False Sense of Security at Bank of America
As Quoted from the New York Times:
“The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they log in, but users don’t comply. ‘The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank’s, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.’ The study, aptly entitled “The Emperor’s New Security Indicators”, is available online.”
For every security measure there is an equally effective countermeasure. Lesson here: be VERY careful with all your IMPORTANT online surfing.

I think this goes back to a couple of old sayings.
1. “don’t call your customers stupid, but always remember they are”
2. “just when you think something is idiot proof, god comes along and makes another idiot”
I think the main point of the site key is not that it is exact but that a fraudulent site would not be able to duplicate it at all. A fraud site would not know if my site key was the dog or the cat or one of the other 15 options. Whether the cat looks exactly right is not the point.
I don’t know if you’d call this a good countermeasure, as it is; people are really fucking stupid.