Bank of America has an online security measure called SiteKey and says, “[W]hen you see your SiteKey, you can be certain you’re at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site.”
But Christopher Soghoian, previously known for publicizing an NWA boarding pass generator, demonstrates how a variant on the “man in the middle” phishing attack can subvert SiteKey and still steal money from unaware consumers. He’s got a movie, too.
While users need take steps to protect themselves, like never clicking banking links in emails, and verifying the URL they’re visiting is correct, it’s plain incorrect for Bank of America to say SiteKey is invulnerable. — BEN POPKEN
Service [Slight Paranoia]