Bank of America's "Perfect" Security System Actually Vulnerable To Phishing

Bank of America has an online security measure called SiteKey and says, “[W]hen you see your SiteKey, you can be certain you’re at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site.”

But Christopher Soghoian, previously known for publicizing an NWA boarding pass generator, demonstrates how a variant on the “man in the middle” phishing attack can subvert SiteKey and still steal money from unaware consumers. He’s got a movie, too.

While users need to take steps to protect themselves, like never clicking banking links in emails and verifying that the URL they’re visiting is correct, it’s plainly incorrect for Bank of America to say SiteKey is invulnerable. — BEN POPKEN
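To make the "man in the middle" variant concrete, here is a small simulation (an added example, not code from the original post, from Soghoian's write-up, or from Bank of America). It models only what the page describes: the bank shows the user's chosen image and caption after the login ID alone, before any password is typed, so a look-alike site can simply relay the login ID to the real bank, show the genuine image back to the victim, and harvest the password that follows. The bank's interface (`sitekey_for`, `login`), the phishing host name, and the sample account are all constructed stand-ins for the real flow, which has more steps than are modelled here.

```python
"""Simulation of a relaying phishing site against a SiteKey-style image check.

Added example, not the post's or Bank of America's code. The bank's two-call
interface, the look-alike host, and the account data are constructed for
illustration only.
"""
from dataclasses import dataclass, field

BANK_HOST = "www.bankofamerica.com"                 # the legitimate host
PHISH_HOST = "bankofamerica-secure-login.example"   # constructed look-alike


@dataclass
class Bank:
    """Minimal model of a SiteKey-protected login: the image and caption are
    returned for a bare login ID, before the password is supplied."""
    accounts: dict                      # login_id -> {image, caption, password}
    sessions: list = field(default_factory=list)

    def sitekey_for(self, login_id):
        acct = self.accounts.get(login_id)
        if acct is None:
            return None
        return acct["image"], acct["caption"]

    def login(self, login_id, password):
        acct = self.accounts.get(login_id)
        if acct is not None and acct["password"] == password:
            token = f"session-{len(self.sessions) + 1}"
            self.sessions.append((login_id, token))
            return token
        return None


@dataclass
class PhishingProxy:
    """Look-alike site sitting between the victim and the real bank."""
    bank: Bank
    harvested: list = field(default_factory=list)

    def sitekey_for(self, login_id):
        # Step 1: relay the login ID to the real bank and echo back whatever
        # image/caption it returns. Nothing secret is needed to obtain it.
        return self.bank.sitekey_for(login_id)

    def login(self, login_id, password):
        # Step 2: the victim, reassured by the correct image, types the password.
        self.harvested.append((login_id, password))
        # Step 3: replay it against the real bank so the victim sees a normal login.
        return self.bank.login(login_id, password)


@dataclass
class User:
    """A customer who compares the image shown to the one they chose, and who
    may or may not also check the host name in the address bar."""
    login_id: str
    password: str
    expected_sitekey: tuple
    checks_url: bool = False

    def visit(self, host, site):
        if self.checks_url and host != BANK_HOST:
            return "refused: wrong host"
        shown = site.sitekey_for(self.login_id)
        if shown != self.expected_sitekey:
            return "refused: sitekey mismatch"   # never reached against the relay
        return site.login(self.login_id, self.password)


def run_scenario(user_checks_url):
    """Run one victim through the phishing proxy; returns (outcome, harvested)."""
    bank = Bank(accounts={
        "alice": {"image": "lighthouse.jpg", "caption": "my boat",
                  "password": "hunter2"},            # constructed sample account
    })
    proxy = PhishingProxy(bank)
    victim = User("alice", "hunter2", ("lighthouse.jpg", "my boat"),
                  checks_url=user_checks_url)
    outcome = victim.visit(PHISH_HOST, proxy)
    return outcome, list(proxy.harvested)


if __name__ == "__main__":
    print("image check only :", run_scenario(user_checks_url=False))
    print("image + URL check:", run_scenario(user_checks_url=True))
```

The first run shows the failure mode the post is about: the SiteKey comparison passes because the image really is the bank's, the victim gets a genuine session, and the proxy now holds the login ID and password. The second run shows that the check which actually stops the relay is the one the post recommends, comparing the host name against the bank's, which the image alone can never substitute for.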

A Deceit-Augmented Man In The Middle Attack Against Bank of America’s SiteKey Service [Slight Paranoia]



  1. Trai_Dep says:

    Somebody alert Boston Homeland Security: Soghoian just stole billions of dollars from the Federal Reserve.

    Oh, wait…

  2. werdna says:

    Of course Sitekey is vulnerable because it depends on the competence of the person using it. Most people going to a BOA phishing site would completely forget about the fact that they have a sitekey (I know I would). BOA is still a good target for phishers because there will still be a small percent of people that will put in their info unaware of sitekey.

  3. Bradley says:

    Ill just have to patiently explain to them that this must be where that large sum of money I deposited went to.

  4. Skeptic says:

    Cute. The man in the middle attack succeeds again…

    This just goes to show that the Site Key system is not only an inconvenient time waster that most people ignore, but it provides only a false sense of security even for those people who do pay attention.

    BofA needs to replace security theater with actual security. The only thing that will make them do that are laws that hold banks strictly and financially accountable for when they give out funds to people other than the account holder. The law needs teeth in the form of punitive damages and an exemption from mandatory arbitration clauses.

  5. Xkeeper says:

    Consider especially that since this is “invulnerable to security attacks”, well, that just gives people a false sense of security.

    And with that comes a lowered guard.

    If this method ever becomes prevalent, you can be pretty damn sure that it might even be more effective than the other one… Especially since if it’s right, they will have access while making it look entirely normal to you.

    Uh oh.

  6. medalian1 says:

    I hate that sitekey and ING’s pin thing. I just like username/passwords. Sucks that we have so many stupid people!

  7. 5cents says:

    What a fantastically amazing graphic. Everything is just so clear :) Agreed, BoA is out of line saying it’s invulnerable. I find SiteKey a bit gimmicky too.

  8. OnceWasCool says:

    This just proves that some people just shouldn’t have a computer.

    I told my wife, if the bank or credit card companies contact you through email, just delete it no matter what it says. She has a URL to our bank and our credit card companies and she has been very smart about it.

  9. mac-phisto says:

    heheh. i blame the regulators. they are the ones touting dual authentication. proof positive that if someone wants to steal, they will find a way.

  10. MameDennis says:

    Until BOA lets me create a more secure password for my account than I have with my CD club, the sitekey leaves me unimpressed. No “rogue characters”? Bah.

  11. Beerad says:

    @Skeptic: “The only thing that will make them do that are laws that hold banks strictly and financially accountable for when they give out funds to people other than the account holder.”

    Umm, what exactly would this mean? If the bank gets defrauded by someone and it’s caught, they’re still going to give me my money. It’s not like “Oh snap, we’re sorry, someone scammed us out of your money last month so you’re broke now.” And if you actually want to impose punitive damages, as your next sentence suggests, I can’t wait for the next wave of ID verification — “Oh, the fingerprint was last month. Now we need a blood sample and a DNA swab. Sorry, we’re just protecting ourselves.”

  12. BMR says:

    the missing factor here is that a human must fall for it. so as long as there are humans with bank accounts, there will be one who falls for it. that is not BoA’s fault…that is just a fact. They could go to the end of the earth to tighten security and there will always be a sucker giving their info away. It is really naive to imply that BoA does not care about security – sure they deserve some criticism, but obviously they care about security. They are a HUGE bank, billions and billions of dollars – duh, they care about security.

  13. bastarre says:

    @MameDennis: You ain’t lying about that. WTF do you mean I can’t use special symbols? That’s a big part of what makes passwords strong.

  14. RubyKhan says:

    Does anyone know of an online consumer banking site that uses a dongle like PayPal/Ebay? Some banks are starting to offer them on their business accounts.

  15. oldhat says:

    The worst part of this is that the Bank(s) hide behind all their security when things go wrong.

    Like when somebody (usually an inside job) hacks the ATM system the bank thinks the customer is lying, since the system is perfect.

    They put up all this and refuse to admit that it’s not infallible.

    If somebody robs the bank, no matter how it’s done, it’s the bank’s fault. If it’s a stolen identity, guess what, still the bank’s fault! As they are the ones that got fooled! You still got your identity, but the bank got conned.

    Yet, they blame you…

  16. mac-phisto says:

    @oldhat: you’re right that it’s the bank’s responsibility b/c of laws developed to hold harmless ID theft victims. but i have encountered MANY instances where the “victim” acted more like an accomplice:

    -$2,000 loss caused by a stolen ATM card where the holder admitted to writing the PIN on the card with a sharpie pen.

    -$800+ loss due to a person who did not protect access to card & PIN from roommate.

    -$4,500 loss due to a cardholder’s acquaintance memorizing cardholder’s PIN while accompanying her to ATM machine over the course of a few weeks. stole card & wiped out bank account in 3 days.

    i believe the laws are written correctly, & i am not advocating otherwise. i am merely showing that some people are not as vigilant with sensitive information as they should be. ID theft is, after all, a socially engineered crime. if people weren’t naive enough to fall for the bait, these scams wouldn’t work.

    & remember, banks aren’t in business b/c they take losses. BoA made $16.5 billion in profit in 2006 despite thousands of similar losses. guess who’s making up the difference?

  17. atbradley says:

    I’m a former Fleet Bank employee who ended up with a BoA account (and no job) after BoA’s takeover of Fleet in 2005. I’ve never been remotely impressed by SiteKey. Look: The idea is, you type in your login ID, then it shows you a picture and caption you picked out for yourself before you type in your password. So you know it’s really the bank’s site before you type in your password. Great. Except that my login ID, which BoA assigned when my account switched over, is my debit card number!

    So I guess all SiteKey is intended to do is make sure I know, right away, if I’ve given my debit card number to a phisher.