Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Boarding Pass Hacker Targets Bank of America

kdawson posted more than 7 years ago | from the augmented-man-in-the-middle dept.

Security 160

Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.

cancel ×

160 comments

Sorry! There are no comments related to the filter you selected.

Crux (4, Insightful)

Billosaur (927319) | more than 7 years ago | (#18703197)

Why does BoA allow users to get access to their SiteKey image after answering her security questions? The reason is simple. Normally, BoA knows to present the right SiteKey image to a user because it recognizes the computer that user logs in from as belonging to the user in question. This is done using secure cookies. But what happens if there are no cookies? Say that the user wants to log in to her BoA account from a computer that she has not successfully used to connect to BoA's website with before. Before sending the SiteKey image to the user, BoA will require the user to provide some evidence of her identity - the answers to the security questions. Once BoA receives these, and has verified that they are correct, then it will send the user's SiteKey image to the user. That allows the user to verify that it is really communicating with BoA, and not an impostor, which in turn, provides the user with the security to enter her password.

This is the loophole that we use in our demonstration. Through deceit, we convince the user to enter her security question, and thus get the SiteKey image.

No matter what kind of security system you devise, you cannot take out the human element. The Internet seems like magic to people - it knows them, it knows things about them, people can find them from all over the planet. The average user is not curious enough to learn how this is accomplished, paranoid enough to distrust anything at first glance, or savvy enough to protect themselves. Bank of America is kidding itself if it thinks the SiteKey is any kind of deterrent to a hacker.

Re:Crux (4, Insightful)

Anonymous Coward | more than 7 years ago | (#18703421)

Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol.

Re:Crux (5, Insightful)

mypalmike (454265) | more than 7 years ago | (#18703729)

Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol.

Exactly. The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.

Re:Crux (0)

Anonymous Coward | more than 7 years ago | (#18704347)

If I manually enter the correct URL in my browser , that of the real entity
then I must also be infected with something to reveal private data to another
these are quite big if's to those who are savvy If they never followed links in an Email or mistype a close hacker crafted false URL to the bank , What chance is there of being Spoofed if have no type of Trojan infection and type the correct URL?

Re:Crux (0)

Anonymous Coward | more than 7 years ago | (#18704529)

Also remember DNS hacking/redirection can play a role in this.

Blinking text Banner Ad: Speed up yer internets! Just use our dns which will increase your speeds!

Like most things, this is not exclusively a technical problem.

Re:Crux (0)

Anonymous Coward | more than 7 years ago | (#18704879)

That is a very good point It is difficult to make folks understand how dangerous it is to download seemingly benign programs, that have dangerous functions not even closely related to their other intended function(s)

But we also have too many people that think a program only does what they can see while its visual aspect can have nothing to do with what else is does

Re:Crux (3, Informative)

toleraen (831634) | more than 7 years ago | (#18704889)

What chance is there of being Spoofed if have no type of Trojan infection and type the correct URL?

vi C:\windows\system32\drivers\etc\hosts
i 192.168.1.100 www.mybank.com
:wq

Re:Crux (2, Funny)

mypalmike (454265) | more than 7 years ago | (#18705721)

C:\> vi C:\windows\system32\drivers\etc\hosts
vi: command not found. ;)

Re:Crux (1)

toleraen (831634) | more than 7 years ago | (#18705915)

Sounds like you need to update your path =P

Re:Crux (1)

freeweed (309734) | more than 7 years ago | (#18705753)

I'd volunteer that your little script is by definition a trojan. Certainly would be delivered by one, at the very least.

Re:Crux (1)

toleraen (831634) | more than 7 years ago | (#18705945)

Or just physical access.

Re:Crux (1)

porkThreeWays (895269) | more than 7 years ago | (#18705245)

Banks want more complicated authentication. Consumers want simpler. Guess who's winning? The right answer isn't making consumers jump through a bunch of hoops to get into their account. The added complication just makes it easier for the human element to be fooled. If they made simple clean dedicated sites just for the online banking portion, I don't think this would be 1/10th the problem it is. For example, I can have to authenticate myself up to four times to get onto the BOA online banking site. All the while flash ads of their new products barrage my senses when all I want to know is if a check cleared or not. In that process I don't pay attention to site key because it's just one more thing getting in the way. In fact, even as a very educated computer user I pay no attention to their complicated process for the very fact it is overly complicated. If computer professionals don't pay attention what hope does the average user have?

In all reality the online banking world is getting worse than it is better, and their gut reaction to create more hurdles to authentication is just making the problem worse.

Re:Crux (4, Insightful)

hackstraw (262471) | more than 7 years ago | (#18705323)

The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.

The deceit is simply a man in the middle attack, and we all know this is not a new thing.

I'm a BOA customer, and I've been upset with their security for years, but it keeps getting better, which is kindof a problem in itself.

Some history here. BOA's main website: http://www.bankofamerica.com/ [bankofamerica.com] was only recently redirected to a https server. In fact, until recently if you even typed https://www.bankofamerica.com/ [bankofamerica.com] you got an error message. Before doing the basic thing like moving the http server to a https server, they introduced this site key junk.

OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) its not on a https site, and its asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ [bankfoamerica.com] by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.

When I go to a supposedly real BOA branch on say Main Street in YourTown, USA, there are a number of things that makes me believe its real. There are other people in there, many of which are wearing BOA nametags, and the BOA logos and stuff are all over the outside and inside of the place. Also, its expensive and difficult to put up a fake BOA storefront, and the liklihood that a fake one will generate any profit w/o getting caught is about zero (otherwise they would exist!)

Now, how much would it cost me to put up a bankfoamerica.com site? How about 15-20 of them with different typos? How much easier is it being that they can exist anywhere in the world or even outside of the world on a sattelite in space even? How hard is it to generate all of these things that look exactly like the real site w/o a secure certificate behind them to boot? Now, being that BOA changes the website all the time, AND its not on a secure server, how am I supposed to know that I'm even dealing with the same people each time?

My problem is not with BOA identifying me, its with me identifying them. So, they add site-key and all of this crap, which puts the burdon of identifying them on me, which is backwards, especially when they keep changing the rules.

When I worked in a hospital, they talked repeatedly about "universal precautions" with respect to things like AIDS and whatnot. There needs to be a set of universal precautions for doing secure transactions on the internet, and there are none.

Re:Crux (2, Insightful)

fishbowl (7759) | more than 7 years ago | (#18705439)


>OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) its not on a https site, and its
>asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ [bankfoamerica.com]
>[bankfoamerica.com] by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.

