Study Finds Bank of America SiteKey is Flawed

Hemos posted more than 7 years ago | from the trying-something-new dept.

Security 335

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they login, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."

335 comments

Flawed system or flawed usage? (5, Interesting)

stillachild (1057156) | more than 7 years ago | (#17890106)

Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.

Re:Flawed system or flawed usage? (2, Insightful)

jsnipy (913480) | more than 7 years ago | (#17890134)

Agree. This could be said about anything where users do not pay attention or bother understanding.

Re:Flawed system or flawed usage? (2, Interesting)

pyite (140350) | more than 7 years ago | (#17890406)

In my experience with the technology, websites do not adequately explain what it is you're doing and why. I have what is probably an above average information security background and I found myself confused at points. It's a stupid idea only further hampered by the fact that it's not explained well, all because the banks are too cheap to give people one time password tokens. While OTP tokens don't eliminate problems, they are a lot more useful than random images displaying. In addition, in the case of SecurID, they're tied to time and would be of limited use for phishing attacks.

Re:Flawed system or flawed usage? (5, Interesting)

russ1337 (938915) | more than 7 years ago | (#17890510)

>>>"In my experience with the technology, websites do not adequately explain what it is you're doing and why"

I'm a B of A customer, and I thought it was made pretty clear about how the sitekey worked - so did my wife (as non-technical as she is). If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

Also, I don't think I'd be logging into my BofA account on someone's strange computer that was 'set-up' for me... fear of keyloggers and all that.

Re:Flawed system or flawed usage? (4, Informative)

monkeydo (173558) | more than 7 years ago | (#17890798)

If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

Did you read the paper? The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness. This group did just as badly as the others.

Re:Flawed system or flawed usage? (3, Interesting)

delinear (991444) | more than 7 years ago | (#17890730)

In my experience with the technology, websites do not adequately explain what it is you're doing and why.

The fault here doesn't lie just with the websites. As someone involved in implementing e-commerce websites, numerous user focus groups and usability analysis sessions indicate that people just wouldn't read the information even if you did bother to provide it, and moreover they'd see it as off-putting and a detriment to using the site (I'm talking about the majority of users here, by the way, but it's not something limited to technical know-how either as many tech-savvy folk believe they don't need to read the instructions and just wade in).

There is no easy answer here other than keeping the whole thing as simple as possible and incrementally adding measures which are as intuitive as possible until users become aware of and used to them, then adding more.

Re:Flawed system or flawed usage? (2, Insightful)

SNR monkey (1021747) | more than 7 years ago | (#17890256)

The website seemed pretty clear to me. Right under the login section is a line that says "Where do I enter my passcode?" Clicking on it reveals the text:

We are changing the way you sign in to Online Banking to better safeguard the privacy and security of your personal information. Previously, you signed in to Online Banking using your Online ID and Passcode. From now on, you'll also use your SiteKey. Here's how this new service will work:
You'll enter your Online ID and click the Sign In button.
On the next page, your SiteKey will then be displayed. If you recognize your SiteKey, you'll know you can safely enter your Passcode. If you don't recognize your SiteKey when you sign in, don't enter your Passcode.
Your personalized SiteKey helps you know for sure that you are at the valid Bank of America site.


NOTE: If you have not yet created your personalized SiteKey, you will be prompted to do so before you can sign in to Online Banking.

I guess it is too long of an explanation. It probably needs to be prefaced with something eyecatching, like big bold text that reads "If you don't read this and fall for a phishing scheme, then you're too stupid to use a computer"

Re:Flawed system or flawed usage? (4, Insightful)

Znork (31774) | more than 7 years ago | (#17890534)

"If you don't read this..."

Actually, I'd suggest 'if you read this and believe this in any way makes you safe from phishing you should take your banking offline'.

This scheme is worthless. Once the user enters his username the bank discloses the picture. There's nothing stopping a phishing site or trojan from immediately using the username to obtain the correct picture and displaying it to the user. I.e., the explaining text should say 'if you recognize your SiteKey you still have no idea whether or not it's safe to enter your passcode'.

Whoever thought this up obviously missed a few computer security classes.

Re:Flawed system or flawed usage? (4, Insightful)

UnknowingFool (672806) | more than 7 years ago | (#17890426)

Nope, it's clear, but I fear users are oblivious. That's why Vista's annoying security notifications will not be as effective as MS would like them to be.

Allow TakeControlComputer.exe to run?

"Yes, quit bothering me. How do I turn that off? Let me google it."

Re:Flawed system or flawed usage? (1)

dfn5 (524972) | more than 7 years ago | (#17890482)

Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.

You give users too much credit. The fact of the matter is that people are idiots. It's one thing for people not to recognize <a href="http://200.200.200.200/accountbalance">http://www.bankofamerica.com/accountbalance</a> in their email. But for someone to go through the trouble of picking out a picture and then summarily dismiss it says moron to me.

Re:Flawed system or flawed usage? (1)

TechnoLust (528463) | more than 7 years ago | (#17890536)

"67 BoA customers...of the 60 that got that far" So 7 people couldn't even get to the sitekey? (I'm a BoA customer, the site key is the second step of the login process, after entering your username or SSN on the main page.)

Re:Flawed system or flawed usage? (5, Insightful)

bjourne (1034822) | more than 7 years ago | (#17890560)

It was not too hard to guess that that would be the very first response to this article. It is very typical for techies to expect users to use the system as the system was designed. That is not what happens in the real world. The usage of the system is equivalent to the system itself. If the usage of it is flawed, then the system, too, is flawed.

Many systems require you to change your password once a month or more often. Of course, the password must not be based on an English word and must contain both uppercase and lowercase letters and digits. Is it then a user failure when every other user forgets their password? No! It is the system that is faulty.

Therefore Bank of America's system is faulty, most password based systems are in fact faulty. It is not an acceptable excuse to put the burden on the user. It is a cop out. We are techies, we should make stuff work. It is our job.

Silly System (0)

Anonymous Coward | more than 7 years ago | (#17890582)

Why are so many people acting like the users are stupid here?

I have an ING Direct account, and use it once a month for bills - that's it. Forgive me if I can't remember that two months ago some website showed me a picture of a duck and the phrase "three penny milk".

Lack of explanation, and technically poor. (2, Insightful)

raehl (609729) | more than 7 years ago | (#17890604)

My bank started doing this. The way I was introduced to it is when I logged in they asked me to select a picture and then pick a label for it. There was no explanation whatsoever.

Now, like most Slashdot readers, I'm a tech guy, but I didn't know what they were trying to do. My GUESS was that they were going to have me enter in the caption each time I logged in as a sort of separate password. It wasn't until I read some news article about it much later that I understood what the point of it was. I can't imagine your average user would have any idea either.

But, lack of explanation aside, the 'solution' is technically useless as well. So when I go to log in you display a picture and I have to not enter my password if my picture doesn't show up. But *ANYONE* trying to log in gets to see that picture. So all you've done is add a little work for the phishing site - when they're pretending to be the bank, they just have to go to BoA's site and start your login process and Bank of America will kindly display the picture that the phishing site needs to show you to make you think the phishing site is legitimate. If anything, this makes the phishing site look *MORE* legitimate. "Well, this site looks fishy, but it's got my photo, so there must not be a problem."

Yahoo has a better system - they show you a captcha you've picked, and they explain what it is, AND they only show it to you if you're logging in from a computer you've registered to see the captcha. Doesn't help you when you're not at your home computer, but works for most people most of the time and is thus an improvement without any drawbacks.
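
The disclosure problem Znork and raehl describe above (the image is handed to anyone who submits the username) and the registered-computer variant raehl attributes to Yahoo, as an added sketch that is not from the thread and is not Bank of America's, PassMark's or Yahoo's code. The function names, the token format and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment would load it from a key store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample account: the personal image and caption chosen at enrolment.
ACCOUNTS = {"alice": {"seal": "duck.png", "caption": "three penny milk"}}


def _mac(username: str, device_id: str) -> str:
    """HMAC binding one device to one account (length prefix avoids ambiguity)."""
    msg = f"{len(username)}:{username}:{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_token(username: str, device_id: str) -> str:
    """Issued once, after the user has proven identity some other way,
    and stored on that computer (for example as a long-lived cookie)."""
    return f"{device_id}.{_mac(username, device_id)}"


def token_valid(username: str, token) -> bool:
    """True only for a token this server issued for this username."""
    if not token or "." not in token:
        return False
    device_id, mac = token.rsplit(".", 1)
    expected = _mac(username, device_id)
    return hmac.compare_digest(mac.encode(), expected.encode())


def login_step_one(username: str, device_token=None) -> dict:
    """Decide what the page after the username prompt may show.

    The image is disclosed only to a registered device. An unknown username
    and an unregistered device get the same answer, so this step reveals
    neither the image nor whether the account exists.
    """
    account = ACCOUNTS.get(username)
    if account is not None and token_valid(username, device_token):
        return {"show_seal": True, "seal": account["seal"],
                "caption": account["caption"], "next": "password"}
    return {"show_seal": False, "seal": None,
            "caption": None, "next": "verify_device"}


if __name__ == "__main__":
    home_pc = issue_device_token("alice", "home-pc")
    print(login_step_one("alice", home_pc))   # registered computer: image shown
    print(login_step_one("alice"))            # any other client: nothing disclosed
```

This only stops the image being handed to every client that knows the username; software running on the registered computer can still read it. It does nothing about users who enter their password when the image is absent, which is what the study measured.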

Re:Flawed system or flawed usage? (5, Insightful)

Tom (822) | more than 7 years ago | (#17890726)

Rule #1 of user interface design: The user is always right. If he does something wrong, thank him for pointing out a flaw in your interface.

Re:Flawed system or flawed usage? (1)

FuzzyDaddy (584528) | more than 7 years ago | (#17890754)

I use BOA to do my online banking. The problem is, users expect to see instructions when they call up the website. So it's great when the page loads up, shows the sitekey, and then says "always make sure the site key is there". However, a phishing site could say "use of the site key has been discontinued", or simply omit the sitekey, and the user would then proceed anyway. It's part of the "don't read the manual" mentality, whereby we all expect to figure things out from the context. Hence, we have no expectations how something SHOULD look, which is why the sitekey is not generally effective.

I like the sitekey concept (I'm paranoid enough to use it properly, I think), but it goes against how we've been trained to use computers - which is to say, we expect to be told how to do something when it's time to do it.

Re:Flawed system or flawed usage? (0)

Anonymous Coward | more than 7 years ago | (#17890760)

The system is pretty badly flawed, even if the user does everything correctly. I don't have time to give a detailed analysis, but here are some points. First of all, the flow of the login is a little confusing, especially since it is different if you are on a PC that you haven't used before with the system. The BoA homepage won't let you connect via SSL. (Yeah, everything gets encrypted before you send, but it would be better to allow users to start off with https://bankofamerica.com/ ) The secret questions are pretty easy to guess, and the answers aren't hidden as you type them in anyway. The system does little to protect you from a man-in-the-middle attack if you end up at a phishing site -- all they have to do is prompt you for a secret question instead of showing you your "sitekey", and then they are as good as in. I also don't like having session information stored on my computer via the Macromedia flash objects. There are some other issues that I don't recall offhand.

I think Bank of America could have found a much better system than the Passmark Sitekey junk.

This could be solved... (5, Insightful)

Gnissem (656009) | more than 7 years ago | (#17890108)

If BofA periodically did not show the image and then warned the user they had made a mistake by entering their password, users would soon be trained to look for the image. Setting up a security system once and then not reinforcing it periodically so that users take it seriously is the problem.

Re:This could be solved... (1)

aadvancedGIR (959466) | more than 7 years ago | (#17890394)

In theory, I could agree, but I don't think it will actually work.
People want to access your site now and once in a while, you tell them "don't login now because we are doing an exercise, but if you login anyway, we will simply tell you it is bad before providing you the service", many people will simply choose to knowingly login because they trust their bookmark to link to the valid URL.

Re:This could be solved... (1)

Deathlizard (115856) | more than 7 years ago | (#17890460)

you could train this until the cows come home and people will still do it.

At this point, computer exploitation has been in the news for almost a generation now, and people to this day still don't protect themselves against malware or inform themselves about scams. Hell, Windows screams at you if you don't have protection and still people run unprotected, although it doesn't help much when MS scares people away from updating their OS with their Genuine Advantage program.

I'm a staunch believer of the 1% rule, which is 99% of computer users don't know what they are doing. Based on this study, I would call this probably in the margin of error, since 3.3% actually knew what they were doing. Of course with a bigger sample size, that value will most likely drop closer to the 1%.

Re:This could be solved... (1)

SomeWhiteGuy (920943) | more than 7 years ago | (#17890476)

This would also cause mass confusion to those that don't know about the procedure. Take my grandmother for instance. Once her password was rejected on the bank website which initiated a call to myself, my sister, then the bank themselves. When I arrived home her caps-lock was on. This simple "Sorry Wrong Password" or even "You need to look for a SITEKEY idiot!" would prompt many people to swamp phonelines asking what the deal is. Let's just face the fact that stupid users will always get around great security and do things wrong.

Newflash! (4, Insightful)

SNR monkey (1021747) | more than 7 years ago | (#17890112)

Enhanced security measures thwarted by stupid users. More at 11!

It seems like most security systems based on users not being idiots are doomed to fail. Phishing attacks work because people don't follow normal security procedures, making the authentication process longer/more involved for the user seems to be an inherently flawed idea because it trusts the user to know what is best for him/her.

Re:Newflash! (1)

UbuntuDupe (970646) | more than 7 years ago | (#17890208)

Right, but they didn't simulate a phishing attack in the experiment. Rather, the customer initiated the visit. To simulate a phishing attack, they should have had the users check their email, rather than initiate a visit to their bank's website.

Re:Newflash! (1)

morgan_greywolf (835522) | more than 7 years ago | (#17890450)

E-mails are not necessarily the sole source of phishing attacks. I seem to remember an attack that involved a piece of malware that changed the user's proxy settings to a proxy that could serve up phishing pages for certain sites. And if I'm not remembering it and it's just an idea I had, then it isn't long before someone does it for real.

Re:Newflash! (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17890228)

Yeesh, you gotta love IT people. Any wonder why the rest of the company is happy to see your jobs packed off to India?

Have you ever seen how that SiteKey thing works? It's hardly a "normal security procedure".

Re:Newflash! (4, Insightful)

gsslay (807818) | more than 7 years ago | (#17890326)

The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority. Here it was the people who led them into the room and stood about with clipboards. People are used to being told what to do by other officious looking people.


On a website all it needs is an official looking statement at the top of the phishing page that says "We are sorry, but our image security is broken just now, please log in as normal while we fix it, thank you." People are used to being told that computer systems are down and they should manage as best they can while they're repaired.


You simply can't regulate for people not willing to think for themselves.

Re:Newflash! (4, Interesting)

Tom (822) | more than 7 years ago | (#17890686)

The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority.

Nonsense. We ask people to do things we can't expect them to - understand networking security. What we instead should do - and have been failing to for years - is build systems that are actually useable by human beings with little or no special computer knowledge. Or, if that is impossible (and the proof for that is still out!), insist on basic training as a prerequisite for letting people go online, much like a driving license.

Why is SSL accepted and widespread and PGP isn't? Because PGP requires people to deal with things they don't understand like fingerprints, keylengths and all that other technical stuff. SSL doesn't. If there's a yellow lock icon in the status bar, everything is good, otherwise something is wrong. That's the level that normal people deal with and it's not a fault of them.

You and I are the same, in areas we didn't study. What would you think if your doctor required you to understand every medical detail of that operation you need before he does it? You trust him to know his shit, that's what you pay him for, right?

It's time we earn our pay.

And I speak as a professional security guy. "User education" has failed because we tried to bring users to a high level of technical knowledge, instead of bringing the technical knowledge required down to their level.

Re:Newflash! (1)

Bozdune (68800) | more than 7 years ago | (#17890794)

You missed his point completely. Check out the "Milgram Experiments" (http://en.wikipedia.org/wiki/Milgram_experiment).

Re:Newflash! (1)

Tom (822) | more than 7 years ago | (#17890614)

Phishing attacks work because "security procedures" aren't.

You have formal and informal security. Formal security is long, complicated and tedious. I've yet to see it being used anywhere outside the military. Informal security works for normal people, but it is inherently flawed.

The problem isn't the user. The user is entirely himself. The problem is that we have no way to verify remotely that indeed he is he. All the additional bells and whistles are simply to cover up that simple fact. It's just another level of indirection, see RFC 1925.

Re:Newflash! (1)

pkulak (815640) | more than 7 years ago | (#17890638)

It's not users being idiots, it's users having other priorities. I bet there's an automotive forum somewhere that has a thread of people complaining about how the general population is too stupid to notice slight pinging in their engine on acceleration and realize that the timing is off. It probably has 1,000 replies like "If people are too dumb to figure these things out, they shouldn't be driving." But you know what, I bet if my car started pinging, I wouldn't notice and after a couple months like that I may blow up my engine, or whatever bad happens in that circumstance. Why? Because I'm a geek and my car is just a tool. I want it to work so I can focus on what's actually important to me. That doesn't make me an idiot.

Re:Newflash! (1)

Skater (41976) | more than 7 years ago | (#17890764)

So do you change the oil in your car regularly? How do you know to do that? Hmm...you learned to take care of your car. You want to avoid worrying about it, yet you took the time to learn how to take care of it. Isn't that interesting?

Besides, you should notice a weird noise that your engine is making - you might not know what it is, but why would you ignore it instead of getting it checked?

This is kind of the same thing, to me - people should take some time to understand the security of what they're doing. They don't have to be Bruce Schneier (spelling?), but a few hours isn't going to hurt and may actually help them in the long run. When I do something new, I take a little time to learn about it before diving in.

Sensationalist headline... (2, Insightful)

spicyjeff (6305) | more than 7 years ago | (#17890118)

The SiteKey isn't flawed, the people are.

Re:Sensationalist headline... (1)

Pandaemonium (70120) | more than 7 years ago | (#17890328)

Yes- precisely. This is an education issue, which cannot necessarily be blamed on BoA. Instead, they need to now recognize that their users are not fully understanding this technology, and assist them in understanding phishing. It's not just a consumer issue- it removes money from legitimate hands and from a functioning economy. (heh.).

Re:Sensationalist headline... (5, Insightful)

jalefkowit (101585) | more than 7 years ago | (#17890454)

The SiteKey isn't flawed, the people are.

People are, by definition, flawed. Any security system that is predicated on this changing sometime soon is broken.

Re:Sensationalist headline... (0)

Anonymous Coward | more than 7 years ago | (#17890464)

No person is perfect, nor is any system perfectly secure. Online banking is, always has been and always will be, a bad idea. Such has been proven many times over and will be again. Laziness and greed are both directly responsible for its use and promotion. Not claiming expertise here, just observation and rational critically applied thought to come to my opinion of the facts as I know them. There have already been a lot of hits on the banking system and people's accounts, it's possible that in the near future there will be a huge programmed hit on banks' online systems throwing them into chaos. It might even start a war. Being as many of you support yourselves in this field and many more of you transact business online I guess I should sign this:

--Chicken Little--

Re:Sensationalist headline... (1)

gsslay (807818) | more than 7 years ago | (#17890542)

People are an integral part of the SiteKey system, it's pointless without them. If their flaws are not removed by the total functionality of the system, then the system is flawed.

Not that I think anything will ever be able to claim 100% success in this. But arguing it's not a problem with SiteKey, but with people, is kind of like making a powertool for three hands then arguing it's a people problem that no-one can use it correctly. You knew before you started people's limitations.

I wouldn't say that it is flawed..... (1)

danrik (568865) | more than 7 years ago | (#17890128)

Just that the users are flawed, and need to be better educated. I think it is an excellent tool, and I make damn sure that I verify my sitekey before I enter my password. No matter how clever your schemes are, if the users are too clueless or apathetic to make use of them, they will be ineffective.

meh - controlled environment? (5, Insightful)

hashmap (613482) | more than 7 years ago | (#17890150)

1. go to an unusual place,

2. sign an agreement form,

3. follow instructions that say: "Log into your account"

4. you're aware that people are watching you and will analyze what you did

whatever results they get do not prove anything other than:

People placed in an unfamiliar, controlled environment with Harvard scientists ogling at them will not check the security image.

h

Re:meh - controlled environment? (2, Insightful)

seanadams.com (463190) | more than 7 years ago | (#17890202)

Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all.

Biased sample? (5, Insightful)

ArsenneLupin (766289) | more than 7 years ago | (#17890700)

Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all.

You may be on to something here. Maybe most people who they did ask refused to participate... phearing that the entire experiment might be a setup trying to get at their banking passwords.

The few that did participate were either excessively trusting or clueless, making them more likely to not worry about the missing image either.

In a word, they used a biased sample.

Re:meh - controlled environment? (1)

spurdy (590954) | more than 7 years ago | (#17890296)

I have to agree. If I participated in such a study, I would assume that the system was secure and would go ahead and login, even if things don't look like normal. To assume otherwise, you'd have to think the researchers were trying to scam you, and if I thought that, I wouldn't participate in the first place.

Re:meh - controlled environment? (1)

aadvancedGIR (959466) | more than 7 years ago | (#17890490)

He! I didn't realize it until I saw your post, but this is a great phishing technique, using fewer targets but with an exceptionally big hit ratio: just pretend to be a scientist doing research on security and ask all the participants to enter their passwords.
It may not work in the long run, but it could definitely work.

Re:meh - controlled environment? (1)

UbuntuDupe (970646) | more than 7 years ago | (#17890576)

You know, that made me think about another way the results are biased:

Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person 1: What? Are you insane? No way!
Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person 2: Um ... no?
Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person 3: Sure, how much are you paying?
Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person 4: Hey, whatever.
Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person 5: OOOOH! Sounds like fun!
Scientist: Alright, the three of you come with me.

Re:meh - controlled environment? (1)

dcavanaugh (248349) | more than 7 years ago | (#17890756)

Ah yes, the good old "Help us with a security study" scam. Perhaps you even get a free iPod for participating. All it takes is a fancy domain name, like nationalcenterforbankingsecurity.org. It would probably work much better than the unimaginative phishing tactics that are commonly used today.

For as long as I can remember, the concept of spelling and grammar remains a central weak point of spammers. I sometimes wonder how much of the spam and phishing problem could be defeated by automated spelling/grammar checking.

Re:meh - controlled environment? (0)

Anonymous Coward | more than 7 years ago | (#17890724)

Yeah. It would be a lot better if they used some technology to watch over your shoulder at your home or place of business without you knowing it. All in the name of security.

Seriously, at least they are questioning the effectiveness of this and not just taking the bank's word for it.

They use SSN for login name (0)

Anonymous Coward | more than 7 years ago | (#17890156)

This from a site that uses SSN for a login is completely shocking! Shocking I tell you!

Re:They use SSN for login name (1)

OldeTimeGeek (725417) | more than 7 years ago | (#17890292)

Um, no they don't. Maybe one of the banks that NationsBank acquired before BofA had used one and they've chosen to retain it, but my long-standing BofA account's login isn't a SSN and never has been.

It works for me... (3, Insightful)

John.P.Jones (601028) | more than 7 years ago | (#17890168)

You can lead a horse to water but you can't make them pay attention to security concerns...

The BofA login is helpful to me, I fully expect to see my login token when I login to my account and would not login if I didn't see it. Some people won't pay attention and there isn't ANYTHING that BofA could do to prevent that (that isn't outrageously inconvenient for me.)

Re:It works for me... (1)

NtroP (649992) | more than 7 years ago | (#17890514)

I fully expect to see my login token when I login to my account and would not login if I didn't see it.

I agree. I also like the images being there when I log in. That being said, I have a dozen other accounts that do NOT have this - instead just have either the normal username/password pair or sometimes just username, with password being prompted for on another page, but no pictures (I have no idea why).

Although I take security very seriously and almost never go to my banking sites when I'm not on my own computer, clicking on my own bookmarks, on a non-IE browser -- I'd have to admit that I might not notice it was missing either. If you put me in a different place, on a different computer, allowed me to type in my BofA URL, hijacked DNS and sent me instead to your impostor site and just gave me the standard username/password bit and left the Image off, I may not remember that BofA had a sitekey. If ALL my other accounts had one, I'd be alerted, right away to its being missing. As it is now, when I click on BofA, I often go "Oh yeah, I have to watch for my picture...". I usually don't remember it until AFTER they ask for it.

I don't think SiteKey is flawed on its own, I just think it would be more effective if 1) more sites used it and 2) you could upload your own picture (so they'd all be the same, or at least recognizably one you took, etc.) - If not, I'd NEVER remember what my picture was supposed to be. Without logging in to BofA, I couldn't tell you what the picture is. I've changed it a couple of times. But I'd know it if I saw it :-)

Security Only as Good as People who use them (1)

creativity (885623) | more than 7 years ago | (#17890182)

The premise of the study being people enter the passwords even if they do not see the image is dumb. That's like saying I buy top of the line RSA encryption but provide others my key, or I buy a safe and do not lock it. If people are stupid enough to enter passwords on public terminals without even using the most primitive security systems they deserve to be robbed. The BOA system is primitive but depends on people using some common sense. Having said that, I am not a big fan of captcha-like security systems: install a trojan, monitor the images for a month, ship it back to the mother ship and lo and behold you have a phishing site personalized just for you.

Cookies (1)

joeware (672849) | more than 7 years ago | (#17890186)

> The banks often drop a small software program, called a cookie, onto a user's PC to associate the computer with the customer.

Since when are cookies software programs? I wish the media would stop perpetuating misinformation about cookies.

SiteKey is not to protect customers (4, Insightful)

sexyrexy (793497) | more than 7 years ago | (#17890188)

It's to protect Bank of America from liability. If someone's account integrity is compromised due to phishing, the bank's ass is covered - they implemented a two-way authentication, the user just chose to ignore it (after indicating they read and understood the terms and function of the SiteKey)

Re:SiteKey is not to protect customers (1)

darkrowan (976992) | more than 7 years ago | (#17890304)

*DING DING DING* And we have a winner. Sitekey is more about CYA than security. This study only proves that to be the fact.

Re:SiteKey is not to protect customers (1)

edunbar93 (141167) | more than 7 years ago | (#17890632)

You underestimate the power of stupidity. This study only proves two things that those in the security biz already knew: 1) users don't give two shits about security, and 2) users are the weakest link in the security chain.

Study concept seems lacking (1, Insightful)

reyalpdemannu (1054910) | more than 7 years ago | (#17890192)

So they brought 60 people into a room, told them to use their bank account, and then got surprised when they actually did?
I am going to bring 60 people into a room, present food to them and tell them to try it, and then publish a study about how they failed to notice the lack of a Health Department certificate in my building. Then I'm going to write into Slashdot about it.
In my mind, there is a better way to conduct a study about banking security than to bring in 60 people and instruct them that the entire purpose of their visit is to log in to their bank account when they sit down.
But I, for one, welcome our SiteKey overlords.

People are not "Flawed" (4, Insightful)

jmagar.com (67146) | more than 7 years ago | (#17890222)

Those of you stating that the problem is with the users are somewhat mistaken. At some point we as an industry are going to have to get more professional and stop blaming the users for all of the system problems. Let's take a new approach: include this requirement in your designs: A user may not understand the whole system, much in the way that you don't understand all the inner working of your automobile. A user of the system is not required nor expected to understand how it works.

Now, go forth and design systems that work, instead of blaming your design failure on the user.

Re:People are not "Flawed" (1)

Aladrin (926209) | more than 7 years ago | (#17890392)

I can see both sides of this. Providing the pics enables customers to guarantee their security. But the very kind of attack this is meant to prevent can very easily get around it by simply not displaying the 'if you don't see the picture' text and picture at all.

So the challenge is to come up with a solution that requires the user to react properly and cannot be faked by a man-in-the-middle attack.

This solution obviously doesn't work. A captcha obviously doesn't work, as criminals can simply decode those by eye/hand. Slower, but possible.

So what WOULD work? I can't think of anything except forcing the customer to call a phone number and tell them the IP they will be coming from. Maybe there's a crypto way to send information and have the IP as a vital part of that information, so man-in-the-middle doesn't work?

Sounds to me like SSL is just about as good, as it already warns the user that the other side is or isn't who they claim to be.

Re:People are not "Flawed" (1)

jmagar.com (67146) | more than 7 years ago | (#17890716)

If you care to ensure that the system is secure then you should really use best practices: Key Fob [wired.com]

RSA login fobs have been around for many, many years, and I am not aware of a better system.

People ARE "flawed" (0)

Anonymous Coward | more than 7 years ago | (#17890496)

If someone doesn't bother to learn how to drive a car, and drives it off a cliff because they didn't know where the brake was, guess what? It's the person's fault, not the car's. These banks have built in a security feature, and if people don't actually read and learn to use it, it is their fault.

Ok. (0)

Anonymous Coward | more than 7 years ago | (#17890528)

any suggestions? how do you ensure users only login to your site, and not one designed to look like yours? This design was created not to help the bank compute its interest for all of its accounts faster, but to try and help users make better judgments.

My idea? I think they should give up on HTML web based UIs. People click on links from any sort of untrusted source and then login. If you had greater control, by making all of the interactions take place through a separate application outside of the browser, you would have more control and protection for your users. No web interface at all. Two phase authentication required. Use public, private key combos. It would be less convenient as you couldn't do banking from your neighbor's computer or what not, but you really shouldn't be doing online banking on untrusted computers anyways.

Re:People are not "Flawed" (1)

chinton (151403) | more than 7 years ago | (#17890552)

Yes they are. Right below my SiteKey is the following instruction:

If you don't recognize your personalized SiteKey, don't enter your Passcode.

What the heck else is BofA supposed to do if their users cannot follow the most basic instruction? This has nothing to do with knowing the inner workings of your automobile or BofA's system. They don't have to. They need to be able to read and follow a simple instruction (which was explained fully when they set up their SiteKey to begin with).

Re:People are not "Flawed" (1)

Daemonstar (84116) | more than 7 years ago | (#17890694)

The problem isn't that that users "don't understand all the inner workings" of the site (because they probably shouldn't), it's that they can't follow security (or operational) procedures.

People are expected (and required) to pass a test given by the State to see if they can safely operate a vehicle. They're not required to change oil, swap out spark plugs, or install a sound system. They're supposed to already know how to get in, start the vehicle, put on safety belts, and operate the vehicle according to law. This includes not leaving the keys in the vehicle and locking the door (yes, some States have traffic laws against leaving your keys in your vehicle and not locking your vehicle).

545.404. UNATTENDED MOTOR VEHICLE. An operator may not leave the vehicle unattended without:
(1) stopping the engine;
(2) locking the ignition;
(3) removing the key[0] from the ignition;
(4) setting the parking brake effectively; and
(5) if standing on a grade, turning the front wheels to the curb or side of the highway.

Acts 1995, 74th Leg., ch. 165, 1, eff. Sept. 1, 1995.

People should know how to operate the computer and use web sites (operational and security), but not necessarily "understand all the inner workings" of the PC or website. Basic security should be known by the computer operator; failing to take appropriate security precautions (seeing if the image was there in this case) is the fault of the user. If it was a flaw in the site, then that's one thing, but this security procedure required the vigilance of the operator.

No security is perfect (door lock, captcha, AACS, etc.) because there is always a way around it, usually people.

Re:People are not "Flawed" (1)

ei4anb (625481) | more than 7 years ago | (#17890710)

if "you don't understand all the inner working of your automobile" then you must be new here.

Can't it be thwarted anyway? (0)

Anonymous Coward | more than 7 years ago | (#17890226)

Couldn't a phisher just set up a proxy to the Bank of America site? Then they could provide the proper identification image, and still steal their log in information from them.

BoA poor implementation (1)

redelm (54142) | more than 7 years ago | (#17890242)

BoA relies upon persistent cookies to determine whether to send the sitekey image. If you don't have that cookie (clear or other machine), you have to enter your passwd to get the sitekey. Rather ridiculous, but they don't want to be trolled for keys.

Re:BoA poor implementation (0)

Anonymous Coward | more than 7 years ago | (#17890414)

This is not correct. In case the cookie is not found, you're prompted to answer a security question. If you answer correctly, you are still prompted for your regular password on a page that shows your sitekey.

Re:BoA poor implementation (1)

skis (920891) | more than 7 years ago | (#17890630)

If you don't have the cookie, it has you answer your secret question. After that it will bring up the SiteKey page where you enter your password.

You really expect security from these people? (1)

basketcase (114777) | more than 7 years ago | (#17890250)

Let me get this straight...
They grabbed a bunch of BofA customers and convinced them to do routine banking functions using their bank accounts IN FRONT OF STRANGERS and you really expect them to be concerned about security? They already gave up any chance at being secured when they agreed to participate.

This is like asking if you can study someone's ATM usage by looking over their shoulder and then telling them they failed because you now know their PIN number.

not the most useful study (1)

jdwclemson (953895) | more than 7 years ago | (#17890258)

First of all, the behavior people display during a study would be highly skewed from normal day to day behavior. To really make a determination of this, something less deliberate would need to be done. Most people in this study would go ahead just for the purpose of being agreeable. I know I would be hesitant to screw over a Harvard study if I was participating in it. On another note, I have many times wondered what would prevent a phishing site from asking bank of america for the site key based upon the entered SSN. How can bank of america know the phishing site from the user?

Re:not the most useful study (1)

Liselle (684663) | more than 7 years ago | (#17890448)

How can bank of america know the phishing site from the user?

I hate to defend SiteKey, because it's a piece of shit, but BoA knows the user from the phishing site because any time a new IP address tries to access the image, the authentication does not include the SiteKey picture and instead asks the usual security questions.

Of course, BoA may have screwed the pooch on this one as well, so you never know.

Fishy? (1)

gEvil (beta) (945888) | more than 7 years ago | (#17890260)

The error message also had a conspicuous spelling mistake, further suggesting something fishy,.

I'm beginning to wonder if this article actually appears on the NYTimes website...

As a BOA customer... (1, Informative)

porkThreeWays (895269) | more than 7 years ago | (#17890270)

I can say sitekey is the most useless piece of junk meant to make my life harder. It's one of those pieces of security that sound good to PHB's but is retarded in practice. Other banking notables? Linking your ip address to your bank account and activex controls that won't let you in until it's verified you have antivirus software installed. Get with the program guys. Half baked schemes to make online banking "safer" rarely do so and in many cases make it less safe.

Give me an online banking system with a good old fashioned username and password and I'm set.

Re:As a BOA customer... (1)

WhiteKnight07 (521975) | more than 7 years ago | (#17890780)

"Give me an online banking system with a good old fashioned username and password and I'm set."

In that case give Washington Mutual a try. I've been using their online banking for several years now. All it asks for is a user name and password. Although if you get your password wrong 3 times it locks your account and you have to physically go to the bank to unlock it. Rather annoying but at least I know my account won't be brute forced. Their site even plays nice in Seamonkey/Firefox on Linux.

Re:As a BOA customer... (2, Interesting)

Rodness (168429) | more than 7 years ago | (#17890790)

I wholeheartedly agree. I am also a BofA customer, and while I have enjoyed a great banking experience with them, the SiteKey thing managed to piss me off. A year ago when they rolled out this crap and I was forced to sign up for it, I ranted on my blog about it. Here's an excerpt:

Bank of America has unrolled this stupid SiteKey thing, which just doesn't benefit the consumer much. It seems to be a way for them to have more plausible deniability without actually taking on any responsibility.

The idea is that you choose a little picture for your account, and the website saves a cookie on your computer. If you try to log into your bank account, and your browser has a valid cookie, the website will show your SiteKey picture.

If you recognize your SiteKey, you'll know for sure that you are at the valid Bank of America site. Confirming your SiteKey is also how you'll know that it's safe to enter your Passcode and click the Sign In button.

If you don't have a cookie then you're prompted with personal challenge questions that you have to answer in order to see your SiteKey picture. At that point if the right SiteKey picture shows up, you "know it's safe" to enter your actual password.

If I connect from a new computer, I basically have to enter a challenge response (password) before I can enter my password. It's simply a way for the bank to prove that they're the legitimate site, and that I'm not being phished. It doesn't actually authenticate me to the bank in any stronger way, since if an attacker knew the challenge answers and my password, he can still log in as me from anywhere. Granted, now he has to know more information, but it doesn't put it outside the realm of possibility. There will still be idiots who get phished and happily input their challenge, ignore the bogus SiteKey, provide their real password, and then find out all their money has been harvested away.

What really bothers me about it is that they're making it look like they care about security, but this is just another way for them to force the vigilance onto the consumers while providing themselves more loopholes to escape liability. It's another hoop that the consumer has to jump through, but it doesn't increase the responsibility on the bank's side of things. We need our government to make the financial institutions liable when their systems are exploited, instead of allowing them to blame the consumers, many of whom just aren't geeks and simply don't know any better. When it's an economic problem for the banks, then it will matter to them.

The Real Question is... (4, Informative)

Expertus (1001346) | more than 7 years ago | (#17890302)

when will these 'researchers' be arrested for pointing out flaws in a security system?

Seems like they missed the point... (0)

Anonymous Coward | more than 7 years ago | (#17890332)

Agreed that the problem with this study was the users and the setting, not that part of BofA's system, but the system certainly seems flawed in another fundamental way. I'm surprised the study didn't primarily focus on that.

All a site has to do is fetch your "sitekey" and present it to you no? And it makes phishing attacks even more legitimate seeming.

Specifically:
1. User gets lured into phishing attack, goes to fake BofA site
2. User enters username
3. Phishing site takes username, enters it in real BofA site, gets SiteKey
4. Phishing site presents SiteKey to faked out user and collects password... done...

Seems very lame. Sure, there are IP address issues for the phishers but they could spread out the load using a farm of IPs.

Anyway, this study makes me think that you combine a basic (very basic) bit of security into a site and people suddenly think it's foolproof. I think the banks are just going to have to consider using two-factor auth a little more.

The best solution I've seen is. (1)

oliverthered (187439) | more than 7 years ago | (#17890334)

My banking site only asks a password and part of a second password (e.g. the 5th, 3rd and 7th letters); that way, if a phisher grabs part of the password, they can't use it to log in on the real site, as it will probably ask for a different combination of letters.
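How well the partial-password scheme in the comment above resists replay of captured letters can be computed exactly. This is an added example, not part of the comment or any bank's code; the 8-letter second password, the 3 positions per challenge and the uniformly random, independent challenges are assumptions.

```python
"""Replay risk for a 'partial password' login challenge (added example)."""
from fractions import Fraction
from math import comb

# Assumed parameters (not stated in the comment): an 8-letter second
# password, 3 positions requested per login, each challenge drawn
# uniformly at random and independently of earlier ones.
PASSWORD_LENGTH = 8
POSITIONS_PER_CHALLENGE = 3


def revealed_positions_distribution(n, k, observations):
    """Exact distribution of how many distinct positions have been revealed.

    Returns {u: probability}, where u is the number of distinct password
    positions disclosed across `observations` captured logins.
    """
    dist = {0: Fraction(1)}
    for _ in range(observations):
        nxt = {}
        for u, p in dist.items():
            # A new challenge hits j unseen positions and k - j seen ones
            # (hypergeometric draw of k positions out of n).
            for j in range(k + 1):
                if j > n - u or k - j > u:
                    continue
                weight = Fraction(comb(n - u, j) * comb(u, k - j), comb(n, k))
                nxt[u + j] = nxt.get(u + j, Fraction(0)) + p * weight
        dist = nxt
    return dist


def replay_success_probability(n, k, observations):
    """Probability that a fresh challenge asks only for revealed positions."""
    dist = revealed_positions_distribution(n, k, observations)
    return sum(p * Fraction(comb(u, k), comb(n, k)) for u, p in dist.items())


def captures_until_risk(n, k, threshold, limit=1000):
    """Smallest number of captured logins at which replay risk >= threshold."""
    for m in range(limit + 1):
        if replay_success_probability(n, k, m) >= threshold:
            return m
    return None


if __name__ == "__main__":
    n, k = PASSWORD_LENGTH, POSITIONS_PER_CHALLENGE
    for m in range(0, 9):
        p = replay_success_probability(n, k, m)
        print(f"captured logins: {m}  replay succeeds: {float(p):.4f}")
    print("captures until risk >= 50%:", captures_until_risk(n, k, Fraction(1, 2)))
```

Under these assumptions one captured login answers a later challenge 1 time in 56, while four captured logins answer it more often than not. The model covers only replay of previously captured letters, not a proxy that forwards the bank's live challenge, which other comments in this thread raise.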

You can not teach them how to live (1)

Boron55 (1060136) | more than 7 years ago | (#17890350)

There was a lady in our office (long time ago) who was excited about everything all the time. When our network admin gave her a new password, she was so excited that she cried it out loud in front of everybody. Well, admin was really upset and told her everything he was thinking about her. Then she told him with an innocent expression: "Why can not you teach me these security practices?" He replied: "I can not teach you how to eat, mate or live." So related to Bank of America customers, if they do not care about the security - it is their fault. If they start crying their passwords out loud - it is their fault. It is common sense, like eating, avoiding poisons, not hurting yourself. You can not teach the grown-up how to do those things. It is their sole responsibility, and not a fault of the Bank.

you have successfully logged out! (2, Informative)

IceFox (18179) | more than 7 years ago | (#17890390)

This coming from a bank whose website frequently goes down and when clicking links within my accounts page will suddenly (and randomly) tell its users how they have "successfully logged out" without a link to the main page to re-login and continue. And let's not forget the determination to automagically remove bank statements after six months and yet at the same time keeps pestering its users to cancel their paper copies. I would have to say that Bank Of America is the perfect example of how not to run a banking website. Every time I call their tech support I am costing THEM money.

Poorly designed populace (1)

analog_line (465182) | more than 7 years ago | (#17890396)

Basically, this method of security fails when people don't care about their security. This is a problem?

Security requires active checking to make sure a security measure is in effect. If you don't check to see if your padlock was secured, it's not the lock maker's fault if someone unhooked the unlocked padlock and stole your stuff.

Actually this is worse. The lock maker damn well isn't at fault IF YOU DIDN'T CHECK THAT IT WAS YOUR PADLOCK.

A Much Better Idea (1)

CleverFox (85783) | more than 7 years ago | (#17890404)

A much better idea that would foil keyloggers is to present a user with a matrix of 3x3 or 4x4 pictures of animals and have users choose a password of three animals where they always click on the same animals in the same order. With random presentation of the animals it would make it impossible for anything other than video capture to steal all the information necessary to get into my account.

This crud where they ask you for the last four digits of your SS# in addition to your password does little to prevent a keystroke logger from recording that response as well and leaving me wide open to criminal use of my account.

In the numbers (1)

loafing_oaf (1054200) | more than 7 years ago | (#17890418)

Even if a phishing site displayed only one of the actual available images, they would net victims using that image. It only takes one in a million to make the scam worthwhile.

Bank of America's system also has you provide a caption when you choose a picture. The caption is much better security than the limited set of images.

It's more secure than you think (0)

Anonymous Coward | more than 7 years ago | (#17890444)

When B of A switched to site key, my online account broke. It hasn't worked since, despite 15+ calls to tech support. Usually they say they will call back when they fix it and never do. It's only half bad. Since it is broke, I suspect it is very secure and nobody else can access it, either.

The system is actually technically flawed (4, Informative)

jyoull (512280) | more than 7 years ago | (#17890468)

Discussion and links to papers here:

http://bbaadd.com/blog/2006/08/security-why-sitekey-cant-save-you.html [bbaadd.com]

This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been greatly simplified, and some new material is presented. Readers seeking more depth of coverage should consult the original paper, available at the above URL.

Although this report discusses SiteKey at Bank of America Corporation, the general risks discussed here apply to all SiteKey sites including ING Direct and Vanguard.com, and they apply even more generally to any security method that relies solely on server-side interventions to detect and stop online fraud.

Re:The system is actually technically flawed (1)

richg74 (650636) | more than 7 years ago | (#17890702)

Just for clarification, the last two paragraphs in the parent (from "This overview ..." through "... stop online fraud.") are quoted from the abstract at 'bbaad.com'. The "original paper" referred to is available here, as a PDF. [cr-labs.com]

One point bears repeating. The articles refer to Bank of America, but this applies to all sites that use similar mechanisms, such as Vanguard (mentioned above) and Yahoo!.

It's also worth noting that the large majority of users in the experiment ignored the absence of the SSL "padlock" indicator.

sitekeyisdumb (1)

jordan314 (1052648) | more than 7 years ago | (#17890500)

My BoA sitekey is "sitekeyisdumb", because it really is. I hate it. I chose a picture of two people hanging from a parachute. I like to picture them stuck hanging somewhere, similar to how I feel when going through the sitekey process, dumb and stuck. Sometimes I'll fail my own sitekey security questions when it doesn't recognize my IP address. Now that you have all that additional "secure" security info from me, try hacking my account. Good luck. It's totally useless.

What happened to personal responsibility? (1)

moracity (925736) | more than 7 years ago | (#17890502)

If I setup a "lemonade-stand" labeled "B of A Deposits" in my neighborhood and tell people they can make deposits with me instead of going to the bank, should the bank be held responsible if some people actually do it? At some point, people have to take responsibility.

No online banking security measure that is put in place is ever going to stop stupidity. This is the type of thinking that keeps people voting for Democrats. Too many people don't want the responsibility of taking care of themselves. They want someone else to do it so they can blame someone else when it goes awry:

Can't get a job? Here's some unemployment!

Don't want to pay up for health insurance? Here's some for free!

Don't want to save for retirement? Here's some social security!

Unmarried and have 4 kids with 4 different fathers? Spent all your money on Dolce&Gabana and plasma TV's? Here's some food stamps to feed your kids!

Re:What happened to personal responsibility? (1)

tomstdenis (446163) | more than 7 years ago | (#17890666)

... yeah replying to flamebait ...

Anyone who thinks social welfare is a complete waste of effort has obviously never been given a pink slip, or still lives with mommy and daddy. When you got bills to pay and your employer decides to give you the boot it's nice to know that you're not facing the street at the end of the week.

Granted it gets abused, but that's why you enforce policy not cut people who need it off.

Though yea, generally if you don't take reasonable steps to ensure your safety, you're kinda asking for trouble. Not to say phishers aren't criminals, but if you sit there and just hand them your money you don't deserve insurance reimbursement.

Tom

It could be improved... (0)

Anonymous Coward | more than 7 years ago | (#17890508)

Instead of choosing an icon from a list, perhaps the user is required to upload a picture and a description of it. Anything would do: a person, animal, car, etc. The uploaded picture would become a very prominent part of the site during the login process. Instead of choosing an image from a list of possibilities, the site would be structured in such a way that the lack of user-provided photo is painfully obvious. Even the site's foreground/background color scheme would be determined by the color content of the picture.

SiteKey Explanation insufficient. (2, Interesting)

Marc_Hawke (130338) | more than 7 years ago | (#17890544)

The problem is that it wasn't introduced well.

If someone is already familiar with the concept, then it makes sense. However, for most people, the explanation was an annoyance and a confusion one time when they logged in, and the rest of the time it's just an extra click before they can enter their password.

I have two banks that use that scheme for authentication. On both of them, one day they just popped up a picture and said, "what is this picture?" So you make a guess as to what is shown in the picture, and hope you guessed right.

On subsequent logins, they fill in your guess for you, so it seems ridiculous that they are asking what that picture is every time.

Since the explanation was lost on most users, it's not surprising that they don't care that it's different.

In fact... if you just make a site that popped up a random picture and asked them to name it, I'd expect everyone would fall for it.

This isn't about customers being lazy or stupid, (well not always.) It's about the SiteKey deployment being inadequate and there being insufficient explanation for something that customers have never heard of before.

"It's the users, not the system!" syndrome (4, Insightful)

Brown (36659) | more than 7 years ago | (#17890550)

There're a number of comments saying things along the lines of:

..the system itself is not flawed, but the way the users choose to operate on it

Enhanced security measures thwarted by stupid users. More at 11!

The SiteKey isn't flawed, the people are.

It's a common error to ascribe problems with usability to 'idiot users'. The real problem is software that's designed for the wrong target group (experts, where it should be everyman) or just badly designed, confusing or poorly explained interfaces. The fact is, this system *has* to be designed to cope with clueless users. If it's only safe for use by people with an IQ over 100, then half the population will be at risk!

co3k (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#17890776)

bureaucrATic and

My bank... (0)

Anonymous Coward | more than 7 years ago | (#17890778)

..Though not BoA, has implemented basically the same damned thing. You pick an image, and if you don't see/it isn't your image when you go to log in, you don't log in.

My mother understood this without issue. My mother is a person who called me several times asking about a 'blinking light' on the front of her computer. The hard drive activity light.

Flawed? Emperor's new snide remark?

No security system will ever be idiot proof. If people are logging in despite not seeing the image they selected, the problem exists between the chair and keyboard.

Can lead a horse to water... (1)

shoptroll (544006) | more than 7 years ago | (#17890784)

If users don't know how to properly use the security features provided to them, is that a system failure or a user failure? That's like blaming Linksys for someone hijacking your router because you didn't change the default router password nor did you set up any form of encryption on your 802.11.

This reminds me of a training day for my workstudy job where one of the higher ups in the IT department talked about a survey done where they offered people a cookie for their password. At least 50% of the people in that study were willing to give up their password for a cookie.

Browser data (1)

kebes (861706) | more than 7 years ago | (#17890786)

Totally tangential to the actual topic of the study, but I noticed that in the details of the study [usablesecurity.org] they interviewed the people about their normal computer habits. They state:

28 participants (42%) reported using Microsoft Internet Explorer as their primary browser, 30 participants (45%) use Mozilla Firefox, 7 participants (10%) use Apple Safari, 1 participant (2%) uses Opera, and 1 participant (2%) uses an unspecified browser. Of the 39 participants who did not use Internet Explorer as their primary browser, 28 (72%) use Internet Explorer as their secondary browser.

The reason I find this interesting is that frequently we throw around statistics from web-site access, and people will complain "well you can't use stats from site X because that site will inherently have more [geeky/non-geeky] users and hence skew the results" (a valid complaint, of course). The above statistics are (reportedly) a random sampling of Bank of America customers with online account (no selection based on computer expertise, etc.).

The above stats suggest that Firefox usage may be even higher than previously suspected. Obviously this sampling of 67 people is not exhaustive and may not be generalizable, but I was quite surprised when I saw those numbers.

The site key is not in itself flawed... (2, Interesting)

angelwalkwithme (984267) | more than 7 years ago | (#17890802)

The site key is not a bad idea for those users who actually use it, but yes most people aren't paying attention. But I think it really ignores the more obvious solution. This is to frequently remind users to NEVER CLICK A LINK THROUGH E-MAIL. Type the website into your browser every time and you will never have this problem. I would put this scam in the same category as phone fraud phishing; most people know that you're not supposed to give your SSN or Bank Numbers when somebody calls you. This should raise suspicion immediately. I think the same approach for the internet is the best that we can hope for. Educate, educate, educate.