07 Feb 2007

Study Finds Bank of America SiteKey Flawed


Site-authentication images are a simple anti-phishing concept for online banking. Each customer has a secret image (like a dog or wooden chair), which assures them that the web site they are logging on to is their legitimate online banking site. Since phishing sites generally consist of a fake login page used to steal customers’ login information, and wouldn’t be able to show them their secret image, it sounds like a perfect solution.

In fact, Bank of America, ING Direct, and Vanguard already use something like this, but a recent study found…

Even though the bank repeatedly instructed customers not to login if their site-authentication images are absent, the vast majority of participants using their own bank accounts did not comply—23 of 25 (92%) entered their own account passwords even though their site-authentication images were absent.

You’re probably wondering why a phishing site couldn’t take your login information, pass it to the real online banking site, and grab your site-authentication image to show you. It turns out this is a valid concern:

site-authentication images have been shown to be vulnerable to man-in-the-middle attacks that capture and display the user’s site-authentication image

This makes me question whether site-authentication images were a good idea in the first place. As we complicate our online banking systems with this and other multifactor authentication schemes, I wonder if any of them make a significant difference.

For the time being, it looks like the best option is still just to educate your members. Teach them to look at their address bar and make sure they are logging into the right address.

You can see the original article here: http://www.usablesecurity.org/emperor/emperor.pdf
