funsec mailing list archives

Re: Bank of America's SiteKey scheme for protecting online bank accounts


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 20 Oct 2005 17:24:22 +1300

Richard M. Smith wrote:

What do folks think about Bank of America's new SiteKey system for
protecting online bank accounts:
<<snip>>

A bunch of us discussed this somewhere else when it was first 
announced.

It is an example of what I call "negative security" -- to work the 
victim has to not only notice that something is wrong/missing/ 
different BUT also has to be concerned enough to act (or, more to the 
point, to fail to act!  8-) ) because of the lack of the required/ 
expected/etc content.

That is, the truly stupid, naive, gullible folk that need the most help 
get the _least_ help from a scheme like this.  How many users that are 
"dumb" enough to enter their online banking details into a page at a 
URL like http://1.2.3.4/somelargebankname.com/ebanking/login do you 
_really_ think are going to be savvy enough to NOT give their 
data to some other equally obviously (to _us_) bogus site that fails 
to present the picture of the cute doggy or ask what elementary school 
they attended or whatever?

Exactly -- only those who have already been done over by other 
fraudulent schemes and gone through the hell of trying to repair their 
"reputation".

This is really just a glorified version of "if you don't see a 
padlock..." and we know how goddamned awful useless that advice is!

Oh, and if I'm wrong and this scheme actually did make some kind of an 
impact on the scammers such that it affected their bottom-line, how long 
do you think it would be before the scammers made their bogus "bank" 
pages pop-up a little "SiteKey service temporarily unavailable -- 
proceed with login without it?" dialog box?  That would sucker 
precisely those "foolish" enough to be taken in by the myriad less 
sophisticated scams we have already seen.

In short, this is a very clever way for the makers of SiteKey to take 
some money off BoA's customers while providing a weak, but false, odour 
of "enhanced security".

That BoA fell for this gibberish shows that it has NO idea what the 
real problems are...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