You are not supposed to! You should change banks. I would, (and have). Now I use a credit union whose IT is managed by a Math/CS professor who is well known in cryptography circles. I also use USAA, which I highly recommend to people who are eligible. (It bothers me that people leave the military and don't bother to get grandfathered into USAA; it's one of the best perks they offer.)

Re:Crux (1)

SCHecklerX (229973) | more than 7 years ago | (#18705489)

Indeed.

Just today my bank (USAA), who have already:

  1.    
  2. Forced me to start using a PIN in addition to my login credentials

  3.    
  4. Forced me to pick a username and start using that instead of my USAA number


today forced me to answer a 'security' question in addition to the above "Who was your first employer".

None of this really adds to the security of my account, and is quite annoying.

If banks *REALLY* want to take security seriously, why don't they issue client-side SSL certs??? If I can get small stores who order products from a manufacturing company to figure this stuff out with a client SSL management portal, then CERTAINLY a BANK can get it right too?

If SSL certs are too 'difficult', then go the RSA fob route. That can get expensive and difficult to manage, though.

Re:Crux (0)

Anonymous Coward | more than 7 years ago | (#18706373)

You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.
Securid doesn't authenticate a computer; it "proves" that someone or some computer has some degree of access to a particular Securid token. The computer could be riddled with spyware (maybe just a Greasemonkey script that knows how to transfer money to a Swiss bank account). Hell, if it's a display-only Securid (token with an LCD display whose digits change periodically), it might be sitting in a room all by itself while its "owner" is out for a swim and someone else is watching the Securid with a video camera.

I Can't .. stop .. myself (3, Funny)

slashbob22 (918040) | more than 7 years ago | (#18704411)

Rather, I think the insightful thing to say here is that you don't gain security by adding arbitrary hoops for your consumers to jump through, but by implementing a real authentication protocol.
You are coming to a sad realization, Cancel or Allow?

Re:Crux (5, Interesting)

slashdotmsiriv (922939) | more than 7 years ago | (#18703795)

This is an obvious attack against the BoA authentication system. Anybody with basic knowledge of networking, authentication systems and phishing
methods should be able to figure out almost immediately how to defeat this system.

At first, I myself was also very critical of BoA's new anti-phishing technique. However, after some more careful consideration, I realized it is very arrogant for somebody to think that BoA's security team did not think of this problem themselves. Unlike security researchers (including moi), which usually try to create bulletproof security systems so they can right interesting papers with indisputable arguments, financial organizations are constrained by the very real issue of cost-efficiency.

Their current two-step authentication does not address the obvious MITM attack discussed here, but it does address the previously seen phishing attacks. BoA's security team must have figured out that it would cost them X amounts of money to defend against classic phishing attacks and by preventing those they would save Y money. They must have also considered solutions like the ones presented in http://people.deas.harvard.edu/~rachna/papers/secu rityskins.pdf [harvard.edu] , which uses http://en.wikipoaedia.org/wiki/Secure_remote_passw ord_protocol [wikipoaedia.org] and must have realized that this would cost them a W amount of money. Note that such a solution would require BoA to create new SSL protocols that would have to be installed on the client machines, not only their own servers. Also note, that such a solution is not stupid-user-proof either. However, we can safely say that W > X (perhaps even W >> X).

By using such a solution they could perhaps save Z > Y amounts of money because much less users would fall victims to phishing attacks. It is very likely that they did the math. Because they chose to go with the current solution, it is very likely that Y-X > Z-W

The only thing that BoA should perhaps correct is the statement:
"If you recognize your SiteKey, you'll know for sure that you
are at the valid Bank of America site. Confirming your SiteKey is
also how you'll know that it's safe to enter your Passcode and click the Sign In button."

This is over-claiming and could have a harmful impact by making its web users dropping their defenses against phishing. I am sure however that their marketing dpt told them that they need to advertise this security feature as completely robust, otherwise users would feel that they are going through unnecessary trouble: "if BoA's system is still insecure, why did BoA bother changing it and why do I need to incur the delay to learn it and enter login information twice?"

Disclaimer: I do not work for BoA and I have no vested interest in supporting them. In fact, I hate their guts for their penalty fees policies :)

Re:Crux (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18704719)

Their current two-step authentication does not address the obvious MITM attack discussed here, but it does address the previously seen phishing attacks.
Ok, but is SiteKey the most efficient way to address the attacks that it can prevent? How does it compare with teaching people how to verify the domain in the address bar? They could use the (over-claiming) statement:

"If the text just before the 3rd slash in the address bar is bankofamerica.com, you'll know for sure that you are at the valid Bank of America site."

Re:Crux (1)

jimbojw (1010949) | more than 7 years ago | (#18704773)

> ... which uses http://en.wikipoaedia.org/wiki/Secure_remote_passw [wikipoaedia.org] ord_protocol and must have realized that this would cost them ...

Quick! Somebody register wikipoedia.com and put a "portal" there!!! Now people, let's move it!

Mother of all possible Man in the Middle attacks (1)

mosel-saar-ruwer (732341) | more than 7 years ago | (#18706561)


If anyone ever figures out a way pull a "Man in the Middle" on the Windows Update Service, then, to quote "Dandy" Don Meredith [wikipedia.org] : Turn out the lights, the party's over.

Digital Certificates (2, Interesting)

shamborfosi (902021) | more than 7 years ago | (#18704641)

Why don't the banks just issue digital certificates for their users and provide a secure way to download them? Then you could use the cert and a password to authenticate.. no MITM attacks due to the cert, difficult to impersonate.

Re:Digital Certificates (1)

partenon (749418) | more than 7 years ago | (#18705607)

Here in Brazil, we have a "e-CPF" (something like e-ID), which is basically a cert issued by some brazilian institutions (including Certisign Brasil, and some governamental offices). Banco do Brasil [bb.com.br] have a login page which uses this, so, it is more secure. The problem is: the e-CPF costs money to the end-user :-)

About bank security (and not "how to protect from phishing"): Banco do Brasil also have another technology to ensure an user is who it claims to be. When you connect the first time to their internet banking, your have read-only access to certain info, and you'll receive a number which identifies the computer. Then, you must go to any Banco do Brasil ATM in 48 hours or so and validate the computer code. Only after that you can fully use the Internet Banking.

Picture? (3, Funny)

extern_void (1041264) | more than 7 years ago | (#18703217)

users don't pay attention to the SiteKey pictures
Picture? what picture?

Yawn (1)

Opportunist (166417) | more than 7 years ago | (#18703219)

That tactic has been around for about a year now, that's worth a story?

How about trojans that change your order, send the bogus order to the bank while displaying the one you entered instead? Or... wait, that's been around for about 6 months now, too.

