Monday, October 27, 2008

Illusion of Security

Bank of America's SiteKey is vulnerable to a very simple man-in-the-middle attack. Who would've thought? By the way, this is similar to the most elegant way to defeat Captchas (via CodingHorror).

Man-in-the-middle attacks are a simple and powerful concept. As it applies to the two cases mentioned above, the idea is to present the user with the thing that needs cracking (a SiteKey image, a Captcha) under false authority. For Bank of America, it would be a phishing website showing you your own SiteKey; for Captchas, it would be some sort of incentive website that requires the visitor to solve a Captcha (really someone else's Captcha) before viewing the content they asked for.

Pretend that I want to hack into your credit card account. In the good old days, I would send you an email claiming that I, the President of Bank of America, require you to change your password using this link: http://bank0famerica.com. Then I would grab your password out of my website, and use it to log into the REAL http://bankofamerica.com, and I would be rich. Hurray!

Then, Bank of America instituted SiteKey, which is an image and a title that you pick and are shown each time you try to log in to their site. The idea is that my bank0famerica wouldn't know your SiteKey, so when the wrong picture (or no picture) shows up you would immediately unplug your computer to protect yourself from the nasties. (Ignore the fact that most people probably glaze over their SiteKey. These are, after all, the people who have already clicked on a link from an email to do something important, failed to notice the wrong website domain, etc.)

Unfortunately, if I'm going to go through the trouble of setting up bank0famerica, I think I'd figure out in short order how to defeat the SiteKey. Namely, I ask you to enter your online ID, just as BankOfAmerica does, and then forward that ID to the real website. When I get the SiteKey back from the real website, I feed it to the fake page presented to you. The picture and title are the ones you picked, so you conclude it's really BankOfAmerica and proceed to type your password. Nothing in the SiteKey ties it to the site you're actually connected to; it only proves that whoever showed it to you was able to ask the real bank for it.

In fact, the SiteKey is so easily defeated, it may actually be worse for security! I could be convinced that it provides a false security blanket, such that Joe SixPack's one last vestige of alertness was assuaged when the impenetrable SiteKey verified my site as legit.

So, what's the better option? Well, unfortunately, it's a tough balance to strike between user effort and security. Here's a good place to start if you're looking for more on security. I'll be thinking about an easy way to really secure BankOfAmerica, and if genius strikes, I'll be back to post!
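To make the relay from the previous paragraphs concrete, and to show what "better" would have to mean, here is an added toy model. It is not the post's code and nothing in it is Bank of America's actual implementation: the hosts, the customer, the SiteKey, and the shared browser key are all constructed. The first check reproduces the post's point (the relay shows the correct SiteKey because it simply forwards what the real bank returns). The second check is an assumed alternative in which the browser signs the origin it really reached, so a response made on the phishing page cannot be replayed to the real bank; that is the property SiteKey lacks.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the two hosts in the post; not real domains.
REAL_ORIGIN = "bankofamerica.example"
FAKE_ORIGIN = "bank0famerica.example"


class Bank:
    """The genuine site. Knows each customer's SiteKey and (an assumption for the
    contrast below) a per-customer secret that the customer's browser also holds."""

    def __init__(self):
        self.origin = REAL_ORIGIN
        self.sitekeys = {"alice": ("sailboat.png", "Summer 2007")}  # constructed
        self.browser_keys = {"alice": secrets.token_bytes(32)}

    def sitekey_for(self, online_id):
        # SiteKey step 1: whoever supplies a valid online ID is shown the image.
        return self.sitekeys.get(online_id)

    def challenge(self):
        return secrets.token_bytes(16)

    def verify_origin_bound(self, online_id, nonce, response):
        # The bank recomputes the MAC over ITS OWN origin, not over whatever origin
        # the browser talked to, so a response computed over the fake origin fails.
        msg = self.origin.encode() + nonce
        expected = hmac.new(self.browser_keys[online_id], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Relay:
    """The phishing site from the post: every request is forwarded to the real
    bank and every answer is echoed back to the user unchanged."""

    def __init__(self, bank):
        self.origin = FAKE_ORIGIN
        self.bank = bank

    def sitekey_for(self, online_id):
        return self.bank.sitekey_for(online_id)

    def challenge(self):
        return self.bank.challenge()

    def verify_origin_bound(self, online_id, nonce, response):
        return self.bank.verify_origin_bound(online_id, nonce, response)


class Browser:
    """The user's side. It can compare pictures, and it always knows which origin
    it is actually connected to, even when the user never looks at the URL."""

    def __init__(self, online_id, key, expected_sitekey):
        self.online_id = online_id
        self.key = key
        self.expected_sitekey = expected_sitekey

    def sitekey_matches(self, site):
        # The entire SiteKey check: does the picture the site shows look right?
        return site.sitekey_for(self.online_id) == self.expected_sitekey

    def origin_bound_login(self, site):
        # MAC over the origin the browser really reached plus the site's nonce.
        nonce = site.challenge()
        msg = site.origin.encode() + nonce
        response = hmac.new(self.key, msg, hashlib.sha256).digest()
        return site.verify_origin_bound(self.online_id, nonce, response)


def sitekey_demo():
    """Returns (accepted on the real site, accepted on the relay) for SiteKey."""
    bank = Bank()
    alice = Browser("alice", bank.browser_keys["alice"], bank.sitekeys["alice"])
    return alice.sitekey_matches(bank), alice.sitekey_matches(Relay(bank))


def origin_bound_demo():
    """Same pair of results when the login is bound to the connected origin."""
    bank = Bank()
    alice = Browser("alice", bank.browser_keys["alice"], bank.sitekeys["alice"])
    return alice.origin_bound_login(bank), alice.origin_bound_login(Relay(bank))


if __name__ == "__main__":
    print("SiteKey      real/relay:", sitekey_demo())       # (True, True)
    print("origin-bound real/relay:", origin_bound_demo())  # (True, False)
```

The relay never has to break anything; it only needs to be in the middle, which is why the SiteKey check passes on both sites. The origin-bound variant fails on the relay because the one fact the phishing page cannot change is the domain the browser connected to. The cost, as the post notes, is user effort or a browser-held secret, which is the balance that has to be struck.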
