funsec mailing list archives

"A Deceit-Augmented Man In The Middle Attack Against Bank of America's SiteKey ® Service" (seen on slashdot)


From: Paul Vixie <paul () vix com>
Date: Thu, 12 Apr 2007 18:19:55 +0000

We present this demonstration of a "deceit-augmented man in the middle attack"
against the SiteKey ® service used by Bank of America (the underlying
technology is also used by other companies). This, or a similar attack, could
be used by a phisher to deceive users into entering their login details to a
fraudulent website. BoA's own website tells users: "[W]hen you see your
SiteKey, you can be certain you're at the valid Online Banking website at Bank
of America, and not a fraudulent look-alike site. Only enter your Passcode
when you see the SiteKey image and image title you selected."

We believe that this statement is not completely true, as our deceit-augmented
man-in-the-middle attack shows. Whereas a normal man-in-the-middle attack
identically replicates the attacked site, a deceit-augmented man-in-the-middle
attack may present the user with a slightly different user interface than the
regular interface. Man in the middle (MiTM) attacks are not a new threat -
they have been known about for a number of years, and phishers have already
used them to target Citibank and other online banks.

http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