Re:Yawn (0)

Anonymous Coward | more than 7 years ago | (#18703585)

That tactic has been around for about a year now, that's worth a story?

Seriously. Having to remember two passwords instead of one has no bearing on the effectiveness of a MITM attack.

Re:Yawn (1)

Opportunist (166417) | more than 7 years ago | (#18703825)

Even the one-time passwords used by some banks didn't. Even asking for a specific one-time pw out of a huge list didn't. It pissed off the user and it caused a lot of overhead 'cause people kept punching in the wrong numbers, but it never thwarted a single attacker.

As long as the only channel between bank and user is the computer, there is no security.

Re:Yawn (1)

timeOday (582209) | more than 7 years ago | (#18705443)

As long as the only channel between bank and user is the computer, there is no security.
Now there's a gross overstatement. None if this proves that online banking isn't worth the risk it poses. IMHO it is well worth it. I get annoyed with people who think there should be endless layers of security on everything to prevent every possible attack. Do you people drive armored cars instead of normal ones? (If not, why not?)

Re:Yawn (1)

Opportunist (166417) | more than 7 years ago | (#18705853)

Nope. Simply because the number of people who shoot at me is very close to zero. I can't claim it to be zero, since there is a statistical probability, no matter how small, that I manage to piss someone off to the point where he draws a gun and fires at me.

The chance to be a target for phishers when you are using online banking is also no issue. Just as much as the chance that it's dark at night is no issue. It simply is dark at night and you are a target for phishing if you use online banking.

See the difference?

If every gangster who enjoys shooting at cars would stand on the sidewalk on my way from home to work, I'd sure as hell get an armored car, if possible yesterday. And since every gangster who's into the phishing biz is standing in front of my computer (simply 'cause spacial distance means jack in the 'net)...

I'm doing security for a living. And since I certainly won't sell you any of my products, I can be honest with you. There is no incentive for me to pump a hype and fearmonger to get you to buy my tools and services. You won't. More likely than not, you even cannot (because of export restrictions). And I sure as hell don't benefit from our competitors selling you some of their products.

What stands as a fact, though, is that for pretty much every single bank with online services, there has been at the very least one trojan specifically targeted at them within the last 6 months. The less security a bank uses, the more trojans had it as a target. It's very lucrative. There are even quite a few trojan toolkits available for petty cash (you're in for less than a thousand bucks). And the revenue per attack can reach 5, sometimes 6 digits. Rewarding, ain't it?

And yes, I'm even against the mentioned "endless layers of security", simply because they don't fix the problem, they are only a hassle for the customer. What banks do today is, they keep adding more locks to the reinforced steel door to the tresor room and ignore that the walls are made of plywood. It sure as hell is more hassle for the customer to get in, but it's no deterrent at all for the robber who'd simply punch a hole into the wall and ignore the door.

Re:Yawn (0)

Anonymous Coward | more than 7 years ago | (#18704495)

Actually it's been around on the order of two and a half years - http://www.lurhq.com/grams.html [lurhq.com]

Good for him! (4, Interesting)

Rob T Firefly (844560) | more than 7 years ago | (#18703233)

It's great to know this guy is still at it, despite getting raided by the FBI for the boarding pass hack. However, unless I'm mistaken banking stuff like this is under the auspices of the Secret Service, so this guy might want to set some extra places at the dinner table for a different group of goons.

Re:Good for him! (2, Interesting)

Billosaur (927319) | more than 7 years ago | (#18703359)

This is one of those occasions where you have to admire someone's pluck... I guess he has an overwhelming desire to be hassled by the US Government. This is important work, but it's definitely going to get the black suit, dark sunglasses crowd in a tizzy.

Re:Good for him! (5, Funny)

jimstapleton (999106) | more than 7 years ago | (#18703621)

If he keeps it up, he'll start to know the agents...

*hears a knock on the door, and answers*
Him: "Ahh, Agent Doe! Nice to see you! They sent you out for this one huh? Your standard crew."
AS: "Yep."
Him: "Can I interest you in some coffee, tea or a soda-pop while they are working?"
AS: "Sure, I'll have some coffee"
*He gets the coffee ready as the other agents go to his computer*
Him: "Sit down, sit down! Here's your coffee"
AS: "Thanks. So, everything's going well I take it?"
Him: "Yeah, I'd ask if you heard about my latest trick, but that's probably why you are here."
AS: "Yes, it is."
Him: "So, how's the wife and kids?"
AS: "Not bad. Jane is in basketball now."
Him: "Middle school"
AS: "College"
Him: "Really? I can't believe it's been that long. It seems like just yesterday you were telling me about her being born!"
*more idle chatter, eventually several black suits come down carrying computer equipment.*
AS: "Well, it was nice chatting with you again."
Him: "Likewise. See you next week, same time?"
AS: "Sure, what do you have planned now?"
Him: "C'mon, and spoil the surprise?"
AS: "Alright, see you next week."

Re:Good for him! (1)

garcia (6573) | more than 7 years ago | (#18703985)

From Goodfellas [wikipedia.org] (talking about the frequent raids):

There was always a little harassment. They always wanted to talk to Henry about this or that. They'd come in with their subpoenas and warrants and make me sign. But mostly they were just looking for a handout, a few bucks to keep things quiet, no matter what they found.

I am thrilled with this guy as I was when he did this with the NWA boarding pass security risk [slashdot.org] before. Again, it's great to have someone out there like this pointing out the insecure methods the general masses rely on daily.

Re:Good for him! (0)

Anonymous Coward | more than 7 years ago | (#18704355)

as long as he is happy, i guess its not that bad....

Bank of America?!? (5, Informative)

Anonymous Coward | more than 7 years ago | (#18703275)

This guy is going to get it.

Here's an example on how B of A does business:

This guy just wanted to check to see if a check was good! [sfgate.com]

You can bet B of A will go after this hacker guy.

Re:Bank of America?!? (0)

Anonymous Coward | more than 7 years ago | (#18703999)

Wow that is just amazing, I am glad to not live anymore there ...

Re:Bank of America?!? (2, Funny)

illegalcortex (1007791) | more than 7 years ago | (#18704681)

You used to live at BANK OF AMERICA? Now that's customer service.

Thank You For Posting That (1)

Slashdot Parent (995749) | more than 7 years ago | (#18704625)

I've been back and forth about severing my relationship with Bank of America ever since they started charging me bogus fees. Sure, they correct them after I point them out, but it is a waste of my time.

This pushed me over the edge. The fact that they humiliated an innocent man like that and then refused to even help him clear his name afterwards is reprehensible.

