[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Bank of America SiteKeys ineffective?

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Bank of America SiteKeys ineffective?
From: "Mike N" <niceman@xxxxxxx>
Date: Fri, 27 May 2005 13:39:03 -0400

From: "Mary Landesman" <mlande@xxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Bank of America SiteKeys ineffective?

>From my read of the news.com article and admittedly limited knowledge of
SiteKeys, it does not seem to me their intent is to make sure the user
knows  they are at a legitimate BOA page. Rather, it seems to me
the intent is to
ensure that if Betty Boop logs into her BOA account, that she's doing so
from a pre-authorized Betty Boop specified computer.

I found the official press release at

http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050526.03.htm

In the press release, one of the 2 key goals is to "Confirm the Web site's validity." From the description, it will do no such thing - it only confirms a possible link from their browser to the BofA web site, not that they are linked correctly and solely to the proper BofA web site.

Even the challenge-response scenario is nearly useless. If for some reason the phisher in the middle couldn't steal the secure cookie and pass it on to the real site, the customer might fall for the challenge-response questions being relayed from the phisher and answer them; the phisher would end up with the challenge-response answer as well as the login. Many people regularly dump their cookies for privacy reasons; those people will become used to seeing the challenge-response and they won't realize they're being taken.

The press release mentions that they are using PassMark http://www.passmarksecurity.com .

The PassMark is better than nothing, but doesn't accomplish anything in the end except to make the customer feel better. It's not as effective as inspecting the HTTPS certificate, but training 13 miillion customers how to inspect their certificates and actually have people look at their certificates is also probably unrealistic.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Bank of America SiteKeys ineffective?
  - From: Mary Landesman

References:
- [Full-disclosure] Bank of America SiteKeys ineffective?
  - From: Mike N
- Re: [Full-disclosure] Bank of America SiteKeys ineffective?
  - From: Mary Landesman

Prev by Date: Re: [Full-disclosure] Not even the NSA can get it right
Next by Date: [Full-disclosure] [SECURITY] [DSA 730-1] New bzip2 packages fix file unauthorised permissions modification
Previous by thread: Re: [Full-disclosure] Bank of America SiteKeys ineffective?
Next by thread: Re: [Full-disclosure] Bank of America SiteKeys ineffective?
Index(es):
- Date
- Thread