You are viewing a read-only archive of the Blogs.Harvard network.

Bank of America Tries to Fight Phishers

As I signed onto my account today I was forced into registration for a new Bank of America security service. The system is called SiteKey, and it is a pseudo two-factor authentication system. The idea is that the user will choose an image to display on the site after authentication. If the site doesn't display the image, then the user should begin freaking out and realize that they have just been phished.
The images themselves are retrieved via a dynamic URI which uses some very large hashes:
https://sitekey.bankofamerica.com/sas/getMySiteKey?it=[96 char hash]&iv=[15 char hash]

On the surface this seems like a decent system. I think the implementation is a bit off (backwards, actually). When a user has cookies enabled, so the site can recognize the computer, only an ID field is presented. After entering the ID the user is taken to the real authentication page with both username and password fields, and this authentication screen displays the SiteKey image. What's wrong with this? If you are coming from a computer the system does not recognize, then both username *and* password are required before the SiteKey image is presented. Therefore it would not be impossible for a phisher to simply make calls with the authentication info you enter on a fake site and retrieve your actual SiteKey image from the BoA website.
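To make the ordering argument above concrete, here is an added example (my own model, not code from the post or from Bank of America) that writes each flow as an ordered list of steps and reports which user secrets have already been sent before the site shows the SiteKey image. The step names and the two flows are assumptions based on the post; the check itself works for any login flow expressed this way.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One step of a login flow: the user discloses an item, or the site reveals one."""
    actor: str            # "user" or "site"
    item: str             # what is sent or shown in this step
    secret: bool = False  # True when a user-disclosed item is a credential


# Constructed models of the two flows described in the post.
# Recognized computer: ID first, then the page that shows the image and asks for the passcode.
RECOGNIZED_DEVICE = [
    Step("user", "online_id"),
    Step("site", "sitekey_image"),
    Step("user", "passcode", secret=True),
]

# Unrecognized computer: ID and passcode are both required before the image appears.
UNRECOGNIZED_DEVICE = [
    Step("user", "online_id"),
    Step("user", "passcode", secret=True),
    Step("site", "sitekey_image"),
]


def secrets_exposed_before_signal(flow, signal="sitekey_image"):
    """Return the user secrets disclosed before the site proves itself via `signal`.

    An empty list means the signal is shown early enough to protect every credential.
    If the signal never appears, every secret in the flow is reported as exposed.
    """
    exposed = []
    for step in flow:
        if step.actor == "site" and step.item == signal:
            return exposed
        if step.actor == "user" and step.secret:
            exposed.append(step.item)
    return exposed


def sitekey_protects_password(flow):
    """True only if the user sees the SiteKey image before typing the passcode."""
    return "passcode" not in secrets_exposed_before_signal(flow)


if __name__ == "__main__":
    for name, flow in (("recognized", RECOGNIZED_DEVICE), ("unrecognized", UNRECOGNIZED_DEVICE)):
        print(name, "exposes before image:", secrets_exposed_before_signal(flow))
```

Run against the two flows, the recognized-device flow exposes nothing before the image, while the unrecognized-device flow exposes the passcode, which is exactly the case the post is concerned about.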

This system will raise the stakes in the phishing game, but I don't know if it will do so enough to thwart any but the crudest of phishers. If I have enough time I will try to mock up a proof of concept.
