September 20, 2007
How Much Security Constitutes "Certain?"
Christopher Soghoian wonders if Bank of America is lying to its customers when it says its security measures allow them to be "certain" they're not being phished.
The nut of his objection is that BoA's two-factor authentication system, which presents an image known only to the user and the bank before allowing the user to enter his or her credentials, is vulnerable to man-in-the-middle attacks:
The problem is that all of these schemes--every single one of them--is vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.
On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system.
In its defense, BoA says its SiteKey system is just part of a whole arsenal of security measures. Soghoian isn't buying it:
Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?
Anyone who says something is definitively and incorruptibly secure isn't telling the truth. People who think about security a lot subconsciously append "until it's compromised" to any assertion about a security technique or product.
And BoA's responses to Soghoian's charges skip around the fact that they specifically represent SiteKey as absolutely secure.
BoA should be qualifying its claims. Any sensitive transaction done over the Web should involve some sort of due diligence on the part of the end user: A quick glance at the location bar, making sure the browser thinks it has a secure connection by looking for the padlock icon, and a scan of the page to make sure it looks right.
Encouraging end users to focus on one thing, like whether or not a single image matches what they expect to see, also encourages them to ignore other problems with a page that might give them pause.
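To make the argument concrete, here is an added toy model (not from the original post, and not BoA's or anyone's production code) of the SiteKey exchange described above: a genuine server, a static clone that knows no images, and a relay that simply forwards the username to the real bank and returns whatever image comes back. It shows why "the image matches" cannot by itself mean "certain", and why the location-bar check recommended above is the one that actually discriminates. All origins, usernames and image names are constructed placeholders.

```python
# Toy model of the SiteKey check versus an origin check (added example, constructed values).

BANK_ORIGIN = "https://bank.example"            # constructed placeholder, not a real host
SITEKEY_IMAGES = {"alice": "red-bicycle.png"}    # constructed: the image the bank shows alice


class Bank:
    """The genuine server: returns the user's SiteKey image before asking for a password."""
    origin = BANK_ORIGIN

    def sitekey_for(self, username):
        return SITEKEY_IMAGES.get(username)


class StaticClone:
    """A copied login page with no back-channel to the bank.
    It cannot know alice's image, so the SiteKey check does catch it."""
    origin = "https://bank-example-secure.test"  # constructed placeholder origin

    def sitekey_for(self, username):
        return None


class Relay:
    """Any intermediary that answers the client by asking the real bank (the MITM case
    from the quoted text). It needs no knowledge of images; forwarding is enough."""
    origin = "https://bank-example-login.test"   # constructed placeholder origin

    def __init__(self, upstream):
        self.upstream = upstream

    def sitekey_for(self, username):
        return self.upstream.sitekey_for(username)


def image_check(server, username, expected_image):
    """The SiteKey rule as marketed: image matches, therefore you are at the bank."""
    return server.sitekey_for(username) == expected_image


def origin_check(server, expected_origin):
    """The check the post recommends: compare what the location bar / certificate says."""
    return server.origin == expected_origin


def evaluate(server):
    """Run both checks for alice against a given server and report what each concludes."""
    return {
        "image_matches": image_check(server, "alice", "red-bicycle.png"),
        "origin_matches": origin_check(server, BANK_ORIGIN),
    }
```

The image check rejects the static clone but accepts the relay exactly as it accepts the real bank; only the origin check separates the three cases, which is the "until it's compromised" caveat in code form.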
Posted by mhall at 5:07 PM