[VOIPSEC] On the topic of Vishing

Dustin D. Trammell dtrammell at tippingpoint.com
Mon Jul 17 16:22:01 CDT 2006


On Fri, 2006-07-14 at 08:42 -0400, J. Oquendo wrote:
> The scenario above would work more than a user/pass combo since
> human factors are almost always the issue regarding compromises.
> Let's use for example Bank of America's "Sitekey" scenario. Their
> so called twofold method of authentication: You enter your
> credentials and a picture pops up asking you for your "next" method
> of authenticating based on the picture. So what is the answer? Well
> based on the types of pictures I've seen them dish out they tend to
> be simple, a guitar, a banana, a vase. Let Joe Simple's info become
> compromised to an extent, an intruder uses the information gathered
> as far as log in (user/pass) and sees a picture of a banana. Well
> Joe Simple not knowing any better decides his Sitekey will be (what
> else?) banana. Twofold auth based on user input is not that great
> of a solution.

I think you may have missed the point of BofA's SiteKey.  The SiteKey is
meant to authenticate the site to the user, not be a second form of user
authentication of the user to the site.  When you go to BofA's website,
you first only enter your username.  Then, the site displays your
pre-chosen SiteKey (image you chose plus whatever you named the image).
If the SiteKey is correct, then you are supposedly sure that you are
viewing the authentic BofA website.  Then, you enter your password that
corresponds with the username that you entered before the SiteKey was
displayed.  This is still only a single username/password credential for
authenticating the user to the site.

The biggest problem I see with this method of authenticating the site to
the user is that SiteKey is supposedly helping to prevent phishing and
MITM attacks; however, once you have a valid username, you can get the
user's SiteKey directly from the BofA website without the full set of
credentials, which an attacker could perform during an active MITM
attack and then simply pass on the SiteKey information to the
unsuspecting user.  I believe that BofA's SiteKey really only provides a
false sense of security to their users.

-- 
Dustin D. Trammell
VoIP Security Research
TippingPoint, a division of 3Com
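The login flow described in this post, as an added toy model (not code from the list or from any bank): a user first sends only a username, the site answers with the stored SiteKey (image plus caption), and the user only proceeds to the password step if the SiteKey matches. The model then checks what that comparison actually rules out: a site that cannot look up the SiteKey is refused, but any intermediary that simply forwards the username to the real site obtains the SiteKey with no credentials and passes the check. All names, account data and the `"ok"`/`"refused"` result strings are constructed for this example.

```python
"""Toy model of a username -> SiteKey -> password login flow.

Everything here is constructed for illustration; there is no network code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SiteKey = Tuple[str, str]  # (image name, user-chosen caption)

# Constructed sample account store: username -> (image, caption, password).
ACCOUNTS = {
    "joe.simple": ("banana.png", "my lunch", "correct horse battery"),
}


class RealSite:
    """The legitimate site: holds the SiteKey and the password."""

    def sitekey_for(self, username: str) -> Optional[SiteKey]:
        # Step 1 of the flow: only the username is needed to obtain the SiteKey.
        rec = ACCOUNTS.get(username)
        return None if rec is None else (rec[0], rec[1])

    def login(self, username: str, password: str) -> bool:
        # Step 2: the single username/password credential is the only user auth.
        rec = ACCOUNTS.get(username)
        return rec is not None and rec[2] == password


class GuessingSite:
    """A site with no access to the real store; it can only show a guessed key."""

    def sitekey_for(self, username: str) -> Optional[SiteKey]:
        return ("vase.png", "")

    def login(self, username: str, password: str) -> bool:
        return False


class ForwardingSite:
    """A site that knows nothing itself but relays each request upstream.

    This models the intermediary described in the post: the SiteKey it
    presents is fetched from the real site using the username alone.
    """

    def __init__(self, upstream: RealSite):
        self.upstream = upstream
        self.credentials_seen = []  # what passes through the intermediary

    def sitekey_for(self, username: str) -> Optional[SiteKey]:
        return self.upstream.sitekey_for(username)

    def login(self, username: str, password: str) -> bool:
        self.credentials_seen.append((username, password))
        return self.upstream.login(username, password)


@dataclass
class User:
    username: str
    password: str
    expected_sitekey: SiteKey

    def login_to(self, site) -> str:
        """Follow the flow: refuse unless the displayed SiteKey matches."""
        shown = site.sitekey_for(self.username)
        if shown != self.expected_sitekey:
            return "refused"  # the SiteKey check does stop this site
        if site.login(self.username, self.password):
            return "ok"
        return "bad-password"


def run_demo() -> dict:
    """Exercise the same user against the three site models."""
    user = User("joe.simple", "correct horse battery", ("banana.png", "my lunch"))
    real = RealSite()
    forwarding = ForwardingSite(real)
    return {
        "real": user.login_to(real),
        "guessing": user.login_to(GuessingSite()),
        "forwarding": user.login_to(forwarding),
        # The check passed, yet the credential went through the intermediary.
        "leaked_via_forwarding": list(forwarding.credentials_seen),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The `GuessingSite` result shows the only case the comparison defends against; the `ForwardingSite` result is the post's point that a SiteKey retrievable from the username alone cannot distinguish the real site from anything placed in front of it.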
