SiteKey Security Can Be Defeated
David Utter, Staff Writer
2006-07-31
The SiteKey system used by financial institutions like Bank of America can offer a false sense of security, because a man-in-the-middle attack can relay its protections in real time.
Jim Youll at Challenge/Response Labs reviewed the SiteKey system used by Bank of America to help its customers avoid falling for a phishing attack. The vulnerability could be exploited in real time to present someone's secret SiteKey image, text phrase, and challenge questions to them, and then steal the answers they give.
The report discussed the two main findings of Youll's research regarding the vulnerability:
A SiteKey shielded site is slightly more difficult to fake than others. The key difference is that an attacker must create a 'proxy' to relay a small amount of information between the victim (viewing the fake site) and the legitimate web server. The scripts for a server or bot-infected computer to carry this out would be simple to create and are well within the means of an attacker seeking a financial payoff. Complicating matters, Bank of America promotes extreme confidence in SiteKey that could unintentionally persuade an otherwise skeptical customer that a fake site is real.
On every computer from which a customer accesses a BofA account, SiteKey may store a token that permanently bypasses the 'challenge questions' and permits account access with just a user name and password. The bypass token is held in persistent storage on each computer, can be replayed, is long-lived, and may be copied from one computer to another.
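The second finding faults the bypass token on three counts: it is long-lived, it can be replayed, and it can be copied from one computer to another. The following is an added example, written here and not taken from Youll's report, Bank of America, or RSA Security, of how a "remember this computer" token can be issued so that each of those properties is checked server-side: the token carries an issue time and a bounded lifetime, and an HMAC binds it to a user and a device identifier so that a copy presented alongside a different device identifier is rejected. The user and device identifiers, the 30-day lifetime and the server key are all constructed for the example; in particular it assumes the server has a per-device identifier it trusts more than the cookie itself (something like a TLS client certificate's key), since a device identifier stored in the same cookie jar would be copied along with the token.

```python
import hashlib
import hmac

# Constructed demo values: a real deployment keeps the key in an HSM/KMS and
# chooses the lifetime as policy. Nothing here is a real SiteKey parameter.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN_TTL_SECONDS = 30 * 24 * 3600  # bounded lifetime instead of "long-lived"


def _tag(user_id: str, device_id: str, issued_at: int) -> str:
    """HMAC over every field the server wants to bind; changing any field breaks the tag."""
    msg = f"{user_id}|{device_id}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: str, device_id: str, issued_at: int) -> str:
    """Issue a device-bound, time-limited 'remember this computer' token."""
    return f"{user_id}|{device_id}|{issued_at}|{_tag(user_id, device_id, issued_at)}"


def verify_token(token: str, presented_user: str, presented_device: str, now: int) -> tuple[bool, str]:
    """Accept the token only if it is untampered, belongs to this user and device, and is unexpired.

    Returns (ok, reason) so the caller can log why a bypass was refused and fall back to the
    challenge questions instead of silently granting access.
    """
    try:
        user_id, device_id, issued_str, tag = token.split("|")
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed"
    # Constant-time comparison: a tampered or forged tag fails before any other check.
    if not hmac.compare_digest(_tag(user_id, device_id, issued_at), tag):
        return False, "bad signature"
    if user_id != presented_user:
        return False, "user mismatch"
    # A token copied to another computer arrives with a different device identifier.
    if device_id != presented_device:
        return False, "device mismatch"
    # Expiry bounds how long a stolen token stays useful; a future issue time is also rejected.
    if now < issued_at or now - issued_at > TOKEN_TTL_SECONDS:
        return False, "expired"
    return True, "ok"


def demo() -> dict:
    """Walk the token through the scenarios the report raises; returns each outcome."""
    issued = 1_000
    token = issue_token("alice", "device-A", issued)
    # A copy of the token with the device field altered but the original tag kept.
    user, _device, ts, tag = token.split("|")
    tampered = f"{user}|device-B|{ts}|{tag}"
    return {
        "same device, in lifetime": verify_token(token, "alice", "device-A", issued + 1_000),
        "copied to another computer": verify_token(token, "alice", "device-B", issued + 1_000),
        "replayed after lifetime": verify_token(token, "alice", "device-A", issued + TOKEN_TTL_SECONDS + 1),
        "device field edited": verify_token(tampered, "alice", "device-B", issued + 1_000),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The design choice worth noting is that each failure returns a distinct reason rather than a bare false: a burst of "device mismatch" or "bad signature" refusals against one account is exactly the signal a bank's monitoring would want when tokens are being copied or replayed.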
Youll also summarized the response from Bank of America and RSA Security to his research; he had provided a draft of the report to both firms in June, about three weeks before publication.
The gist of their response is that SiteKey is one of many components - some visible outside the bank, some not - that comprise a holistic strategy against phishing and other crimes.
The representatives' sense of this report is that it is accurate but misleading in that it addresses a risk in an isolated element of a larger security apparatus.
The report discusses, in non-specific terms, how an attack could be engineered. A criminal would not need to break the encryption on the SiteKey protocol, or gain privileged access to a server, to put a man-in-the-middle attack together.
Youll recommended several options to improve end-user understanding of SiteKey and limit the security risks. One option would involve financial sites like Bank of America employing HTTPS for all of their pages, and using hardware accelerators to handle the extra load from that traffic.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.