funsec mailing list archives

RE: Study Finds Security Flaws on Web Sites of Major Banks


From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Mon, 5 Feb 2007 08:45:49 -0500

I've been making this point myself (that Sitekey authenticates the site,
but doesn't un-authenticate fake sites) for a long time, but I think
it's unfair and unhelpful for the MIT guy to suggest that BofA is better
off without it. It does at least give users confidence in the site when
they're there.
 
Perhaps the problem is in the reporting (no surprise for the NYT) but
it's not like the academics presented a better idea. And I would want to
see more about the study, like what the fake sites looked like. Was
there any other security software installed? I look at phishing sites
all the time and what with my anti-spam (Sunbelt), KAV, IE7 and FF2 none
of them are getting through to me lately. I have to specifically bypass
dire warnings.
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 
 

________________________________

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of 'Richard M. Smith'
Sent: Monday, February 05, 2007 8:19 AM
To: 'FunSec [List]'
Subject: [funsec] Study Finds Security Flaws on Web Sites of Major Banks



http://www.nytimes.com/2007/02/05/technology/05secure.html?_r=1&oref=slogin&ref=technology&pagewanted=print
 
February 5, 2007

Study Finds Security Flaws on Web Sites of Major Banks 

By BRAD STONE
<http://topics.nytimes.com/top/reference/timestopics/people/s/brad_stone/index.html?inline=nyt-per>

Internet security experts have long known that simple passwords do not
fully defend online bank accounts from determined fraud artists. Now a
study suggests that a popular secondary security measure provides little
additional protection.

The study, produced jointly by researchers at Harvard
<http://topics.nytimes.com/top/reference/timestopics/organizations/h/harvard_university/index.html?inline=nyt-org>
and the Massachusetts Institute of Technology
<http://topics.nytimes.com/top/reference/timestopics/organizations/m/massachusetts_institute_of_technology/index.html?inline=nyt-org>,
looked at a technology called site-authentication images. In the system,
currently used by financial institutions like Bank of America
<http://www.nytimes.com/mem/MWredirect.html?MW=http://custom.marketwatch.com/custom/nyt-com/html-companyprofile.asp&symb=BAC>,
ING
<http://www.nytimes.com/mem/MWredirect.html?MW=http://custom.marketwatch.com/custom/nyt-com/html-companyprofile.asp&symb=IND>
Direct and Vanguard, online banking customers are asked to select an
image, like a dog or chess piece, that they will see every time they log
in to their account.

The idea is that if customers do not see their image, they could be at a
fraudulent Web site, dummied up to look like their bank's, and should
not enter their passwords.

The Harvard and M.I.T. researchers tested that hypothesis. In October,
they brought 67 Bank of America customers in the Boston area into a
controlled environment and asked them to conduct routine online banking
activities, like looking up account balances. But the researchers had
secretly withdrawn the images.

Of 60 participants who got that far into the study and whose results
could be verified, 58 entered passwords anyway. Only two chose not to
log on, citing security concerns.

"The premise is that site-authentication images increase security
because customers will not enter their passwords if they do not see the
correct image," said Stuart Schechter, a computer scientist at the
M.I.T. Lincoln Laboratory. "From the study we learned that the premise
is right less than 10 percent of the time." 

...

 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