I am finished banking at Bank of America.

Re:Bank of America?!? (0)

Anonymous Coward | more than 7 years ago | (#18705779)

If you had actually read the full article you are linking with some measure of intelligence you would have realized that it wasn't Bank of America that screwed up in this case it was the San Francisco Police. The bank did the right thing when they confirmed that the check was a fraud. You can't expect a 17 year old teller at a retail bank to start intelligently questioning someone who has presented a fraudulent check on whether that person is a victim or a crook. The teller or manager simply calls the police and say "this is a fraudulent check and this man presented it to be cashed". The police then make ALL the decisions from there. In this case they royally screwed the guy and didn't question him and didn't read him his rights and just took him to jail. It is the city he should be suing not Bank of America.

Would you rather Bank of America ask the guy "are you trying to steal from this business" and when the guy answers "no" just take his word for it and let him go try his next check at the next retail bank down the road?

"Two-factor" authentication lame implementations (2, Insightful)

mutterc (828335) | more than 7 years ago | (#18703297)

All of my financial websites (bank, credit cards, etc.) have all gone to "two-factor" authentication.

Most often, the second factor is "security questions", like "what city were you born in?" and "what's your favorite restaurant?" I always answer these with random passwords, which I put in my password safe along with the real password. Unless you do that, these are actually less secure than just having a secondary password, because others can find out that stuff.

I know every business wants to do this cheaply and half-assed; it's the American Business Way. To do it "right" would probably take SecurID's or somesuch other token, which would get ugly for the customer after accumulating a couple of dozen different ones.

I've heard in comments here about banks that send you a list of code numbers, one-time-use, in the postal mail, and you use them up as you log in. That would be a good, cheap way to do two-factor that actually increases security.

Re:"Two-factor" authentication lame implementation (2, Insightful)

CastrTroy (595695) | more than 7 years ago | (#18703673)

I wish banks would offer something like SecurID for authenticating with their site. They seem to be in the process of adding on layers and layers of crap, without adding any actual security. I'd rather have a couple dozen secure IDs over having to carry around half a dozen one-time-pads around. Ideally, you'd only need one securID for each account. Which for most people is probably 3. Chequing, Savings, Credit Card. If you have more accounts than that, you're probably in the minority. I guess i'm not of the crowd that has 7 credit cards though. I have 1, and It's accepted just about everywhere. So I don't have a need for more than 1. I'd rather have a couple extra dongles hanging from my keychain than having to worry about someone hacking my account. I'd happily pay for the SecurID if only the option were available.

Re:"Two-factor" authentication lame implementation (1)

maxume (22995) | more than 7 years ago | (#18703921)

I'm no fan of how they do business(basically, the second they got big enough they started pissing on the small account customers that they built their business with), but E*Trade will give you a security dongle if you want:

https://us.etrade.com/e/t/jumppage/viewjumppage?Pa geName=cpg [etrade.com]

Re:"Two-factor" authentication lame implementation (1)

forrestt (267374) | more than 7 years ago | (#18703871)

Most often, the second factor is "security questions", like "what city were you born in?" and "what's your favorite restaurant?"

That isn't two-factor authentication. That is something you know and something else you know. Two-factor requires something you now, and something you have (a smart card, onetime password, RSA SecurID fob, etc.). (Not blaming you, simply pointing out how lame most businesses are).

Re:"Two-factor" authentication lame implementation (1)

Hatta (162192) | more than 7 years ago | (#18704223)

I spent a couple days going back and forth with the folks at my bank about this. I was trying to get them to explain how these security questions were any better than a password. These security questions are worse than a password because people who know something about you can figure them out. So it's no better than having 2 passwords. Having 2 passwords is fundamentally equivalent to having one password that's twice as long, and since there's not any limit on the length of passwords, it's not any better than just having one password that's suitably long.

In the end, they just said they were mandated by the federal government to do this. Does anyone know if this is true? What item in law mandates this?

Re:"Two-factor" authentication lame implementation (1)

fishbowl (7759) | more than 7 years ago | (#18704635)



>In the end, they just said they were mandated by the federal government to do this. Does anyone know if this is true? What item in law mandates
>this?

I doubt it is specific to that one item. My guess would be, Federal Law required them to seek and receive approval for their plans before they put an online banking system in place; then they contracted to have it built, and that was a project that lasted for years. In order to make the change you want, they would have to go through a long complex process. So instead, they need to get rid of YOU.

Re:"Two-factor" authentication lame implementation (0)

Anonymous Coward | more than 7 years ago | (#18705395)

Having 2 passwords is only equivalent to having one password twice as long if you have to input them both before finding out that they're wrong, and it doesn't tell you which one is wrong.

If I have to guess the first password before given the opportunity to guess the second password, it's just twice as hard as guessing a single password.

dom

Multiple passwords more secure? (1)

Firethorn (177587) | more than 7 years ago | (#18705731)

One way that it might make it more secure for you would be if you have a set of three or more 'secondary' passwords.

Maiden's Mother, pet, highschool, etc...

That way the phisher, even if he gets your primary password still has to hope he gets enough of the secondaries to get the one that pops up when he tries to access the system.

Sometimes in the military we have a set of 'challange phrases' and 'response phrases' that have to match up or alarms happen. That way somebody trying to fool the system can't just listen to the guy before him to get the correct answer, because it's different each time.

Re:"Two-factor" authentication lame implementation (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18705081)

Check out a message my bank just sent about their upcoming authentication change:

"At National City, we are committed to the privacy of your personal information. Therefore, over the next several months we will be increasing the level of security used to perform online transactions.

Effective Sunday, April 22 it will be necessary for you to input your Log-In ID and Password on two consecutive screens rather than one single screen as today. This change will affect users who log in from the NationalCity.com homepage and the Online Banking Login Page.

Thank you for choosing National City for your financial needs."

So they want us to input the exact same username and password on two consecutive screens, and somehow think that is increasing security?

The real problem of online banking (3, Insightful)

Opportunist (166417) | more than 7 years ago | (#18703319)

The core problem of online banking is that the bank has to implicitly trust an untrustworthy system, using insecure protocols. The bank has no way to verify that the system used at the other end has not been tampered with and they cannot verify that the data sent to them is identical with the data entered by the user.

You can implement a billion "security features", it won't mean jack as long as the only channel between bank and user is the computer. If that channel has been corrupted, the corrupter will be able to alter, delete or forge any kind of information either side should (in his opinion) get about the other end. There is no way to remove this problem unless you open a second, secure channel which is independent of the machine used for bank transfers.

