Slashdot Mirror


Boarding Pass Hacker Targets Bank of America

Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.

4 of 160 comments

  1. Bank of America?!? by Anonymous Coward · · Score: 5, Informative
    This guy is going to get it.

    Here's an example of how B of A does business:

    This guy just wanted to check to see if a check was good!

    You can bet B of A will go after this hacker guy.

  2. Re:Good for him! by jimstapleton · · Score: 5, Funny

    If he keeps it up, he'll start to know the agents...

    *hears a knock on the door, and answers*
    Him: "Ahh, Agent Doe! Nice to see you! They sent you out for this one huh? Your standard crew."
    AS: "Yep."
    Him: "Can I interest you in some coffee, tea or a soda-pop while they are working?"
    AS: "Sure, I'll have some coffee"
    *He gets the coffee ready as the other agents go to his computer*
    Him: "Sit down, sit down! Here's your coffee"
    AS: "Thanks. So, everything's going well I take it?"
    Him: "Yeah, I'd ask if you heard about my latest trick, but that's probably why you are here."
    AS: "Yes, it is."
    Him: "So, how's the wife and kids?"
    AS: "Not bad. Jane is in basketball now."
    Him: "Middle school"
    AS: "College"
    Him: "Really? I can't believe it's been that long. It seems like just yesterday you were telling me about her being born!"
    *more idle chatter, eventually several black suits come down carrying computer equipment.*
    AS: "Well, it was nice chatting with you again."
    Him: "Likewise. See you next week, same time?"
    AS: "Sure, what do you have planned now?"
    Him: "C'mon, and spoil the surprise?"
    AS: "Alright, see you next week."

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  3. Re:Crux by mypalmike · · Score: 5, Insightful

    Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol.

    Exactly. The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like SecurID.

    --
    There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
  4. Re:Crux by slashdotmsiriv · · Score: 5, Interesting

    This is an obvious attack against the BoA authentication system. Anybody with basic knowledge of networking, authentication systems and phishing methods should be able to figure out almost immediately how to defeat this system.

    At first, I myself was also very critical of BoA's new anti-phishing technique. However, after some more careful consideration, I realized it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves. Unlike security researchers (including moi), who usually try to create bulletproof security systems so they can write interesting papers with indisputable arguments, financial organizations are constrained by the very real issue of cost-efficiency.

    Their current two-step authentication does not address the obvious MITM attack discussed here, but it does address the previously seen phishing attacks. BoA's security team must have figured out that it would cost them X amount of money to defend against classic phishing attacks and by preventing those they would save Y money. They must have also considered solutions like the ones presented in http://people.deas.harvard.edu/~rachna/papers/securityskins.pdf, which uses http://en.wikipedia.org/wiki/Secure_remote_password_protocol, and must have realized that this would cost them a W amount of money. Note that such a solution would require BoA to create new SSL protocols that would have to be installed on the client machines, not only their own servers. Also note that such a solution is not stupid-user-proof either. However, we can safely say that W > X (perhaps even W >> X).

    By using such a solution they could perhaps save Z > Y amounts of money because many fewer users would fall victim to phishing attacks. It is very likely that they did the math. Because they chose to go with the current solution, it is very likely that Y-X > Z-W.

    The only thing that BoA should perhaps correct is the statement:
    "If you recognize your SiteKey, you'll know for sure that you are at the valid Bank of America site. Confirming your SiteKey is also how you'll know that it's safe to enter your Passcode and click the Sign In button."

    This is over-claiming and could have a harmful impact by making its web users drop their defenses against phishing. I am sure however that their marketing department told them that they need to advertise this security feature as completely robust, otherwise users would feel that they are going through unnecessary trouble: "if BoA's system is still insecure, why did BoA bother changing it and why do I need to incur the delay to learn it and enter login information twice?"

    Disclaimer: I do not work for BoA and I have no vested interest in supporting them. In fact, I hate their guts for their penalty fees policies :)
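The comment above contrasts SiteKey (the server shows an image; anyone who can query the server can show the same image) with the SRP-based approach behind the linked Security Skins paper. The following is an added example, not code from the Slashdot thread, Bank of America, or either linked paper: a toy SRP-6a login following the RFC 5054 message flow, with SHA-256, g = 2, a small safe prime found at import time (constructed for speed; a real deployment uses the 2048-bit or larger RFC 5054 groups), and a constructed user "alice". The point it demonstrates is mutual authentication: the server proves it holds the enrolled verifier v before the client trusts it, so a look-alike site that never received v cannot complete the exchange, and a wrong password fails on the server side without the password ever leaving the client.

```python
# Added example (not from the thread, Bank of America or the linked papers):
# toy SRP-6a with SHA-256, g = 2 and a 128-bit safe prime found at import time.
# The small prime and the user "alice" are constructed for the demo only.
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with random bases (demo quality, fine for a parameter search)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(bits: int) -> int:
    """Smallest safe prime N = 2q + 1 with q >= 2**(bits-1) (deterministic search)."""
    q = (1 << (bits - 1)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

N = find_safe_prime(128)             # group modulus (toy size, constructed)
g = 2                                # generator
N_LEN = (N.bit_length() + 7) // 8    # padding width for group elements

def H(*parts) -> int:
    """SHA-256 over bytes and big-endian padded ints, returned as an int."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(max(N_LEN, (part.bit_length() + 7) // 8), "big")
        h.update(part)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)                          # SRP-6a multiplier parameter

def private_key(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(I ":" P)); only the client ever computes this."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username: str, password: str):
    """Enrolment: the server keeps (salt, v = g^x), never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, username, password), N)

class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password

    def start(self):  # message 1, client -> server: (I, A = g^a)
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.I, self.A

    def process_challenge(self, salt: bytes, B: int) -> int:  # message 3: M1
        if B % N == 0:
            raise ValueError("degenerate B from server")
        u, x = H(self.A, B), private_key(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H(S)                                  # session key
        self.M1 = H(H(N) ^ H(g), H(self.I.encode()), salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: int) -> bool:  # message 4 check
        """Only a party holding the enrolled verifier v can produce a matching M2."""
        return M2 == H(self.A, self.M1, self.K)

class Server:
    def __init__(self, records: dict):
        self.records = records           # username -> (salt, v)

    def challenge(self, username: str, A: int):  # message 2: (salt, B = k*v + g^b)
        if A % N == 0:
            raise ValueError("degenerate A from client")
        salt, v = self.records[username]
        self.b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, self.b, N)) % N
        S = pow((A * pow(v, H(A, B), N)) % N, self.b, N)
        self.K, self.A = H(S), A
        self.expected_M1 = H(H(N) ^ H(g), H(username.encode()), salt, A, B, self.K)
        return salt, B

    def verify_client(self, M1: int):
        """M2 if the client's proof matches, else None (login refused)."""
        return H(self.A, M1, self.K) if M1 == self.expected_M1 else None

def run_login(client: Client, server: Server) -> bool:
    """Drive the four-message exchange; True only when both sides prove themselves."""
    I, A = client.start()
    salt, B = server.challenge(I, A)
    M2 = server.verify_client(client.process_challenge(salt, B))
    return M2 is not None and client.verify_server(M2)

if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery staple")
    bank = Server({"alice": (salt, v)})
    print("real bank:", run_login(Client("alice", "correct horse battery staple"), bank))
    fake = Server({"alice": (salt, pow(g, 12345, N))})  # never received alice's v
    print("look-alike:", run_login(Client("alice", "correct horse battery staple"), fake))
```

Two things to note. First, `verify_server` is the step SiteKey has no equivalent of: the client accepts the site only after M2, which requires the session key K, which in turn requires v. Second, SRP by itself does not stop a site that merely forwards messages between the user and the real bank, but such a relay never learns K; the Security Skins paper the comment links builds its visual cue from K for exactly that reason, which is what makes it costlier to deploy (client-side changes) than a server-served image.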