NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0143 "Man In The Middle" Technique Defeats SiteKey Security at Banks:


Sitekeys, which financial institutions have recently embraced as a way of thwarting phishing attacks, allow customers to select an easily recognizable image that is displayed on login pages; however, a researcher has shown how a 130-line Ruby script can largely neutralize the protective measure by employing a classic man-in-the-middle (MITM) technique. For example, when a Bank of America (BofA) user accesses an account using a computer that has never before visited the site, the online ID and account location are the only pieces of information requested. When those fields are entered, BofA responds with a preset security question, such as, "What city was your high school in?" Only after the question is answered correctly is the visitor taken to a page bearing the image, or sitekey, and a prompt to enter an account password. A page that asks for a password but does not show the image can be assumed to be a forgery.

Christopher Soghoian, the Indiana University graduate student who created an online generator for fake airline boarding passes, demonstrated how a spoofed BofA page can prompt the visitor for the online ID and state and then transmit them to the real BofA site. When BofA responds with the security question, the phishing site relays it to the visitor and then sends the answer back to the bank. BofA then provides the phisher with the user's sitekey, which is then affixed to the spoofed page requesting the password.

"Just because you see your Sitekey/Passmark image, or Yahoo personalized sign-in seal, you should still be careful," Soghoian writes. "Those security schemes, alone, are not enough to protect your security online." A recent study also found that 92% of participants entered account passwords even when the required sitekey was missing.

(www.theregister.co.uk 12APR07)
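The relay flow described in the advisory, modelled as an added example (not part of the advisory, the Register article, or Soghoian's script): a bank that releases the sitekey only after the security question, a lookalike site that forwards every step unchanged, and a user who follows the "no image, no password" rule. The account record, domain names and device key are constructed; the `origin_bound` variant is an added, WebAuthn-style mitigation in which the browser MACs the origin it actually connected to, so a login forwarded from another origin is refused before the question or image is ever released.

```python
import hmac, hashlib
# Constructed sample data; the account, domains and device key are placeholders.
ACCOUNTS = {"alice": {"state": "CA", "answer": "springfield",
                      "sitekey": "red-kayak.png", "password": "hunter2"}}
DEVICE_KEYS = {"alice": b"per-device-secret"}  # only the hardened bank checks it
BANK_ORIGIN = "bank.example"

def sign(online_id, origin):
    """Browser side: MAC the origin it is actually connected to (WebAuthn-style idea)."""
    return hmac.new(DEVICE_KEYS[online_id], origin.encode(), hashlib.sha256).hexdigest()

class Bank:
    """ID+state -> security question; right answer -> sitekey; then password."""
    origin = BANK_ORIGIN
    def __init__(self, origin_bound=False):
        self.origin_bound, self.verified = origin_bound, set()
    def start_login(self, online_id, state, origin, tag):
        acct = ACCOUNTS.get(online_id)
        if acct is None or acct["state"] != state:
            return None
        if self.origin_bound and (origin != BANK_ORIGIN or
                not hmac.compare_digest(tag, sign(online_id, origin))):
            return None  # browser was not talking to the bank directly
        return "What city was your high school in?"
    def answer_question(self, online_id, answer):
        if answer != ACCOUNTS[online_id]["answer"]:
            return None
        self.verified.add(online_id)
        return ACCOUNTS[online_id]["sitekey"]  # image released after the question
    def check_password(self, online_id, password):
        return online_id in self.verified and password == ACCOUNTS[online_id]["password"]

class Relay:
    """Lookalike site: forwards each step to the real bank unchanged."""
    origin = "bank-login.example"
    def __init__(self, bank):
        self.bank, self.captured = bank, {}
    def start_login(self, *a): return self.bank.start_login(*a)
    def answer_question(self, *a): return self.bank.answer_question(*a)
    def check_password(self, online_id, password):
        self.captured[online_id] = password  # what the relay ends up holding
        return self.bank.check_password(online_id, password)

def user_logs_in(site, online_id, state, answer, password):
    """The article's user rule: type the password only if the sitekey is shown."""
    tag = sign(online_id, site.origin)  # browser signs the origin it sees
    if site.start_login(online_id, state, site.origin, tag) is None:
        return False
    if site.answer_question(online_id, answer) != ACCOUNTS[online_id]["sitekey"]:
        return False
    return site.check_password(online_id, password)
```

Against the plain `Bank()`, `user_logs_in(Relay(Bank()), ...)` succeeds and the relay's `captured` dict holds the password, because every check the user and the bank make is satisfied by forwarded data; against `Bank(origin_bound=True)` the same relay is refused at `start_login`, since the forwarded MAC covers the lookalike origin rather than the bank's.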



Last Modified: Sunday, 29-Apr-2007 14:47:16 EDT