Re:The real problem of online banking (1)

zappepcs (820751) | more than 7 years ago | (#18703399)

You can implement a billion "security features", it won't mean jack as long as the only channel between bank and user is the computer. If that channel has been corrupted, the corrupter will be able to alter, delete or forge any kind of information either side should (in his opinion) get about the other end. There is no way to remove this problem unless you open a second, secure channel which is independent of the machine used for bank transfers.
Exactly. I have a phone, can't we use that as the second channel?

Re:The real problem of online banking (1)

Opportunist (166417) | more than 7 years ago | (#18703491)

Very good idea. The question is how? A call? Too much overhead for the bank, they implemented online banking as a way to reduce its manpower. Text? Too unreliable, no guaranteed service.

And what about those customers that don't have a cell?

Re:The real problem of online banking (0)

Anonymous Coward | more than 7 years ago | (#18703581)

> And what about those customers that don't have a cell?

They use a land line!

Re:The real problem of online banking (1)

zappepcs (820751) | more than 7 years ago | (#18703773)

But because I have a cell phone with IM, text messaging, and email on it, I should be able to opt-in to tertiary authentication using that model??

Re:The real problem of online banking (1)

Opportunist (166417) | more than 7 years ago | (#18703865)

I think it's time to sit down and write a PoC for a tandem trojan, infecting a computer and the cell...

Like I said, it's generally a very good idea. The problem is, appearantly the damage done by those attackers isn't high enough to warrant the additional expense to develop something like that.

Re:The real problem of online banking (1)

qwijibo (101731) | more than 7 years ago | (#18704405)

If you don't have a cell phone, there's not a very high correlation between you and the good customer demographic. You can't please everyone, but requiring people to have a cell phone would only alienate a small percentage of customers with enough money to be relevant to the bank.

Re:The real problem of online banking (1)

Opportunist (166417) | more than 7 years ago | (#18705963)

How much money you have isn't so much the issue. The banks ain't fearing that you could switch, what really gets their panties in a bunch is that their customers might stop using online banking and instead fill their offices because they want to go to a real teller instead of using the self service interfaces.

People cost money. A lot of money. And since banks have been laying off personnel since the advent of online banking, they can't simply switch back. It's also not simply a matter of grabbing some people off the street and putting them behind some desk, it takes time (and again, money) to train a teller.

That's why banks keep preaching that online banking is safe. That's why they cover the losses, even though the fault is on the client's side (online banking is secure on the bank side, there has not been a single incident where the bank has been "hacked" that I would be aware of).

Re:The real problem of online banking (1)

Sven Tuerpe (265795) | more than 7 years ago | (#18703971)

I have a phone, can't we use that as the second channel?

We can, and some banks in Germany offer this already. The scheme is called mTAN (mobile transaction number). Postbank [postbank.com] , one of the prime target of phishing attacks, was the first to offer it. First, the customer has to register a mobile phone to be associated with the bank account. The registration process is somewhat long-winded but needs to be passed only once; obviously it needs to be secure against manipulation and abuse.

Once a phone has been registered with the bank, it can be used to authorize transactions. Whenever somebody initiates an online transaction with the bank, the bank will send a message to the previously registered phone. At this point all transaction details have been sent to the bank's system already and they cannot be changed any more without initiating a transaction. The message contains important transaction details, such as the target account and amount for a money transfer, along with a 6-digit code. In order to complete the transaction the account holder needs to enter this code, which is valid only for this particular transaction and only for a few minutes. If the code is not entered during this short period of time, the transaction is dismissed.

Another clever way of doing two-factor authentication (or rather, authorization) is based on cryptographic tokens. Those can be used not only to create one-time passwords but also as kind of an independent signature device. In order to create the authorization code for an individual transaction, the bank customer has to enter transaction details such as the target account number into the token. The token then calculates a code from its input, a key and other parameters such as time or a counter. Again, the transaction can only be completed by entering a code that matches the details submitted.

Re:The real problem of online banking (1)

Opportunist (166417) | more than 7 years ago | (#18704103)

Indeed, Postbank Germany has been a prime target for a wide variety of trojan families for the last few months.

That move on their side was a good one. A very good one. It's not easy to defeat this security scheme. Without thinking it over, the only security hole I see is the user, who doesn't read the whole text message but only uses the key to sign.

But when you sign something you don't read, you deserve what you get...

Still, pretty much every security feature has been broken so far. I somehow don't fear to go out of biz soon. :)

Re:The real problem of online banking (1)

siriuskase (679431) | more than 7 years ago | (#18705993)

The real problems are that BoA relies on the internet and there website is so SLOW and the pretty picture apparently is programmed to load last, long after the box where I enter my pin.

The BoA website is beautiful and quite fast when I use the public terminal in the bank branch. But, at home, it is the ugliest slowest most poorly designed piece of crap I have ever accessed more than once. Like many corporate sites, I strongly suspect that the design was designed by some young geeks who have never accessed the internet with less bandwith than a T1 line and approved by some elderly manager who understands pretty pictures and nothing else about technology and if he ever accesses the interent from home, he uses something a lot fancier (and less secure) than a dialup modem, and has no idea what's going on behind the curtain.

Okay, I'm middlea ged. At home and at work I was using regular phone lines and sometimes T1 lines to transfer all kinds of stuff to other locations since the 70's. All I had to do was get my modem to call their modem and that was it, we were just as secure as the phone line. By the 80's, we even had Caller ID to help us know whether we knew the party who was trying to call us. The main problem is that everyone we connected to had a slilghtly different dance we had to jump through to login and we usually had to have a simultaneous voice connection. But, this problem was a form of security. If we had someone we did a lot of business with, we simply bought a T1 line and forgot about it. If it broke, the phone company fixed it.

I'm also cheap. I almost always use dial up. It is plenty fast enough for what I do, I have the phone line anyway for my fax machine. I switch to wifi only when I want to watch youtube, which is only when it has a video that gets a lot of attention on slashdot or bbc. In other words, only during an election compaign. I don't download music, etc, etc, etc. iow, I'm an old fogey, and I don't have any incentive to upgrade to a faster, but less secure internet connection. Except for this silly BoA website.

I love banking with my computer, but I have to restrain myself for the picture verification site to load completely. I will not bank by cable modem or wife because neither are private. But, I have never seen the bank try to discourage anyone else from doing so. As someone who used iffers and sniffers before most techies knew what they wre, I can't trust anything that is broadcast freely into a common cloud. With something as big as the internet, it doesn't take many corrupt smart people to cause significant security breach. The main reason that most people are so comfortable is that corrupt smart people don't normally pubicize their activities.

