Challenge/Response Labs Publications

Abstract
This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been simplified, and some new material is presented.

SiteKey shows web banking customers a "secret image" - a little icon of a mandolin or a coffee mug or something else - that only the customer and the bank are supposed to know. Customers of SiteKey-using banks are told that if their correct secret image appears on a purported bank web page, they can be sure that they are connected to the bank's real web site, and can safely enter passwords and other secrets.

However, criminals who can write simple server software, or who hire someone to write such software, can create fake bank web sites that look just like the real thing, and that display correct, "secret" SiteKey images to unsuspecting victims.

If you are an online banking customer, this means that even if you see your personal SiteKey image on a web page, the page may not be legitimate. When entering your password or answering a security question, picture or not, you could be giving away secrets to an overseas crime ring, rather than logging on to a bank account. A bank using SiteKey is no less secure than any other online bank - it's just not appreciably more secure than the others. Never let your guard down just because you see your correct, personal SiteKey image.

Abstract
The SiteKey anti-phishing system used by Bank of America and other financial institutions is susceptible to a real-time exploit in which an attacker can create a fake web page that includes a victim's correct, secret SiteKey image, text phrase and challenge questions. This paper discusses the customer-facing implementation of SiteKey as seen from a web browser, the reasons for its vulnerabilities, the risks posed by its design and by its persistent storage of a security-weakening token, and the means by which those vulnerabilities could be exploited.

Possible improvements are proposed, though the accompanying discussion argues that the single-ended authentication used by SiteKey and other systems is not a sufficient deterrent to phishing or other online frauds. Also included is a brief summary of a discussion between the author and representatives of Bank of America and RSA Security regarding the paper and the bank's overall approach to customer safety and security. This report does not provide source code or detailed instructions about carrying out the described attacks.