than it appears

[jfengel]

The summary is not quite correct. It's not so much that the SiteKey is being bypassed, as that the attacker is able to get their hands on the user's SiteKey. They can only do this by getting the user's password and security code, which they do with a conventional man-in-the-middle attack. Once they've got that, getting the SiteKey seems the least of their worries.

The obvious problem with SiteKey is the chicken-and-egg problem of getting the image to the server in the first place. There's some step where you're communicating in a fashion where you trust the server enough to give them your SiteKey, which they later show back to you. It's tied to a single computer, via a cookie, so if you log in from a different computer you need to send a new SiteKey or get them to send yours back to you, on the new computer.

So this attack only works if you can get the user to give up not only the password but also the "security question" (one of the dumbest bits of security I've ever seen; it's like a password only you can look it up.) Easy enough, if the user isn't alert (and they usually aren't.)

SiteKey depends on users to expect the key image, but the absence of the image doesn't usually trigger warning bells because they're not very common. You need some sort of phishing detector which says, "Hey, this site is known to require a SiteKey and isn't sending it to you."

Who can remember their authentication images?

[dpbsmith]

These authentication images seem to be one of these ideas that is based on the assumption that you only deal with one company.

Within the last six months, three banks and two brokerage houses I use have all gone to the use of these authentication images. In each case, the only way to select the image is to go through slow-loading screen after slow-loading screen of apparently random images.

I can choose my own password, but it is virtually impossible to "choose" my image, so they're not very memorable to me. I certainly can't choose the same image at all five sites, which is what I'd like to do. (That's insecure for a password, but I don't think it's insecure for an authentication image; it's not as if one bank were going to try to pretend to be a different bank).

One of them also wants you to give them a little phrase that goes below the picture. Ah, I thought, I'll use my phrase to describe the picture, that way I'll know if the picture is incorrect. Wrong, I couldn't do it. I had to enter the phrase before I got to choose the picture. Well, I thought, OK, I'll just change it. The picture was of (let's say) soccer ball. So I went to the screen that lets you change your passwords and personal information, entered "soccer ball" as my phrase... and was then taken to a screen where I was required to select a picture, again. And the soccer ball wasn't one of the choices. I clicked through about ten screens of five-by-five pictures trying to find the soccer ball and couldn't find it. Was it just because they were randomly selecting from a huge collection of images? Or do they actually enforce changing the image? I don't know. All I know is that I now am supposed to remember my password AND the phrase "soccer ball" AND a picture of a kangaroo.

If the picture were wrong, would I notice? I might have a vague sense of unease, but I wouldn't be sure. Not unless I wrote them all down.

Why not use referrer?

[nospmiS+remoH]

Why don't the banks just require that the referrer to a login page be blank. Yes, this would mean that the login page would have to be either on the main page or very simple to type since the only way a (normal) user will have a blank referrer will be to type the url in.

Essentially this means that banks would be requiring everyone to physically type (or bookmark) their banks login page and that would be the ONLY way to get there. I suppose it could be modified to accept a referrer of the banks own domain so you could click a "Login Here" button.

I know power users can spoof their referrer using a browser setting and malware could do the same, but at least that would be another layer. What am I missing here?

I Can't .. stop .. myself

[slashbob22]

Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol. You are coming to a sad realization, Cancel or Allow?

The Weakest Link

[Nom+du+Keyboard]

The weakest link in the banking system is its reliance on a single account number. Imagine, if you will, if your bank could give you limited use account numbers that never revealed your master account number to outsiders.

Wouldn't it be nice if you could give someone (e.g. PayPal, known by some for removing money back out as fast as they put it in) Deposit-Only account numbers. Like the Roach Motel, the money checks in, and it don't check out.

Or Limited Transfer Out numbers. (Allow AOL, and AOL only, to automatically debit monthly payments for amounts not exceeding your monthly bill, and only valid for 6 transactions before you give them a new number.)

Personal Checks, each one of which has a One Time Only account number on it that is worth nothing to a thief who tries to forge a hundred duplicates of the check you just gave him.

The archaic current system could, I believe, be made much more secure by this simple change alone.

Note to IP thieves: This constitutes Prior Art, and you're not allowed to patent it now.

Stupid online banking security problems

[slashkitty]

The banks are really just bringing this on themselves. They have marketed the idea of security as being more important than actual security. Making me answer more questions about myself may make it harder to break in, but it leaves me even more vulnerable to identity theft if my answers are compromised.

Looking at what banks can do to improve security:

- Stop putting the "lock" icon on your login form. Users should look for the lock on the toolbar or part of browser frame. (chase.com, others)
- Stop using non secure login pages (not where the login form is being submitted to) (chase.com, usbank.com, wachovia.com)
- Stop using marketing emails from strange marketing addresses. This just gets people used to bank emails from weird places.
- Make a secure bookmarkable banking page. (my bank does not do this, I get an error screen if going to bookmark)
- Simplify navigation and operation and unify systems. (my bank does not do this, if I log out on one part of the site, I'm not logged out from the "very secure" part)

Bank sites driven by marketers

BoA = smarter than this blogger

[oni]

it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves.

I agree. In fact, I would go further and say that the author of this blog should actually be quite embarassed and ashamed of this post. His "amazing discovery" is actually the whole point of sitekey. Yes, you can be a man in the middle and get the sitekey images yourself. Congratulations. You and everyone else already thought of that.

And guess what, your man-in-the-middle now has to make a sitekey request to bank of american for *every potential victim* and as a result, BoA will easily identify your IP block as running a MITM scheme.

So in other words, this blogger is an idiot. He hasn't defeated sitekey at all. Set up a MITM site, make ten requests, and now you're out of business and the ten accounts that you phished are locked.