BoA is bigger than most ISP's. I've wondered for years why they didn't set up their own modem farm with caller id verification for online banking. They already do this for credit card verification. If I call for customer service, they will ask me for more personal verification information if I am not calling from my home phone. My insurance company has similar phone technology, when I call them, before the online agent even says hello, he or she has my full file on the computer screen. It was creepy at first, but now, it is damn convenient to be able to do business without the idle chit chat while my file is being accessed. If they can do it for voice phones, they can do it for modems. They don't even have to own and maintain the modem farm. They can hire earthlink to set up a separate pool.

Re:The real problem of online banking (0)

Anonymous Coward | more than 7 years ago | (#18703705)

There's a class of people that manage to keep their computer trojan-free. The point is that banks fail even at the (less spectacular) goal of preventing phishing for these people. Instead of teaching people to recognize their sitekey image, ditch the sitekey bullcrap and teach them to recognize the bankofamerica.com domain in the address bar.

Re:The real problem of online banking (1)

Opportunist (166417) | more than 7 years ago | (#18703781)

That works 'til they manage to grab a trojan that messes with their DNS resolving.

But generally you're right. Our banks are already switching to "shorter" and abbreviated domain names simply because it's asking for trouble when you force your customer to type in the whole friggin' bank name.

It would already help a lot if you'd get a crash course on basic security when you request your online banking data. At least it would put the "here's your bank, please send us all your info" spamphishers out of biz.

Re:The real problem of online banking (1)

enbody (472304) | more than 7 years ago | (#18706207)

No, the real problem is that two-way, not two-factor, authentication is needed. Right now the bank authenticates you and two-factor authentication improves on that. What is missing is your ability to authenticate the bank, i.e. the authentication works both ways. There are clues, e.g. URL or images, but not real authentication.

I was hoping (0)

Anonymous Coward | more than 7 years ago | (#18703331)

for a SuperHacker not a Boarding Pass Hacker.....

Better, but still false security (2, Insightful)

aicrules (819392) | more than 7 years ago | (#18703403)

I think the BoA sitekey is definitely one step above username/password on the front page. However, I agree that while it provides an added SENSE of security, it can make people trust something more that they really can't trust any more. When it was released, I did almost exactly what this guy did just to see if it would work. I was not terribly surprised that I could create a wrapper to retrieve the sitekey picture and words while still intercepting the passcode. It was actually pretty easy. Unlike the study about the people who ignored their sitekey, I do pay attention to it. However, I also pay attention to whether I'm really on BoA. I never go there from a link in an email. While someone could still redirect my request for BoA to somewhere else, I also practice safe browsing practices that at least limit that potential issue on MY computer. The convenience of online banking is just too high for me to NOT use it.

Re:Better, but still false security (1)

AuMatar (183847) | more than 7 years ago | (#18703653)

Its not a step up- its no different at all. Its trivially broken with a man in the middle attack. Its just an extra hoop to jump through. If there was an option to turn the damn thing off, I'd take it. If anything my account is now *less* secure- previously there was my password, and no way to get in via secret questions. Now there's hideously easy to figure out secret questions on there.

There's a very simple way to do online banking that avoids all phishing scams

1)Only log in from 1 computer
2)Use google to search for your bank's website the first time. Google makes fewer mistakes than you
3)Bookmark it. From now on, never access the site by any other means.

There you go, phishing solved. Now you only need to worry about keylogers.

Re:Better, but still false security (1)

aicrules (819392) | more than 7 years ago | (#18703785)

Where are these security questions that let you in?

Not better. In a sense, it's worse (1)

Opportunist (166417) | more than 7 years ago | (#18704229)

The security is still none. A simple BHO that sits between you and your connection will laugh about it and shrug it off as pointless.

What makes it worse is that people think there's some additional security and might get careless as long as they think the key is secure. Think airbags and the fallacy that you can take a higher risk 'cause you're safer now.

::sigh:: (1)

Pojut (1027544) | more than 7 years ago | (#18703455)

When are companies gonna get smart and actually HIRE this fucker?

Someone is bound to do it eventually...I can assure you all if a company does not buy him up soon, the government will.

I think he was already hired (1)

snoopyjd (665929) | more than 7 years ago | (#18703575)

Apparently by one of BoA's competitors.

Re:::sigh:: (1)

gstoddart (321705) | more than 7 years ago | (#18703987)

When are companies gonna get smart and actually HIRE this fucker?

Someone is bound to do it eventually...I can assure you all if a company does not buy him up soon, the government will.

I think the days of the mad hacker becoming a security consultant are long passed. Nowadays, they seem to go the criminal prosecution route, and then no cookie for you.

Cheers

Re:::sigh:: (1)

bugnuts (94678) | more than 7 years ago | (#18704453)

When are companies gonna get smart and actually HIRE this fucker?
They're not going to hire him, because he's a loose cannon. The next thing an employer will find is a hack of their own site security on his webpage.

He has no scruples, or responsibility. He's the equivalent of an attention whore grey-hat hacker, while hiding behind the "someone needed to expose this" front. Although close, it's not like the Month-of--bugs. They are not doing it for notoriety, as this guy appears to be doing. His credibility would be much higher if he wasn't using political messages and if he actually notified the people involved.

Re:::sigh:: (2, Informative)

dnahelix1 (1060308) | more than 7 years ago | (#18704491)

Have you actually read his blog or talked to him? He sent a bunch of letters to people about the boarding pass hack before he posted it. He's documented everything on his blog, including all of his FOI requests, letters from his lawyer to the government etc.

Re:::sigh:: (1)

alienmole (15522) | more than 7 years ago | (#18706471)

He has no scruples, or responsibility.

His professor (Markus Jacobsson) is going along with this, as part of an anti-phishing group [indiana.edu] at Indiana University. Are you sure you know what you're talking about? If you do, it would probably help to explain it, since from where most of us stand this guy looks as though he's doing everyone a service, and going about it the right way, or at least a perfectly acceptable way which has the benefit of calling attention to some of the more suspect practices in the industry.

Dear me! (1, Insightful)

Etherwalk (681268) | more than 7 years ago | (#18703473)

He's pointing out that most of the psychological reassurances (the security blankets, we might ball them) that are presented to customers/consumers/flyers/etc... are just that--psychological reassurances.

We'd better be careful. This kid is dangerous. He could dismantle our entire society! Wait to see what happens when he points out that money is fictitious.

Re:Dear me! (1)

Russ Nelson (33911) | more than 7 years ago | (#18703989)

Sigh. Money is not fictitious. Yes, "money" is just pieces of paper, but they are a limited resource which is in demand. The best way to understand money is that it is a thing just like any other thing, but it has the attribute of being a thing that everybody will barter for their stuff.

