Full Disclosure mailing list archives
Re: Bank of America SiteKeys ineffective?
From: "Mary Landesman" <mlande () bellsouth net>
Date: Fri, 27 May 2005 14:58:00 -0400
Thanks for the clarification. Presumably then, the attackers can't just take the harvested details and login to the accounts; they would have to introduce a next level, i.e. the man-in-the-middle attack described below? I agree that it's not foolproof, but I would think it can help alleviate at least some phishing scams - specifically those that just try to harvest a large number of account details by enticing users to login to fake websites. Stopping some is better than nothing, so long as BoA (and others) view this as one step out of many and not as a silver bullet.
Many people regularly dump their cookies
That's an interesting point. I encourage people not to use cookies to remember their bank login info - particularly those using laptops. Wonder how many will get frustrated by the constant challenge/response, allow the cookie and remembered login, and then have their PC accessed or stolen? I hope they will institute two sets of cookies; one just to remember the machine and a second for the login. This way, you can bypass the more extensive c/r, but still have to supply the standard login credentials to access the account.
training 13 million customers how to inspect their certificates and actually have people look at their certificates is also probably unrealistic.
Yeah. The yellow lock - simple as it seems in principle - is a good example of that problem.
-- Mary
----- Original Message -----
From: "Mike N" <niceman () att net>
To: <full-disclosure () lists grok org uk>
Sent: Friday, May 27, 2005 1:39 PM
Subject: Re: [Full-disclosure] Bank of America SiteKeys ineffective?
From: "Mary Landesman" <mlande () bellsouth net>
Subject: Re: [Full-disclosure] Bank of America SiteKeys ineffective?
From my read of the news.com article and admittedly limited knowledge of SiteKeys, it does not seem to me their intent is to make sure the user knows they are at a legitimate BOA page. Rather, it seems to me the intent is to ensure that if Betty Boop logs into her BOA account, she's doing so from a pre-authorized Betty Boop specified computer.
I found the official press release at http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050526.03.htm

In the press release, one of the 2 key goals is to "Confirm the Web site's validity." From the description, it will do no such thing - it only confirms a possible link from their browser to the BofA web site, not that they are linked correctly and solely to the proper BofA web site.

Even the challenge-response scenario is nearly useless. If for some reason the phisher in the middle couldn't steal the secure cookie and pass it on to the real site, the customer might fall for the challenge-response questions being relayed from the phisher and answer them; the phisher would end up with the challenge-response answer as well as the login. Many people regularly dump their cookies for privacy reasons; those people will become used to seeing the challenge-response and they won't realize they're being taken.

The press release mentions that they are using PassMark http://www.passmarksecurity.com . The PassMark is better than nothing, but doesn't accomplish anything in the end except to make the customer feel better. It's not as effective as inspecting the HTTPS certificate, but training 13 million customers how to inspect their certificates and actually have people look at their certificates is also probably unrealistic.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
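To make Mike's point concrete (that a recognised device cookie shows the bank knows the browser, not that the browser is talking to the bank), here is an added toy model of the flow described in the thread. It is not BofA's or PassMark's code; the cookie format, the signing key, the hostname constant and the "security question" placeholder are all constructed for illustration. The only check in the model that actually binds the session to the intended site is the TLS hostname comparison at the end.

```python
import hashlib
import hmac
import secrets

# Constructed toy model (not BofA's or PassMark's code) of the flow the thread describes.
BANK_HOST = "www.bankofamerica.com"   # host the customer intends to reach
SERVER_KEY = secrets.token_bytes(32)  # constructed bank-side secret for signing device cookies

def issue_device_cookie(username):
    """Bank step: sign a cookie that ties this browser to a username."""
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"

def bank_login_step1(cookie, username):
    """Bank step: a recognised cookie yields the customer's SiteKey image;
    a missing or bad cookie yields challenge questions instead."""
    if cookie and ":" in cookie:
        user, tag = cookie.split(":", 1)
        expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
        if user == username and hmac.compare_digest(tag, expected):
            return {"sitekey": f"image-for-{username}", "challenge": None}
    return {"sitekey": None, "challenge": "security question"}  # constructed placeholder

def forwarding_site_step1(cookie, username):
    """Any site that merely passes the browser's request on to the bank and hands
    the bank's reply back. It holds no secret, yet the bank's answer is identical,
    so the SiteKey image appearing says nothing about which site the browser reached."""
    return bank_login_step1(cookie, username)

def site_validity_from_sitekey(response):
    """The 'validity' signal the press release implies: the image appeared."""
    return response["sitekey"] is not None

def site_validity_from_tls(cert_hostname):
    """The check that actually binds the session to the bank: the hostname in the
    certificate the browser verified matches the host the customer intended to reach."""
    return cert_hostname == BANK_HOST
```

Run side by side, `bank_login_step1` and `forwarding_site_step1` return the same response for the same cookie, while `site_validity_from_tls` is the only function that distinguishes the two cases.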