SiteKey sucks  APR 12 2007

I've used Bank of America to do my online banking in the past and their SiteKey "technology" always irritated the hell out of me because it led me to believe that Bank of America thought I was:

a) a criminal

and/or:

b) an idiot

instead of:

c) a customer

The basic idea behind SiteKey is that when you log in to your account, you're shown a photo of, say, an orange kitten before you enter your password so that you know you're not on the site of a phisher who knows nothing about your orange kitten but wants to collect your login info. In addition, the site makes you verify your identity with a security question -- like "what's your favorite food?" -- before using the site from a new IP address, which means if you're on a cable or DSL connection, this happens every couple weeks when your current IP expires...or whenever BofA feels like they should throw up another virtual pane of bulletproof glass between you and your account information. For those who don't fall for phishing scams -- by accessing sites directly through bookmarks or by typing URLs into the location bar -- SiteKey is nothing but an irritant and a deterrent and there's no way to switch it off.

On Tuesday, Christopher Soghoian and Markus Jakobsson published a clever method by which password phishers could get around SiteKey. The method takes advantage of a simple hole in the logic concerning SiteKey...that anyone who knows your account's login name and state of residence can see both your SiteKey image and any challenge questions, no password required. All the phisher has to do is ask for the login name and state of residence, send that info to the BofA site (via a script running on the phisher's machine), get back a security question, display that, send the answer to the BofA site, get back the correct SiteKey image, display that, and collect the person's password, all while presenting a nearly seamless Bank of America-like experience to the user.

Hopefully this gaping monster of a security hole will convince BofA that not only does SiteKey security not work, it's not even security and they'll soon be rid of it.

Update: Here's an even easier SiteKey exploit.

I have your password. I did this with a freakin' Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It's a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don't think this even qualifies as a "hack." I think you should be concerned.

Read more posts on kottke.org about:
bankofamerica   phishing   security

kottke.org

Front page
About + contact
Site archives

Subscribe

Follow kottke.org on Twitter

Follow kottke.org on Tumblr

Like kottke.org on Facebook

Subscribe to the RSS feed

Advertisement

Ads by The Deck

Support kottke.org shop at Amazon

And more at Amazon.com

Looking for work?

More at We Work Remotely

Kottke @ Quarterly

Subscribe to Quarterly and get a real-life mailing from Jason every three months.

 

Enginehosting

Hosting provided EngineHosting