You might guess that I'm not a gold bug, and that I'm in favor of free banking. Good guess!

A bit less than it appears (4, Insightful)

jfengel (409917) | more than 7 years ago | (#18703489)

The summary is not quite correct. It's not so much that the SiteKey is being bypassed, as that the attacker is able to get their hands on the user's SiteKey. They can only do this by getting the user's password and security code, which they do with a conventional man-in-the-middle attack. Once they've got that, getting the SiteKey seems the least of their worries.

The obvious problem with SiteKey is the chicken-and-egg problem of getting the image to the server in the first place. There's some step where you're communicating in a fashion where you trust the server enough to give them your SiteKey, which they later show back to you. It's tied to a single computer, via a cookie, so if you log in from a different computer you need to send a new SiteKey or get them to send yours back to you, on the new computer.

So this attack only works if you can get the user to give up not only the password but also the "security question" (one of the dumbest bits of security I've ever seen; it's like a password only you can look it up.) Easy enough, if the user isn't alert (and they usually aren't.)

SiteKey depends on users to expect the key image, but the absence of the image doesn't usually trigger warning bells because they're not very common. You need some sort of phishing detector which says, "Hey, this site is known to require a SiteKey and isn't sending it to you."

Re:A bit less than it appears (1)

Rob the Bold (788862) | more than 7 years ago | (#18703645)

SiteKey depends on users to expect the key image, but the absence of the image doesn't usually trigger warning bells because they're not very common. You need some sort of phishing detector which says, "Hey, this site is known to require a SiteKey and isn't sending it to you."

In fact, everyone I've talked to who needs one of these "guess the picture" schemes to login to their bank wishes they would go away. If, one day, they stopped seeing the sitekey thing, most folks would be relieved, not suspicious.

Re:A bit less than it appears (1)

aicrules (819392) | more than 7 years ago | (#18703709)

Maybe I am not seeing the same thing as you, but basically the change to sitekey means that first you must intercept their user id, encrypt and pass it to BoA just as BoA's main page would have, then present the sitekey image/words as if it were coming from BoA to intercept their passcode. The whole idea of sitekey was to prove that the site you were entering your secondary ID (passcode) on was indeed BoA.

Re:A bit less than it appears (1)

captainClassLoader (240591) | more than 7 years ago | (#18703823)

jfengel says:

SiteKey depends on users to expect the key image, but the absence of the image doesn't usually trigger warning bells because they're not very common. You need some sort of phishing detector which says, "Hey, this site is known to require a SiteKey and isn't sending it to you."


This brings up a rather interesting question: Suppose Bank Of America decided to come up with a better way of securing their web transactions than the SiteKey system. When this new thing popped up on my screen instead of the old BOA site, how would I know I wasn't being phished for?

Obviously, they could send out brochures to my house, and blast "NEW WEB SITE COMING IN N WEEKS!" messages all over their existing site, but the brochures would probably hit the trash before being read in most homes, and most people don't read what's on the info part of web pages anyway.

Re:A bit less than it appears (1)

woztheproblem (454186) | more than 7 years ago | (#18705039)

I don't think you've got it quite right. They use the user's login (not password) plus the answer to a security question to get the user's sitekey. Then they display the sitekey to the user to get the user's password. Only then can they access the account.

Who can remember their authentication images? (4, Interesting)

dpbsmith (263124) | more than 7 years ago | (#18703681)

These authentication images seem to be one of these ideas that is based on the assumption that you only deal with one company.

Within the last six months, three banks and two brokerage houses I use have all gone to the use of these authentication images. In each case, the only way to select the image is to go through slow-loading screen after slow-loading screen of apparently random images.

I can choose my own password, but it is virtually impossible to "choose" my image, so they're not very memorable to me. I certainly can't choose the same image at all five sites, which is what I'd like to do. (That's insecure for a password, but I don't think it's insecure for an authentication image; it's not as if one bank were going to try to pretend to be a different bank).

One of them also wants you to give them a little phrase that goes below the picture. Ah, I thought, I'll use my phrase to describe the picture, that way I'll know if the picture is incorrect. Wrong, I couldn't do it. I had to enter the phrase before I got to choose the picture. Well, I thought, OK, I'll just change it. The picture was of (let's say) soccer ball. So I went to the screen that lets you change your passwords and personal information, entered "soccer ball" as my phrase... and was then taken to a screen where I was required to select a picture, again. And the soccer ball wasn't one of the choices. I clicked through about ten screens of five-by-five pictures trying to find the soccer ball and couldn't find it. Was it just because they were randomly selecting from a huge collection of images? Or do they actually enforce changing the image? I don't know. All I know is that I now am supposed to remember my password AND the phrase "soccer ball" AND a picture of a kangaroo.

If the picture were wrong, would I notice? I might have a vague sense of unease, but I wouldn't be sure. Not unless I wrote them all down.

just picture a kangaroo playing soccer .. (1)

rs232 (849320) | more than 7 years ago | (#18704159)

Just picture a kangaroo playing soccer ..

original, though? (2, Informative)

rascher (1069376) | more than 7 years ago | (#18704129)

One thing I kind of want to say is that, while I agree that the SiteKey method isn't secure, it seems that most any kind of website can fall prey to this kind of MITM. With enough time, one could (with relative ease) write a bot that wraps around just about any website. (monitor the headers, cookies, GET/POST vars that are passed during a normal browser login, and then write a script that uses curl to emulate all of that and create a phishing site). I tend to think that at some point, any "necessary" security measures that could be taken to ensure someone's idenity would be inconvenient for the user or too expensive for the consumer.

I like (1)

Xaoswolf (524554) | more than 7 years ago | (#18704143)

how with my bank, my password is printed directly below the picture...

That doesn't seem all that secure to me...

Bank of America's security needs improvement (2, Informative)

testpoint (176998) | more than 7 years ago | (#18704179)

Most Bank of America branches have open customer service centers. They consist of desks with no walls or partitions and a customer waiting area a few feet away. The first question after, "How may I help you?" is "What is your social security number". That is usually followed by, "And what can I do for you Mr./Ms. ______?"

Why not use referrer? (4, Insightful)

nospmiS remoH (714998) | more than 7 years ago | (#18704301)

Why don't the banks just require that the referrer to a login page be blank. Yes, this would mean that the login page would have to be either on the main page or very simple to type since the only way a (normal) user will have a blank referrer will be to type the url in.

