Scams Target Latest Upgrades in E-Banking Security
Financial institutions across the country are scrambling to meet a Dec. 31 deadline set by banking industry regulators to have security processes in place for online banking that go beyond simply requiring customers to enter a user name and password. While some of the protections being adopted should help people feel more confident about online banking, there are signs that criminals already are adapting their techniques to defeat those measures.
Some institutions, such as Citibank, have chosen to require certain online customers to use a supplied token in addition to their user name and password. This approach generally relies on a small device that generates an additional password that changes every minute or so. Yet, a high-profile attack Security Fix detailed in July shows that this method is reliable only so long as phishers don't also ask the user to enter the token-generated password.
Other financial institutions are adopting variations of a "challenge/response" type technology, an approach that relies in part on requiring the user to supply the answer to a prearranged secret question if the customer is logging in from an Internet address that the bank doesn't recognize.
Bank of America was one of the first major institutions to adopt such technology with PassMark Security's SiteKey," which displays a picture of the customer's choosing when he or she goes to log in to their account. If the system detects that the user is not logging in from their normal PC, the image is not displayed and the customer is asked to provide the answer to one of their pre-selected questions, such as "What is your mother's maiden name," or "What was your first pet's name?" The idea is that even if the bad guys manage to swipe the victim's login credentials, they will be unable to log in to a bank account without the answer to the victim's secret question.
But challenge/response measures suffer from the same flaw as physical tokens: They work only if the bad guys don't somehow trick the user into entering that information at counterfeit scam sites. Take, for example, a phishing e-mail from earlier this week targeting Bank of America customers with the usual message urging the recipient to "update their account information," in this case due to a supposed "server update" by the bank.
Users who click on the included link are brought to a page that prompts the visitor to reset their account data by supplying their "old" password and user name, as well as their "previous" two SiteKey questions and answers.
This phishing scam highlights an inherent weakness in the challenge/response approach; namely, that in the name of security customers are being asked to provide even more personal information about themselves in order to bank online.
This particular attack isn't new. According to Rich Miller, an analyst with Web site monitoring firm Netcraft.com, this same exact scam has been spotted no fewer than 53 different times since July on Web servers based in China, so there is little doubt that phishers are experiencing some success with this scam.
Finally, I remarked a couple of days ago that it would be interesting to compare the results of the anti-phishing technology built into the latest releases of both Microsoft's Internet Explorer 7 and Mozilla's Firefox 2.0 browsers. When I visited this particular site in Firefox, I received a pop-up alert from Netcraft's anti-phishing toolbar, but also from Firefox, which flagged the scam site as a "suspected web forgery" and included links I could click on to earn more about phishing scams. When I visited the Bank of America scam site in IE7, I received no such alert.
Posted by: James B. | October 27, 2006 8:40 AM | Report abuse
Posted by: James | October 27, 2006 8:45 AM | Report abuse
Posted by: Anonymous | October 27, 2006 9:01 AM | Report abuse
Posted by: Bk | October 27, 2006 9:18 AM | Report abuse
Posted by: Troy | October 27, 2006 9:48 AM | Report abuse
Posted by: Anonymous | October 27, 2006 10:23 AM | Report abuse
Posted by: Anonymous | October 27, 2006 12:39 PM | Report abuse
Posted by: antibozo | October 27, 2006 1:44 PM | Report abuse
Posted by: David | October 27, 2006 2:17 PM | Report abuse
Posted by: King | October 27, 2006 2:33 PM | Report abuse
Posted by: To King | October 27, 2006 2:55 PM | Report abuse
Posted by: NoVA | October 27, 2006 3:29 PM | Report abuse
Posted by: BoA ha! | October 27, 2006 7:14 PM | Report abuse
Posted by: Anonymous | October 28, 2006 2:43 AM | Report abuse
Posted by: Anonymous | October 29, 2006 10:54 AM | Report abuse
Posted by: david a galler | October 29, 2006 2:26 PM | Report abuse
Posted by: DaveWest | October 29, 2006 5:28 PM | Report abuse
Posted by: J. Warren | October 30, 2006 9:13 AM | Report abuse
Posted by: Harry Hudson | October 30, 2006 12:16 PM | Report abuse
Posted by: Gary Beal | October 31, 2006 12:46 AM | Report abuse
Posted by: Shira Rubinoff | October 31, 2006 1:20 PM | Report abuse
Posted by: Who is Hahleq | November 2, 2006 11:21 PM | Report abuse
Posted by: antibozo | November 3, 2006 8:09 AM | Report abuse
Posted by: Frank Liddy | November 20, 2006 1:14 PM | Report abuse
Posted by: Jason | December 8, 2006 8:45 PM | Report abuse
The comments to this entry are closed.