Saturday, May 28, 2005

Bank of America takes on cyberscams: a report card

The Bank of America will be rolling out a series of anti-fraud measures to combat the wave of phishing attempts roiling cyberspace.

Let's take a look at some of their new, and hopefully improved, anti-phishing countermeasures:

When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.

Let's break this down. You visit the BofA site and enter your login name. The BofA site displays your personal, pre-selected image (say, a picture of your hero, John Bolton) and phrase. You examine them, decide they're correct, and only then enter your password. *Voila* - a fraud-proof login? Or is it?

It certainly renders the typical false store-front approach more difficult. In the past, the phishers only needed to put up a look-alike welcome-and-login page, capture the credentials at login time, and redirect the victim to the genuine site. A static copy of the page can't show an image it doesn't know.

But a new, "improved" phishing storefront approach is still feasible with SiteKey. Consider the following sequence of events:

1) Phishing site presents a false store-front to victim
2) Victim enters login name at false store-front
3) Behind the scenes, false store-front visits real site, enters victim's login name at real site, and captures returned web page, SiteKey image, etc.
4) False store-front now presents victim with its captured web page and SiteKey image
5) Victim verifies image and enters password into false store-front
6) False store-front notifies crook that a valid session is active

In other words, the false store-front simply brokers a bit more of the authentication sequence transpiring between the victim and the genuine site. The image proves only that *someone* who knows your login name has just queried the real site - and the store-front knows your login name because you just typed it in. Put simply, this is a minor technical challenge for the phishers: a relaying proxy instead of a static copy of the page.

Personal image countermeasure - Grade: C, primarily for the effort... not the effectiveness.

In another feature, SiteKey links the customer's PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions... Additional PCs, such as an office computer, can be linked to the bank's Web site so a customer doesn't have to keep answering challenge questions.

There are really two ways that BofA could "tie" the customer PC to the site: via source IP addresses or via cookies. IP addresses are problematic. A customer using AOL, for instance, can appear to be coming from multiple IP addresses, all in one transaction. This is the case because AOL uses an entire bank of proxy servers to broker web traffic for its customers. So I suspect IP addresses would not be suitable for "tying" the PC to the bank.

Cookies are the more likely candidate. Once the user successfully performs a "full login" (complete with challenge/response), a cookie is delivered to the PC to speed subsequent logins.

A couple of vulnerabilities with this approach: a cross-site scripting flaw on the bank's own site could leak the device cookie (and the session cookie alongside it) to the phishing site. The device cookie alone is not a login, but paired with a phished password it lets the crook skip the challenge entirely. Or, more likely, a false store-front would simply broker the full authentication sequence -- including the challenge -- thereby gaining access to the account and, since the cookie is issued to whatever machine completed the challenge, registering the crook's PC as a trusted one.
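The six-step relay sequence above, and the brokered challenge/cookie variant described here, as one added simulation. This is example code written for this post, not Bank of America's implementation or anything published by them; the class names, the sample account "alice", the image, phrase, challenge question and cookie scheme are all constructed assumptions standing in for the real site. It runs offline and shows why a correct image tells the customer nothing about who is on the other end of the connection.

```python
"""Simulation of a SiteKey-relaying false store-front (added example).

Everything here is hypothetical: RealBank stands in for the genuine site,
PhishingStorefront for the crook's proxy, and the account data is made up.
"""
import secrets


class RealBank:
    """Stand-in for the genuine site: image lookup by login name, a challenge
    question for unregistered PCs, and a device cookie after a full login."""

    def __init__(self):
        # Constructed sample account (hypothetical data).
        self.accounts = {
            "alice": {
                "password": "correct horse",
                "sitekey": ("dog.jpg", "my faithful hound"),
                "challenge": ("First car?", "pinto"),
            }
        }
        self.device_cookies = {}  # cookie value -> username
        self.sessions = {}        # session id -> username

    def sitekey_for(self, username):
        """Anyone who supplies a valid login name is shown that user's image
        and phrase; nothing here is secret from a relaying proxy."""
        acct = self.accounts.get(username)
        return acct["sitekey"] if acct else None

    def login(self, username, password, device_cookie=None):
        """("challenge", question) when the PC is not registered,
        ("session", session_id, device_cookie) when it is."""
        acct = self.accounts.get(username)
        if acct is None or acct["password"] != password:
            return ("fail",)
        if self.device_cookies.get(device_cookie) != username:
            return ("challenge", acct["challenge"][0])
        return ("session", self._new_session(username), device_cookie)

    def answer_challenge(self, username, password, answer):
        """A correct answer registers the *calling* machine with a new cookie."""
        acct = self.accounts.get(username)
        if acct is None or acct["password"] != password or answer != acct["challenge"][1]:
            return ("fail",)
        cookie = secrets.token_hex(16)
        self.device_cookies[cookie] = username
        return ("session", self._new_session(username), cookie)

    def _new_session(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid


class PhishingStorefront:
    """The false store-front: same interface as the real site, but every call
    is brokered to the genuine bank and the credentials and tokens are kept."""

    def __init__(self, real_bank):
        self.bank = real_bank
        self.captured = {}

    def sitekey_for(self, username):
        # Steps 2-4: forward the login name, hand back the real image.
        self.captured["username"] = username
        return self.bank.sitekey_for(username)

    def login(self, username, password, device_cookie=None):
        # Step 5: the victim trusted the image and typed the password.
        # The storefront's own machine has no cookie, so a challenge comes back.
        self.captured["password"] = password
        return self.bank.login(username, password)

    def answer_challenge(self, username, password, answer):
        # The extra challenge is brokered too; the resulting cookie and
        # session belong to the storefront's machine, not the victim's.
        self.captured["challenge_answer"] = answer
        result = self.bank.answer_challenge(username, password, answer)
        if result[0] == "session":
            self.captured["session"] = result[1]
            self.captured["device_cookie"] = result[2]
        return result


def victim_logs_in(site, username, password, expected_sitekey, challenge_answer):
    """A diligent customer: checks image and phrase before typing the password,
    then answers a challenge if one appears. Returns the site's final result."""
    if site.sitekey_for(username) != expected_sitekey:
        return ("aborted", "sitekey mismatch")
    result = site.login(username, password)
    if result[0] == "challenge":
        result = site.answer_challenge(username, password, challenge_answer)
    return result


def run_relay_demo():
    """Run the victim against the store-front; return bank, store-front, outcome."""
    bank = RealBank()
    storefront = PhishingStorefront(bank)
    outcome = victim_logs_in(storefront, "alice", "correct horse",
                             ("dog.jpg", "my faithful hound"), "pinto")
    return bank, storefront, outcome
```

After `run_relay_demo()` the victim has seen the right image, answered the right question and received a valid session, yet the store-front holds the password, the challenge answer, a live session id and a device cookie the bank now associates with the crook's machine. The only observable difference on the victim's side is the challenge question appearing on a PC that was supposedly already registered.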

Only a truly diligent customer would likely notice that extra challenge. The tell is that the challenge appears at all: the store-front's relay machine isn't registered, so the bank asks the question, while the customer's own PC was registered and shouldn't have needed it. I'm guessing fewer than 5% of the entire customer audience would spot that. And that's the only reason I'll give this countermeasure a slightly higher grade - the extra 5% of customers who'll notice something fishy.

PC-to-site tying countermeasure - Grade: C+

In short, these are decent -- but half-hearted -- efforts at phish-fighting. I'll post some additional ideas regarding phish combat later.

Diversity in these approaches among the various financial institutions would be a good thing. With diversity, the phishers will need to build different relay infrastructure for each false store-front. But build it they will, as the cyberwar between crooks and institutions continues unabated.
