April 12th, 2007
SiteKey phish demonstrated against BofA
The use of images to assure a user that they are not being phished has started to become common. Yahoo! uses them. And Bank of America has been using Passmark's (RSA) technology in their SiteKey scheme to protect their online banking customers from being phished. The idea is that a cookie in your browser tells the BofA server that it is you returning, and you then see an image that you selected when you first signed up for online banking. If you were at a fake site you would be suspicious because you would not see the familiar image.
The scheme falls down because there has to be a way to accommodate someone logging in from a different computer when they are on the road, at a conference kiosk, etc. So Bank of America asks a "secret question" and then installs the cookie on the new machine. This is where an attacker can insert a man-in-the-middle attack: the phishing site gets the secret question from the BofA server, passes it to the user, and passes the answer back to the bank, so the bank enrolls the attacker's machine as the "new computer."
Christopher Soghoian, a grad student at the Indiana University School of Informatics, has posted some movies of his clever attack on his site, as well as the PHP script for attacking BofA's servers. He points out that RSA also sells activity monitoring solutions (from Cyota) that BofA probably uses, so actual exploitation of a compromised account will probably not work. Until they figure out a way around it, that is.
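To make the two points above concrete (the secret-question enrollment step is the weak link, and activity monitoring is what catches it), here is a toy model written for this post. It is not Bank of America's, RSA's or Soghoian's code; the `SiteKeyBank` class, the user names, the IP addresses, the timings and the burst threshold are all constructed assumptions. The server side only ever knows which address answered the secret question, so the monitoring rule looks for one address enrolling "new computers" for many different accounts in a short window, which is exactly what a relay that answers questions on behalf of many victims looks like from the bank's side.

```python
"""Toy model of a SiteKey-style login plus one monitoring rule.
Example code written for this post; not Bank of America's, RSA's or
Soghoian's code. Names, addresses, timings and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import secrets


class SiteKeyBank:
    """Minimal server-side model: a device cookie unlocks the user's image;
    without a cookie the server falls back to the secret question and, on a
    correct answer, issues a cookie to whoever answered."""

    def __init__(self):
        self.users = {}        # username -> {"image", "question", "answer"}
        self.cookies = {}      # cookie value -> username
        self.enrollments = []  # (timestamp, username, source_ip)

    def register(self, username, image, question, answer):
        self.users[username] = {"image": image, "question": question, "answer": answer}

    def start_login(self, username, cookie=None):
        """Returns ("image", img) for a recognised device, else ("question", q)."""
        if cookie is not None and self.cookies.get(cookie) == username:
            return ("image", self.users[username]["image"])
        return ("question", self.users[username]["question"])

    def enroll_device(self, username, answer, source_ip, now):
        """New-device path: a correct answer earns a fresh cookie. The server
        only knows the address that answered, which is the whole weakness."""
        if answer != self.users[username]["answer"]:
            return None
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = username
        self.enrollments.append((now, username, source_ip))
        return cookie


def enrollment_burst_sources(enrollments, window=timedelta(minutes=10), threshold=3):
    """Monitoring rule: source addresses that enrolled devices for at least
    `threshold` distinct accounts inside any `window`. A relay that answers
    secret questions for many victims enrolls them all from its own address."""
    by_ip = defaultdict(list)
    for ts, user, ip in enrollments:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= threshold:
                flagged[ip] = sorted(users)
                break
    return flagged


def demo():
    """Constructed scenario: one genuine kiosk login, then an enrollment burst."""
    bank = SiteKeyBank()
    t0 = datetime(2007, 4, 12, 9, 0)
    bank.register("alice", "sailboat.jpg", "First pet?", "rex")
    for i in range(5):
        bank.register(f"user{i}", f"img{i}.jpg", "First pet?", f"pet{i}")

    # Alice on a new kiosk: no cookie, so she gets the question, answers it,
    # receives a cookie and only then sees her image.
    kind, _ = bank.start_login("alice")
    assert kind == "question"
    cookie = bank.enroll_device("alice", "rex", "192.0.2.10", t0)
    kind, image = bank.start_login("alice", cookie)

    # Constructed burst: five different accounts enrolled from one address
    # within nine minutes. The monitoring rule should flag that address only.
    for i in range(5):
        bank.enroll_device(f"user{i}", f"pet{i}", "203.0.113.7", t0 + timedelta(minutes=2 * i))

    return image, enrollment_burst_sources(bank.enrollments)


if __name__ == "__main__":
    print(demo())
```

The thing to notice is that the image check passes in both flows: the bank cannot tell a customer at a kiosk from a relay that just typed in the customer's answer. What it can see is where the enrollments come from, which is why the monitoring side matters more than the picture.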
It's a war of escalation, and banks have to stay ahead.
Security blog
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.