Security: SiteKey isn't as safe as you may have expected
The SiteKey anti-phishing system used by Bank of America and other financial institutions is susceptible to a real-time exploit in which an attacker can create a fake web page that includes a victim’s correct, secret SiteKey image, text phrase and challenge questions.
So... if you're looking at a web page that claims to belong to your bank, and it's even showing your secret SiteKey image, it's possible the page is not coming from your bank, but from an attacker trying to steal your login secrets. Really.
My new paper discusses the problem and explains why the single-ended, server-side-only authentication that SiteKey and similar systems rely on is not, and cannot be, adequate protection against phishing or other online fraud.
"Fraud Vulnerabilities in SiteKey Security at Bank of America" is here (376K PDF):
http://cr-labs.com/publications/SiteKey-20060718.pdf