Re: [Full-disclosure] Bank of America SiteKeys ineffective?

From: Mike N (niceman_at_att.net)
Date: 05/27/05

  • Next message: Martin Schulze: "[Full-disclosure] [SECURITY] [DSA 730-1] New bzip2 packages fix file unauthorised permissions modification"
    To: <full-disclosure@lists.grok.org.uk>
    Date: Fri, 27 May 2005 13:39:03 -0400
    
    

    >From: "Mary Landesman" <mlande@bellsouth.net>
    >Subject: Re: [Full-disclosure] Bank of America SiteKeys ineffective?

    > From my read of the news.com article and admittedly limited knowledge of
    > SiteKeys, it does not seem to me their intent is to make sure the user
    > knows they are at a legitimate BOA page. Rather, it seems to me
    > the intent is to
    > ensure that if Betty Boop logs into her BOA account, that she's doing so
    > from a pre-authorized Betty Boop specified computer.

    I found the official press release at

    http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050526.03.htm

       In the press release, one of the 2 key goals is to "Confirm the Web
    site's validity." From the description, it will do no such thing - it only
    confirms a possible link from their browser to the BofA web site, not that
    they are linked correctly and solely to the proper BofA web site.

      Even the challenge-response scenario is nearly useless. If for some
    reason the phisher in the middle couldn't steal the secure cookie and pass
    it on to the real site, the customer might fall for the challenge-response
    questions being relayed from the phisher and answer them; the phisher would
    end up with the challenge-response answer as well as the login. Many
    people regularly dump their cookies for privacy reasons; those people will
    become used to seeing the challenge-response and they won't realize they're
    being taken.

     The press release mentions that they are using PassMark
    http://www.passmarksecurity.com .

       The PassMark is better than nothing, but doesn't accomplish anything in
    the end except to make the customer feel better. It's not as effective as
    inspecting the HTTPS certificate, but training 13 million customers how to
    inspect their certificates and actually have people look at their
    certificates is also probably unrealistic.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
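The phisher-in-the-middle relay described in the message above, as an added simulation that is not part of the original post and not Bank of America's or PassMark's actual protocol. The bank, customer and phisher classes, the message shapes, the challenge question and the customer "betty" are all constructed for illustration. The customer behaves the way SiteKey assumes: she answers a challenge question when her device cookie is missing, and she types her password only after seeing her expected image. The phisher simply forwards each message to the real bank and records everything.

```python
"""Constructed simulation of a SiteKey-style login being relayed by a phisher.
Assumption: a three-step flow (username -> challenge or image -> password);
real PassMark/SiteKey message formats are not modelled."""

import secrets

# Constructed demo account (assumption, not real data)
BANK_RECORDS = {
    "betty": {
        "password": "boop123",
        "image": "img:sailboat",
        "challenges": {"Name of your first pet?": "Bimbo"},
    }
}


class Bank:
    """Toy bank server. Shows the customer's image only once the browser is
    recognised by a device cookie or the challenge question is answered."""

    def __init__(self):
        self.devices = {}   # device cookie -> username
        self.sessions = {}  # session token -> username

    def post_username(self, username, cookie=None):
        if cookie and self.devices.get(cookie) == username:
            return {"image": BANK_RECORDS[username]["image"]}
        question = next(iter(BANK_RECORDS[username]["challenges"]))
        return {"challenge": question}

    def post_challenge(self, username, question, answer):
        if BANK_RECORDS[username]["challenges"].get(question) != answer:
            return {"error": "wrong answer"}
        cookie = secrets.token_hex(8)          # new "trusted device" cookie
        self.devices[cookie] = username
        return {"image": BANK_RECORDS[username]["image"], "set_cookie": cookie}

    def post_password(self, username, password):
        if BANK_RECORDS[username]["password"] != password:
            return {"error": "bad password"}
        token = secrets.token_hex(8)
        self.sessions[token] = username
        return {"session": token}


class Customer:
    """Models the behaviour SiteKey relies on: answer the challenge if asked
    (cookies were cleared for privacy), type the password only after the
    expected image appears. `site` is whatever the browser is talking to."""

    def __init__(self, username, password, answers, expected_image):
        self.username, self.password = username, password
        self.answers, self.expected_image = answers, expected_image
        self.cookie = None  # cleared, so the challenge is a familiar sight

    def login(self, site):
        reply = site.post_username(self.username, self.cookie)
        if "challenge" in reply:
            q = reply["challenge"]
            reply = site.post_challenge(self.username, q, self.answers[q])
            self.cookie = reply.get("set_cookie")
        if reply.get("image") != self.expected_image:
            return None  # wrong or missing image: customer refuses to continue
        return site.post_password(self.username, self.password)


class Phisher:
    """Fake site that relays every message to the real bank and keeps a copy.
    The browser would never send the bank's cookie to the phisher's domain,
    so the relay always starts cookieless, which just triggers the challenge."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = {}

    def post_username(self, username, cookie=None):
        self.captured["username"] = username
        return self.bank.post_username(username, None)

    def post_challenge(self, username, question, answer):
        self.captured["challenge"] = (question, answer)
        reply = self.bank.post_challenge(username, question, answer)
        self.captured["device_cookie"] = reply.get("set_cookie")  # keep it
        return {"image": reply["image"]}  # show the real image to the victim

    def post_password(self, username, password):
        self.captured["password"] = password
        reply = self.bank.post_password(username, password)
        self.captured["session"] = reply.get("session")  # phisher is logged in
        return reply


def betty():
    rec = BANK_RECORDS["betty"]
    return Customer("betty", rec["password"], rec["challenges"], rec["image"])


def direct_login():
    """Honest flow: challenge, image, password, session for the customer."""
    bank = Bank()
    return betty().login(bank), bank


def relay_attack():
    """Same customer, same behaviour, but the 'site' is the phisher."""
    bank = Bank()
    phisher = Phisher(bank)
    betty().login(phisher)
    return phisher.captured, bank
```

Run `relay_attack()` and the phisher's `captured` dict holds the username, the challenge answer, a device cookie the bank now trusts, the password and a live session token, exactly the outcome the message predicts. The image check in `Customer.login` never fires because the phisher shows the genuine image obtained from the bank; the only thing that would have distinguished the two sites is the HTTPS certificate, which this model does not inspect.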