funsec mailing list archives
"A Deceit-Augmented Man In The Middle Attack Against Bank of America's SiteKey ® Service" (seen on slashdot)
From: Paul Vixie <paul () vix com>
Date: Thu, 12 Apr 2007 18:19:55 +0000
We present this demonstration of a "deceit-augmented man in the middle attack" against the SiteKey ® service used by Bank of America (the underlying technology is also used by other companies). This, or a similar attack, could be used by a phisher to deceive users into entering their login details to a fraudulent website.

BoA's own website tells users: "[W]hen you see your SiteKey, you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected." We believe that this statement is not completely true, as our deceit-augmented man-in-the-middle attack shows.

Whereas a normal man-in-the-middle attack identically replicates the attacked site, a deceit-augmented man-in-the-middle attack may present the user with a slightly different user interface than the regular interface. Man in the middle (MiTM) attacks are not a new threat - they have been known about for a number of years, and phishers have already used them to target Citibank and other online banks.

http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
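The quoted text argues that a relayed site can show the user their own SiteKey image, so the image proves nothing about which site the browser is on. The following toy model, added here as an illustration and not code from the linked blog post, from Bank of America, or from the funsec list, makes that concrete from the defender's side: it contrasts a shared-secret image released on the strength of a username with an origin-bound challenge-response (the design used by WebAuthn-style authenticators), where the proof the browser produces includes the origin it actually loaded. The "deceit" part of the attack (the altered interface) is not modelled; only the relay step is. All hosts, usernames, images and keys are constructed sample values.

```python
import hashlib
import hmac
import os

BANK_ORIGIN = "https://bank.example"           # constructed: the real site
LOOKALIKE_ORIGIN = "https://bank-example.net"  # constructed: a look-alike host

# Constructed sample data: the bank's per-user SiteKey image and image title.
SITEKEY_DB = {"alice": ("beach.png", "my holiday")}


class Bank:
    """Model of the genuine site."""

    def __init__(self):
        self.authenticators = {}  # username -> secret held by that user's browser/token

    def sitekey_for(self, username):
        # Released on the strength of the username alone: nothing in this answer
        # depends on which page the user's browser actually loaded.
        return SITEKEY_DB.get(username)

    def register_authenticator(self, username, key):
        self.authenticators[username] = key

    def new_challenge(self):
        return os.urandom(16)

    def verify(self, username, challenge, origin, tag):
        # Origin-bound scheme: the bank accepts only proofs whose embedded origin
        # is its own, so a proof made while looking at another host is rejected.
        key = self.authenticators[username]
        expected = hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()
        return origin == BANK_ORIGIN and hmac.compare_digest(expected, tag)


class Relay:
    """Model of a look-alike page that simply passes each request on to the real site."""

    def __init__(self, bank):
        self.bank = bank

    def sitekey_for(self, username):
        return self.bank.sitekey_for(username)  # the answer is the bank's own

    def new_challenge(self):
        return self.bank.new_challenge()

    def verify(self, username, challenge, origin, tag):
        return self.bank.verify(username, challenge, origin, tag)


def browser_sign(key, challenge, origin):
    """What an origin-bound authenticator does: sign the challenge together with the
    origin the browser observed, which the page itself cannot choose."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


def sitekey_check(site, username, remembered):
    """The user's own check: does the image and title shown match what I picked?"""
    return site.sitekey_for(username) == remembered


def origin_bound_login(site, browser_origin, username, key):
    """Challenge-response in which the proof is bound to the origin the browser saw."""
    challenge = site.new_challenge()
    tag = browser_sign(key, challenge, browser_origin)
    return site.verify(username, challenge, browser_origin, tag)


def demo():
    """Run both checks directly against the bank and through the relay."""
    bank = Bank()
    relay = Relay(bank)
    remembered = SITEKEY_DB["alice"]
    key = os.urandom(32)
    bank.register_authenticator("alice", key)
    return {
        # The image check passes in both cases: it cannot tell the paths apart.
        "sitekey_direct": sitekey_check(bank, "alice", remembered),
        "sitekey_via_relay": sitekey_check(relay, "alice", remembered),
        # The origin-bound proof passes only when the browser is really on the bank.
        "bound_direct": origin_bound_login(bank, BANK_ORIGIN, "alice", key),
        "bound_via_relay": origin_bound_login(relay, LOOKALIKE_ORIGIN, "alice", key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'passes' if ok else 'fails'}")
```

The design point is the one the quoted statement misses: a SiteKey image is something the bank knows about the user, not something that proves the bank is the party the browser is talking to. Only a check whose input includes the observed origin (or, equivalently, the TLS identity of the peer) can distinguish the two paths; for users, that means the browser's certificate and address-bar indicators remain the authoritative signal, not a remembered picture.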