Research Suggests Weakness in Anti-Phishing Technology
Security experts have warned for some time now that certain anti-online-fraud technology deployed by many major financial institutions may be lulling online banking users into a false sense of protection. Today, two university researchers released a demo in an attempt to prove that point.
In response to an explosion of "phishing" scams uncovered in recent years and to growing pressure from banking industry regulators, a number of financial institutions -- including Bank of America -- have rolled out services that try to provide additional assurance that an Internet customer is visiting a legitimate banking institution's Web site, not some look-alike fake. Among the most widely adopted of these is a technology called "SiteKey," which industry giant RSA Security acquired last year through its acquisition of PassMark Security Inc.
SiteKey allows banks to display a personal image of the customer's choosing when the customer logs in to his or her online banking account. In the event that a customer tries to log in from a public computer or one whose Internet address the bank has never seen associated with that user's credentials, SiteKey prompts the user for the answer to one of several pre-arranged "security questions."
The trouble with this approach, as Security Fix reported last year, is that it assumes a phishing site will not be able to act as the "man in the middle" -- in other words, that the criminals can't figure out a way to intercept and relay the user's special image or security questions to and from the legitimate banking site.
To prove their point, two researchers from Indiana University have released a proof-of-concept program to demonstrate how phishers might act as the man in the middle to defeat SiteKey's protections.
In a video showing how such an attack could be executed, doctoral student Christopher Soghoian and Indiana University professor Markus Jakobsson explain how the program would work against Bank of America's (BoA) SiteKey implementation:
"We prompt the user for her name + state of residence. That information is then sent by our server, not the user's computer, to BoA. We pass on the security question BoA asks to the user, and then send the user's response back to BoA. The bank replies by giving us the SiteKey image and the SiteKey caption. With that in hand, we're able to convince the user that we're the legitimate BoA website, and can then prompt the user for her login password, login to BoA's site, and from there, we'd have complete control over their online banking session. It is important to note that the user never directly connects to BoA, nor does the bank ever communicate directly with the user. Each party believes that we (the would-be phisher) are in fact the legitimate other end of the login session (either the user, or the bank)."
Because the attackers in this example would be logging in from an Internet address never used before by the would-be victim, it would prompt Bank of America to challenge the user to answer their secret question, which the researchers showed could also be relayed.
"Through deceit, we are able to convince the user to enter her security question, and thus get the SiteKey image. There are plenty of ways to convince her to answer the question - the elevated orange terrorist threat level, increased security requirements due to Internet fraud, or data loss by BoA's own systems. For instance, the attackers might then prompt the user: 'Due to increased security requirements, we will ask you to answer a security question at every future login attempt. Thank you for helping to make Bank of America the nation's most secure online bank.'"
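An added example (not the researchers' proof-of-concept or any bank's code) modelling the exchange described above: a toy bank in Python hands its SiteKey image to whoever answers the security question, so a relay sitting between user and bank completes the login, while a hypothetical origin-bound login, in which the browser signs the hostname it actually connected to, fails through the same relay. All hostnames, addresses, keys and credentials are constructed.

```python
import hashlib
import hmac

BANK_HOST = "bank.example"         # constructed hostnames
SPOOF_HOST = "bank-login.example"  # the relay's look-alike host

class Bank:
    """Toy bank: SiteKey image + security question, and an origin-bound login."""
    def __init__(self):
        self.user = {"image": "sailboat.jpg", "caption": "my boat", "answer": "rex",
                     "password": "hunter2", "device_key": b"constructed-device-key"}
        self.known_ips = {"198.51.100.7"}  # address previously seen for this user
        self.nonce = "n-1234"              # constructed; would be random per login

    def start(self, ip):
        # Unknown address: ask the security question before showing the image.
        return None if ip in self.known_ips else "What was your first pet's name?"

    def answer_challenge(self, answer):
        # A correct answer releases the image and caption to whoever asked.
        if hmac.compare_digest(answer, self.user["answer"]):
            return self.user["image"], self.user["caption"]
        return None

    def login(self, password):
        return "session" if hmac.compare_digest(password, self.user["password"]) else None

    def login_bound(self, tag):
        # The bank checks a signature over ITS OWN hostname and the nonce.
        expected = browser_sign(self.user["device_key"], BANK_HOST, self.nonce)
        return "session" if hmac.compare_digest(tag, expected) else None

def browser_sign(device_key, host_seen, nonce):
    # U2F-style binding: the browser signs the origin it actually connected to.
    return hmac.new(device_key, f"{host_seen}|{nonce}".encode(), hashlib.sha256).hexdigest()

def relay_sitekey_login(bank):
    """Every SiteKey message passes through a relay, so the image says nothing
    about which host the user is connected to; returns True if login succeeds."""
    if bank.start("203.0.113.9") is None:     # relay's address, never seen before
        return False
    if bank.answer_challenge("rex") is None:  # user's answer, forwarded by relay
        return False
    return bank.login("hunter2") == "session" # password, forwarded by relay

def bound_login(bank, host_seen):
    """Origin-bound login from a browser that sees host_seen; a relay forwarding
    the tag fails because the browser signed SPOOF_HOST, not BANK_HOST."""
    tag = browser_sign(bank.user["device_key"], host_seen, bank.nonce)
    return bank.login_bound(tag) == "session"
```

The point of the comparison is that the image is a shared secret any intermediary can obtain by relaying, whereas a response bound to the origin the browser sees cannot be forwarded usefully.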
Louie Gasparini, chief technology officer for RSA's Site to User Authentication group, said the Indiana University researchers' example overlooks a number of back-end technologies that financial institutions use to detect fraudulent transactions.
"What they're critiquing is just the most visible piece to this technology," Gasparini said. "There is a whole bunch of risk management and fraud detection that goes on behind the scenes so that even if a user's account does get compromised, the bank can still protect that person."
SiteKey and other user-authentication technologies have been a favorite target of Bruce Schneier, chief technology officer for BT Counterpane. Schneier agreed that while these systems can be spoofed, most scammers are liable to avoid institutions that use it. That is, he said, until a more critical mass of banks move to adopt the technology.
"If you're a criminal, you're going to go after the low-hanging fruit, the banks who aren't using this stuff," he said. "When everyone starts using this, the bad guys will change their techniques. So, this isn't going to solve the phishing problem indefinitely, but for now it will help move things around a bit."
The single most reliable way to protect yourself from falling victim to phishing scams is to never click on links that arrive via e-mail or instant message prompting you to log in to your bank account. Online banking users should type the address of their bank into a Web browser window, and then bookmark that address for future use. In addition, both the Internet Explorer 7 and Firefox 2.0 Web browsers include technology that can help alert users if they wind up at a phishing Web site.
April 10, 2007; 10:01 AM ET
Categories: Fraud , From the Bunker , Safety Tips