Bank of America’s SiteKey System is Useless
Anyone who’s a Bank of America customer has probably gone through the process at one time or another. The site loads, you enter your username and state, and you hit “Sign In.” Waiting, waiting, waiting. Ok, next step: do you recognize this image? Huh, yeah, whatever; you enter your passcode and hit “Sign In” again. “Your request is being processed, Please wait…” Am I in yet? Oh, wait, what’s this. An ad? “Not now.” Ok, we’re in….
I wouldn’t have too much of a problem with the Bank of America login system, cumbersome as it might be, because it helps protect my banking information from those ruthless Nigerian phishers, right? Well, no; it doesn’t, actually. As it turns out, the implementation of the SiteKey system is nothing more than smoke and mirrors, or as Steve Gibson puts it, nothing more than a “touchy-feely sort of solution” that will look good in the papers.
According to federal law, any banking institution that wishes to provide an online service for “high-risk transactions involving access to customer information or the movement of information to other parties” must implement two-factor authentication (FDIC). So, what does all that mean? How will users be authenticated?
User authentication can be dealt with in a number of ways, but in order to have any confidence in the security of a system, multi-factor authentication is required. Multi-factor authentication deals with the notion of providing access after at least two of the following have been provided and verified:
- Something you know, like a password, a PIN, or an answer to a question. Please note that, requesting a username and a password still only counts as single-factor authentication.
- Something you have, such as an RSA security token, a credit/debit card, or some other physical device capable of providing some sort of information that only you might have access too.
- Something you are, meaning a fingerprint, a retinal scan, or some other form of biometrics.
Each of the methods mentioned above are quite easily foiled on their own—yes, even biometrics. So, in order to be the least bit sure that the connection between the client and the service is secure, a combination of factors needs to be used.
As it turns out, however, the “two-factor authentication” that Bank of America has implemented on its site is anything but secure; in fact it’s only multi-factor if you tinker with the definition a bit. The entire concept behind the Sitekey theatrics is that you provide the bank with your username and state, which is then used to look up the Sitekey image that you provided them when you set up the account. When this image is then presented to you, the site wants to know if you recognize the image and its corresponding title. If it’s the correct, you enter your passcode and you’re good to go.
The idea is that only the real Bank of America would have the correct image, and that there is no way that a phishing site could possible present you with the correct image. So, if you don’t see or recognize the image, don’t log in; it’s not the real Bank of America site.
Well, that’s not exactly true either; Bank of America might not be the only ones with access to the image. The SiteKey system can be and has been hacked, and it didn’t take MIT graduates to do it. A simple man-in-the-middle attack is all that’s needed to bypass the authentication system and gain access to users’ bank accounts.
Wanna set up your own phishing scheme? Here’s all you have to do: setup a site that looks and feels just like the real Bank of America site, and start attracting visitors; a common way of doing so would be to send out spam designed to look like it came from, say, a Bank of America representative, asking that the recipient please click on a false link (which looks valid) to the banking site to check on some critical information; maybe verify an address, or something like that. Once you get victims to the site, the hard part is already over. Just sit back and wait for the login information to roll on in. When the victim enters in his or her username and state, the fake site will head over to the real Bank of America site to enter in the exact same information, wait for the Bank of America site to present the SiteKey, so that it can be copied and presented to the victim, who will (gladly) validates it and enter the passcode. The fake site then goes back to the real site, enters the passcode and voilà, you’re in! Happy robbing!
Bank of America’s “security” measures have been seriously compromised, and, unfortunately, it doesn’t look like it’s going to change anytime soon. Not only is it broken, but most users probably wouldn’t even notice if the SiteKey image never even came up. According to a fairly recent MIT study, 97% of those tested went ahead and entered in their passcode even though the SiteKey image wasn’t present. Only two people had the presence of mind to realize that maybe, just maybe, there might be a security concern. So, if you don’t want to set up a complex system to check back and forth with the real banking site, just omit the image and simply have the victims enter the login information for your later use (and then, maybe, direct them to a page reading “OWN3D!!!” or something like that to rub it in).