Essentially this means that banks would be requiring everyone to physically type (or bookmark) their banks login page and that would be the ONLY way to get there. I suppose it could be modified to accept a referrer of the banks own domain so you could click a "Login Here" button.

I know power users can spoof their referrer using a browser setting and malware could do the same, but at least that would be another layer. What am I missing here?

Re:Why not use referrer? (0)

Anonymous Coward | more than 7 years ago | (#18705695)

This is a man-in-the-middle attack. Anything required by the bank would be simulated by the attacker. Requiring a blank referer would only work if the user knew that they had to type in the URL themselves, which would be stupid because if they knew they had to type it in then why would they click on the link to the phishing site in the first place?

Not to mention, having to physically enter the URL every time leaves you open to typo attacks. Some phisher might register b0fa.com, which would work quite well because the oh and zero both look similar and are adjacent on the keyboard.

dom

MOD parent ill informed! (2, Interesting)

cliveholloway (132299) | more than 7 years ago | (#18706513)

Completely wrong. It takes one line of javascript to open a link with no referer sent. Not rocket science.

If I were bofa, I would be looking at browser quirks, and using those to authenticate the HTTP_USER_AGENT environment variable. Browser says that they're IE? include a little activeX that only works in IE and examine output, or send some javascript. For each browser, set up a suite of these hacks and serve a few with each page. If the browser doesn't respond with the correct output of the quirk (pipeped into a form field via javascript, say), then assume browser is just a script with the UA set. That would kill about 90% of phishing attacks.

I would also look at login patterns and route all login page requests through an analyzing proxy that notes the IP address, User Agent, probable physical location and whether it has been used to access the account previously. Then, if a particular IP or User Agent requests a login that is suspicious, send an SMS message to the account owner (who would need their cell number on file fdirst, obviously :) explaining the access and where it is being made from. They will need to reply to the message before the login can continue from that IP. I mean, if I always access my online banking from 2 specific IP blocks, then one day try to access it from the other side of the country, I'd expect a red flag to go up - especially if I'd accessed it on old IP only 6 hours previously.

Not bulletproof, but damn close.

At my last job, we used a similar system to analyze FTP access to half a million accounts. It made catching script kiddies a hell of a lot easier :)

The problem is inconsistent expiration (0)

Anonymous Coward | more than 7 years ago | (#18704711)

Bank of America tends to forget my computer after a period of time (usually a few weeks) for whatever reason. Consequently, I'm used to having to re-auth without Sitekey, which makes me more vulnerable to phishing. Compare this to Yahoo's system, which remembers your computer pretty much indefinitely and also allows a unique user-uploaded image for each computer.

The Weakest Link (4, Interesting)

Nom du Keyboard (633989) | more than 7 years ago | (#18704913)

The weakest link in the banking system is its reliance on a single account number. Imagine, if you will, if your bank could give you limited use account numbers that never revealed your master account number to outsiders.

Wouldn't it be nice if you could give someone (e.g. PayPal, known by some for removing money back out as fast as they put it in) Deposit-Only account numbers. Like the Roach Motel, the money checks in, and it don't check out.

Or Limited Transfer Out numbers. (Allow AOL, and AOL only, to automatically debit monthly payments for amounts not exceeding your monthly bill, and only valid for 6 transactions before you give them a new number.)

Personal Checks, each one of which has a One Time Only account number on it that is worth nothing to a thief who tries to forge a hundred duplicates of the check you just gave him.

The archaic current system could, I believe, be made much more secure by this simple change alone.

Note to IP thieves: This constitutes Prior Art, and you're not allowed to patent it now.

Re:The Weakest Link (1)

sexyrexy (793497) | more than 7 years ago | (#18706191)

Bank of America offers this on all their credit cards, and creating temporary checking accounts is available with one of their higher (read: richer) programs.

Huh? (1)

powerlord (28156) | more than 7 years ago | (#18705259)

After reading the headline "Boarding Pass Hacker Targets Back of America" I couldn't help but wonder what sort of bank would let someone take money out of an account using only a Boarding Pass as their form of I.D.

Man in the middle and SecureID (2, Informative)

zerofoo (262795) | more than 7 years ago | (#18705405)

I used to work for a bank and we looked at SecureID for all of our internet banking customers that could originate ACH (Automated Clearing House) transfers.

We realized that SecureID is also vulnerable to a man-in-the-middle attack. Since most people ignore invalid SSL certificates, anyone could put up a fake webpage and intercept the entire SecureID transaction. Once a successful login is permitted, the attacker can process bank transactions as the legitimate user.

SecureID is a nice way to augment passwords with a one-time password, and it does reduce the "attack window" due to the fact that the bad guy can not reuse your login credentials at a later time. SecureID does not eliminate the attack window...the attacker needs to process the fraudulent transactions during the legitimate user's session.

-ted

Maybe I'm missing something.. (0)

whodkne (778580) | more than 7 years ago | (#18705509)

Why not lock down the .htaccess so images are only returned to the BofA server and no one else? Seems simple enough.

Re:Maybe I'm missing something.. (1)

Firethorn (177587) | more than 7 years ago | (#18705953)

Imagine the phisher's server as a type of proxy server. It's not linking you to the image on the bank's site, which is likely dynamic anyways, it's passing stuff you enter along to the login site and caching/manipulating the information to feed it back to you.

The modifications might entail stuff like changing links to keep you on the phisher site.

You enter information into the phisher site, the phisher server feeds this information(while capturing it) to the real site. The real site responds, giving the information to the phisher site, which the phisher site then sends to you.

The user doesn't have a clue. At most he might think his browser's being slow.

One perfect scheme... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18705591)

Many europeans banks now gives you a physical device. You must enter your PIN in the device then give back the generated number to log in. This is still vulnerable to MITM attacks. But when you're transferring a huge amount of money, you must enter the account number of the account you want to transfer money to. This, if done correctly, is approaching perfection. There could still be complete fool mislead by a MITM: the fake bank site asks to enter another account number on the physical device... However bank customers could be trained to only enter the the account they want to pay money to, which could also be emphasized by having a button on the physical device labelled "ONLY ENTER THE BANK ACCOUNT NUMBER YOU WANT TO PAY MONEY TO" (these devices tend to have a few buttons anyway, for different types of challenge). After entering the bank account number you want to pay to, the device gives you back a security that you transmit to the bank. You ain't cheating such a scheme unless you've got physical access to the device. So you ain't attacking a bank using such a scheme on a big scale. This is "good game lowlifes".

I tHank you for your time (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18706357)

Are you a NIGGER me if Fyou'd like, else up their asses conversations where and the striking Way. It used to be crisco or lube. words, don't get
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>