Challenge/Response Labs Publications

Why SiteKey Can't Save You
WhySiteKey-20060824.pdf (164KB)
August 24, 2006
Abstract: SiteKey shows web banking customers a "secret image" - a little icon of a mandolin or a coffee mug or something else - that only the customer and the bank are supposed to know. Customers of SiteKey-using banks are told that if their correct secret image appears on a purported bank web page, they can be sure that they are connected to the bank's real web site, and can safely enter passwords and other secrets. However, criminals who can write simple server software, or who hire someone to write such software, can create fake bank web sites that look just like the real thing, and that display correct, "secret" SiteKey images to unsuspecting victims. If you are an online banking customer, this means that even if you see your personal SiteKey image on a web page, the page may not be legitimate. When entering your password or answering a security question, picture or not, you could be giving away secrets to an overseas crime ring, rather than logging on to a bank account. A bank using SiteKey is no less secure than any other online bank - it's just not appreciably more secure than the others. Never let your guard down just because you see your correct, personal SiteKey image.

Fraud Vulnerabilities in SiteKey Security at Bank of America
SiteKey-20060718.pdf (376KB)
July 18, 2006

Abstract: Possible improvements are proposed, though the accompanying discussion argues that the single-ended authentication used by SiteKey and other systems is not a sufficient deterrent to phishing or other online frauds. Also included is a brief summary of a discussion between the author and representatives of Bank of America and RSA Security regarding the paper and the bank's overall approach to customer safety and security. This report does not provide source code or detailed instructions about carrying out the described attacks.

Challenge/Response, LLC is a creator of software that tracks and prevents online fraud, and supports safe e-commerce.