funsec mailing list archives
Re: Bank of America's SiteKey scheme for protecting online bank accounts
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 20 Oct 2005 17:24:22 +1300
Richard M. Smith wrote:

> What do folks think about Bank of America's new SiteKey system for protecting online bank accounts:

<<snip>>

A bunch of us discussed this somewhere else when it was first announced. It is an example of what I call "negative security" -- to work, the victim has to not only notice that something is wrong/missing/different BUT also has to be concerned enough to act (or, more to the point, to fail to act! 8-) ) because of the lack of the required/expected/etc content. That is, the truly stupid, naive, gullible folk that need the most help get the _least_ help from a scheme like this.

How many users that are "dumb" enough to enter their online banking details into a page at a URL like http://1.2.3.4/somelargebankname.com/ebanking/login do you _really_ think are going to be savvy enough to NOT give their data to some other equally obviously (to _us_) bogus site that fails to present the picture of the cute doggy or ask what elementary school they attended or whatever? Exactly -- only those who have already been done over by other fraudulent schemes and gone through the hell of trying to repair their "reputation".

This is really just a glorified version of "if you don't see a padlock..." and we know how goddamned awful useless that advice is!

Oh, and if I'm wrong and this scheme actually did make some kind of an impact on the scammers such that it affected their bottom line, how long do you think it would be before the scammers made their bogus "bank" pages pop up a little "SiteKey service temporarily unavailable -- proceed with login without it?" dialog box? That would sucker precisely those "foolish" enough to be taken in by the myriad less sophisticated scams we have already seen.

In short, this is a very clever way for the makers of SiteKey to take some money off BoA's customers while providing a weak, but false, odour of "enhanced security". That BoA fell for this gibberish shows that it has NO idea what the real problems are...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Bank of America's SiteKey scheme for protecting online bank accounts Richard M. Smith (Oct 19)
- Re: Bank of America's SiteKey scheme for protecting online bank accounts Nick FitzGerald (Oct 19)
- Re: Bank of America's SiteKey scheme for protecting online bank accounts Valdis . Kletnieks (Oct 20)
- Re: Bank of America's SiteKey scheme for protecting online bank accounts Florian Weimer (Oct 22)