
Photos to Fight Phishing?

In a bid to stave off phishing attacks, Bank of America is offering a new service that allows online customers to verify that they are indeed at the bank's official site by displaying an image that the customer supplies in advance.

The free service, called SiteKey and developed by Passmark Security of Redwood City, Calif., lets customers pick any image they have, then write a brief phrase and select three "challenge questions." When the customer next visits and enters a username, clicking on the SiteKey button displays their chosen image, embedded in the bank's site. Customers are prompted to answer one of the challenge questions if they want to access their account from a different computer.

I wrote about Passmark in a story back in March on the fledgling industry springing up to help banks and e-commerce companies quash phishing scams.

Bank of America says it has the most online banking customers of any bank in the nation -- roughly 13.2 million of them. But that magnitude has also made it an attractive target for phishing attacks. Just last month, the company was the victim of a particularly sneaky exploit that leveraged a design flaw in to redirect victims to an identical but fake site operated by scammers waiting to steal login data.

Bank of America spokesperson Betty Riess said the company plans to introduce SiteKey in Tennessee in mid-June, with other states joining the roll-out over the following few months. The service is voluntary, but Riess said the company plans to make it mandatory for all online customers sometime this fall. If so, it would be the first major U.S. bank to require such customers to use something other than a username and password to access their accounts online.

In a related development, security researchers at the University of California at Berkeley are backing a new extension for the Mozilla Firefox Web browser that would do essentially the same thing as SiteKey, except that it would theoretically allow Firefox users to log in at multiple secure Web sites with the same image.

By Brian Krebs  |  May 26, 2005; 6:30 PM ET
Categories:  Fraud  


Will this cost extra for Bank of America customers?

Posted by: Robert | May 27, 2005 3:51 PM | Report abuse

Unlikely. They likely have most customer photos already--mine's on my debit card--so it won't cost much in labor or equipment to get photos for all online banking customers. The cost to implement the system would be offset (at least) by the costs associated with phishing.

Posted by: Katherine | May 27, 2005 4:53 PM | Report abuse

What a GREAT idea! I wish they'd all do this!

Posted by: Earthquake McGoon | May 31, 2005 10:33 AM | Report abuse

Katherine.. you misunderstand what the app does.. it uses a generic picture that you choose.. you then enter a phrase that you choose relating to the pic..

your phrase could be anything. this essentially matches the phrase which could be anything, with the pic that you've chosen... it might be a pic from 100s of pics..

this is actually a lot stronger than the normal password, given that users have a difficult time selecting really hard to guess passwords...


Posted by: bruce | June 1, 2005 10:55 AM | Report abuse

I have extensively researched SiteKey on behalf of a competitor bank, and can say with certainty: SiteKey is NOT a solution to the problem of phishing and account hijacking.

How it Works:
SiteKey is essentially a collection of functions that integrate with a merchant's existing login system and customer database to enhance the login process. It is designed to retrieve data from, and write data to, a user's computer, then compare this retrieved information with data contained in the merchant's customer database. As such, it is not actually performing website authentication. It is enhancing the merchant's existing login process by including additional image/message data.

SiteKey uses the merchant's existing customer Login IDs and integrates with the merchant's existing login system and customer database. Since one customer's login ID at one merchant may already be in use by a different customer at a different merchant, SiteKey users will find themselves being required to (a) register for a login ID at every merchant they wish to authenticate, and (b) create different login IDs for different merchants if their desired login IDs are found to be already in use by someone else. Also, merchants who do not presently use a login system would be unable to implement SiteKey without first installing some form of a login system with an underlying customer database to store the login IDs and corresponding SiteKey data.

Security Issues:
Storing this image/message data within the merchant's customer database presents huge security issues since the secret image/message information is directly tied to the merchant's customer records. In the event of a data theft from ANY SiteKey-equipped merchant, ALL SiteKey-equipped merchants who use this solution would find themselves at risk because the customers of the victimized merchant may have registered with them as well. If they have, they would likely have registered the same SiteKey images and messages. Even if the customer's images and messages were different between merchants, the stored Device ID would be the same since it is the unique identifier for the customer's computer. This creates a common data thread between otherwise isolated and dissimilar merchant database records which a phisher could exploit.

As a solution to the problem of phishing, this type of site-by-site, data-driven approach is fundamentally flawed. The FDIC has determined that the problem of phishing results from a fundamental inability of website owners to authenticate themselves to their customers in such a way that cannot be replicated by phishers. The SiteKey approach can be replicated in its entirety by a phisher, targeting the common customers of all merchants who use SiteKey, using data stolen from just one careless SiteKey equipped merchant.

Why Challenge Questions?
The purpose for the 3 challenge questions has to do with the fundamental structural problem of the SiteKey approach. SiteKey is dependent on retrieving a "Device ID" from, and writing it to, a user's computer. When Bank of America's customers enter their Login ID, the SiteKey functions attempt to retrieve this "Device ID" from, or write it to, the customer's computer. If successful, the bank then locates the customer record in their database and compares the retrieved Device ID with the Device ID stored in the customer database record. If they match, the bank proceeds to display the image data from the customer record to the customer and waits for their password. If, however, a customer is logging in to their bank account from a different computer, or sitting behind a firewall that prohibits such interaction with their computer, or has turned off the ability to accept cookies, certificates, etc., then no Device ID will be retrieved by the bank website. In this case, the bank prompts the customer with one or more of the 3 challenge questions and, if answered correctly, proceeds.

Needless to say, this is a clumsy and inconvenient process. Many customers will be subjected to questioning every time they attempt to log in to their bank account because of their computer environment, browser configuration, firewall, other external environment variables, or simply because they have not elected to turn on this option. Business customers who typically sit behind firewalls and other security screens that prohibit remote web-scripting of data to their company computers will be particularly inconvenienced. Also, in addition to their multiple Login IDs and passwords, users must now remember the answers to 3 additional questions which may vary from merchant to merchant. Finally, if a careless merchant's customer database is stolen or accessed by unauthorized personnel, the thief now has three additional pieces of personal information for each customer, in addition to the compromised Device ID and other SiteKey and customer data. With this information, the thief will be able to launch a phishing attack against the common customers of ALL SiteKey equipped merchants using the Device ID as the data field "in common". As a result, to protect their customers, if one SiteKey equipped merchant's customer database is compromised, all SiteKey equipped merchants will be forced to prompt their customers to change their images, questions, and answers if they are also a customer of the compromised merchant.

Our Findings
SiteKey is a two-factor, two-way enhanced login solution that does not address the underlying problems of phishing. Rather, SiteKey enhances the existing login process and relies on storing to (and retrieving from) a user's computer a "device ID, stored in multiple simultaneous ways including cookies, shared objects, and client side certificates." This device ID is verified using a "battery of real-time heuristics, including device forensics, network forensics, behavioral analysis, and secondary authentication." If a user accesses a SiteKey protected website from a different computer, the absence of the stored device ID results in one of several challenge questions which the user must answer correctly to proceed. The SiteKey process is also tied to a specific website's login system and customer database in a one-to-one, site-by-site relationship. A user must therefore register for a Login ID at each and every website that they wish to authenticate using SiteKey and must hope that their desired Login ID is not already registered on that website by another user. Because the SiteKey Device ID is directly tied to specific user account information, and would be the same at all SiteKey equipped merchants, disclosure or theft of any SiteKey-equipped merchant's customer database will compromise the SiteKey data for all other SiteKey-equipped merchants who may have customers in common with the compromised merchant. Implementing SiteKey requires installation, modification or maintenance of a database located on the merchant's server and integration with an existing login system. Support requirements would be considerable and would involve supporting the merchant's existing login process, their internal database, SiteKey processes, and configuration issues arising from browser, network, operating system, certificates, and other external factors that may interfere with the retrieval of the Device ID.

Source: "Press Release", Bank of America website, cfm?PressID=press.20050630.05.htm [], June 30, 2005.

Source: "5 minute audio briefing", PassMark SiteKey website, [], July 11, 2005.

Source: "Putting an End to Account-Hijacking Identity Theft", Report of the Federal Deposit Insurance Corporation - Division of Supervision and Consumer Protection Technology Supervision Branch, December 14, 2004.

Posted by: Researcher | July 20, 2005 6:54 PM | Report abuse
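The login sequence the post describes (Login ID, then image and phrase, then password) and that the Researcher comment walks through in more detail (Device ID lookup with a challenge-question fallback), modelled server-side as an added example in Python. This is not Passmark's or the bank's code; the customer record, the salt, the hashing of challenge answers and the random per-enrolment Device ID are assumptions made here.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT = "constructed-salt"  # constructed; a real deployment would salt per record


def _hash(secret: str, salt: str = SALT) -> str:
    """Salted hash of a secret, normalised so 'Rex' and ' rex ' compare equal."""
    return hashlib.sha256((salt + secret.strip().lower()).encode()).hexdigest()


# Constructed sample customer record (assumption: merchant DB keyed by Login ID).
CUSTOMERS = {
    "alice": {
        "device_ids": {"dev-7f3a"},        # tokens previously written to her browsers
        "image": "lighthouse.jpg",         # image she picked at enrolment
        "phrase": "fog on the coast",      # phrase she wrote for that image
        "challenges": {"First pet's name?": _hash("Rex")},
        "password_hash": _hash("correct horse"),
    }
}


def sitekey_step1(login_id: str, cookie_device_id: Optional[str]) -> dict:
    """Login ID entered: show the image if the browser's Device ID is known, else ask a question."""
    rec = CUSTOMERS.get(login_id)
    if rec is None:
        return {"action": "deny"}  # unknown Login ID: nothing to display
    if cookie_device_id and any(hmac.compare_digest(cookie_device_id, d) for d in rec["device_ids"]):
        return {"action": "show_image", "image": rec["image"], "phrase": rec["phrase"]}
    # No or unrecognised Device ID (new computer, cookies off, firewall): challenge fallback
    return {"action": "challenge", "question": next(iter(rec["challenges"]))}


def sitekey_answer(login_id: str, question: str, answer: str) -> dict:
    """Correct answer: show the image and enrol a fresh random Device ID for this browser."""
    rec = CUSTOMERS[login_id]
    expected = rec["challenges"].get(question)
    if expected is None or not hmac.compare_digest(expected, _hash(answer)):
        return {"action": "deny"}
    new_id = secrets.token_hex(16)  # random per enrolment, stored beside the record
    rec["device_ids"].add(new_id)
    return {"action": "show_image", "image": rec["image"], "phrase": rec["phrase"], "set_cookie": new_id}


def sitekey_step2(login_id: str, password: str) -> bool:
    """Only after the customer has seen their image does the password get submitted and checked."""
    return hmac.compare_digest(CUSTOMERS[login_id]["password_hash"], _hash(password))
```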

The Sitekey service does not cost extra for Bank of America customers. I personally welcome the additional security. The points that "Researcher" make above are true of any user managed credential system, but Sitekey does put Bank of America ahead of its competitors in terms of authentication security.

Posted by: Louie | December 19, 2005 7:24 PM | Report abuse

I just received an email from Bank of America announcing this service. That would be great were I a customer, but I'm not. And I have to tell you that the email looks very, very legitimate, save for the fact that my email address didn't appear in the To: line. The real question is where will the hypertext link take me to. So, be careful.

Posted by: Arlen | December 31, 2005 12:35 PM | Report abuse

Katherine, it is clear as a user that your comments on the SiteKey system are completely unfounded. I spent 4 hours looking through pictures just to see what they had. I must have seen thousands of pictures all of which were unique to me.

I also have an account here with TechCu which is a local Credit Union that also uses a Passmark system and I was interested to see that they had what looked like a completely different set of pictures and questions than Bank of America.

Personally I like the system and given the problems I have had with my RSA key fob breaking or losing its screen I am glad that the banks are not going this way. After all it ever was is a fancy password and I have read enough to know that those can be hijacked easily.

Posted by: brent | February 9, 2006 3:59 AM | Report abuse
