12 Apr 2007

MFA not all it's cracked up to be


Christopher Soghoian at Slight Paranoia has a great example of how MFA isn’t the end-all-be-all some wanted it to be.

In his article, A Deceit-Augmented Man In The Middle Attack Against Bank of America’s SiteKey® Service, he demonstrates how a phisher can bypass elements of image-based MFA, such as SiteKey. They even have a video!

CUs need to carefully review their MFA policies and the software they have in place to monitor their online security.

See our own post here about BofA and SiteKey security flaws.

3 Responses to “MFA not all it's cracked up to be”

  1. Robbie Wright says:

    Otto’s talking about BofA’s SiteKey problems too! Go check out his post here.

  2. Doug True says:

    We are using BioPassword (www.biopassword.com) – we think it is a member centric solution.

  3. Robbie Wright says:

    I love that idea! The way people uniquely type passwords is fascinating to me. We’re using a cookie-token method that I’m not that ecstatic about.
