[Infowarrior] - False security: Is Bank of America lying to its customers?
Richard Forno
rforno at infowarrior.org
Thu Sep 20 15:30:57 UTC 2007
September 20, 2007 6:15 AM PDT
False security: Is Bank of America lying to its customers?
Posted by Chris Soghoian
http://www.news.com/8301-10784_3-9776757-7.html?part=rss&subj=news&tag=2547-1_3-0-20
A bank that guarantees its online users safety and security has direct
evidence that its Web-based banking system may not be 100 percent
bullet-proof.
Should that bank tell its customers? And if it doesn't, is it misleading,
or even worse, lying to them?
Bank of America, like many other financial institutions in the U.S., has
jumped on the "two-factor" authentication bandwagon. Instead of having its
customers log in with just a user name and password, these new schemes
require some third bit of information.
Some banks choose to issue their customers a cryptographic hardware token (a
keychain with a digital display that spits out a new random number every 60
seconds). Others, especially those banks with less profitable customers,
have opted to instead adopt software solutions. The advantage of this, of
course, being that they don't have to spend any money to send widgets out to
their customers.
BofA's SiteKey two-factor authentication system is essentially a rebadged
version of the PassMark system sold by RSA/EMC. Other banks that have
licensed the technology include Pentagon Federal Credit Union, Vanguard, and
U.K.-based bank Alliance & Leicester. Users of SiteKey and similar systems
select a graphical image and phrase, which are then displayed to them every
time they log in to the Bank of America Web site from a "trusted" computer
(that is, one that BofA has seen before).
According to Bank of America's own numbers (PDF), over 21 million customers
use their online banking system. BofA's Web site promises customers that the
SiteKey system will keep them safe, stating: "You know it's really us--when
you see your SiteKey, you can be certain you're at the valid Online Banking
Web site at Bank of America, and not a fraudulent look-alike site. Only
enter your Passcode when you see the SiteKey image and image title you
selected."
[Figure: How SiteKey Works (Credit: Bank of America)]
The problem is that all of these schemes--every single one of them--are
vulnerable to a form of deception known as a man-in-the-middle (MITM)
attack. Russian phishers launched a sophisticated MITM attack against the
hardware-token-based, two-factor authentication scheme used by Citibank.
Another group of hackers was able to rip off customers of the Dutch bank ABN
Amro, which also issued hardware tokens.
On multiple occasions in 2005 and 2006, security researchers raised the
alarm regarding the false promises of two-factor authentication, and in
particular, Bank of America's SiteKey system. Finally in April 2007,
Professor Markus Jakobsson and I announced a working demo of a successful
man-in-the-middle attack against SiteKey. Based on advice from lawyers, we
did not release an easy-to-use version of the system, nor were we able to
provide access to the demo to others online. To provide the factual support
for our claims and to demonstrate how relatively easy such an attack would
be to perform, we released a screen-captured video of the demo, as well as
source code that would allow an advanced user to download the SiteKey image
from any remote, untrusted machine.
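The following toy model is added here as an illustration (it is not Bank of America's, RSA's, or the authors' demo code) of the point above: a secret the server displays back to the user, such as a SiteKey image, is handed to whichever party relays the user's answers to the bank, so it cannot prove the site is genuine, whereas a check bound to the origin the browser verified can. Hostnames, account data, and challenge answers are constructed.

```python
# Toy model, added here as an illustration (not Bank of America's, RSA's or the
# authors' demo code), of why a server-displayed secret such as the SiteKey image
# cannot prove the site is genuine once a relay forwards traffic both ways, while
# a check bound to the verified origin can.  Hostnames and data are constructed.

GENUINE_ORIGIN = "onlinebanking.example"         # hypothetical bank host
LOOKALIKE_ORIGIN = "onlinebanking-example.test"  # hypothetical relay host

# constructed sample data: username -> (challenge answer, (image, phrase))
_ACCOUNTS = {"alice": ("first pet: rex", ("sailboat.png", "calm seas"))}


class BankServer:
    """Shows a user's image/phrase once the user identifies themself.  On an
    unrecognised computer the real flow asks challenge questions; that answer
    comes from the user and so reaches the bank through whatever site the
    user is actually talking to."""
    origin = GENUINE_ORIGIN

    def sitekey(self, username, challenge_answer):
        answer, sitekey = _ACCOUNTS[username]
        if challenge_answer != answer:
            raise PermissionError("challenge failed")
        return sitekey  # not bound to who is asking


class RelayServer:
    """A look-alike site that forwards requests upstream and responses back."""
    origin = LOOKALIKE_ORIGIN

    def __init__(self, upstream):
        self._upstream = upstream

    def sitekey(self, username, challenge_answer):
        return self._upstream.sitekey(username, challenge_answer)


def image_check(server, username, challenge_answer, expected):
    """The check the SiteKey page asks the user to rely on: does the image shown
    match the one I chose?  True for any server that can reach the bank."""
    return server.sitekey(username, challenge_answer) == expected


def origin_check(server):
    """The check that actually tells the two apart: the origin the browser
    verified through the certificate equals the bank's, which a relay cannot
    present as its own."""
    return server.origin == GENUINE_ORIGIN
```

Running both checks against the genuine server and against the relay shows the image check passing in both cases and only the origin check failing for the relay.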
Our demo got quite a bit of press attention, with mentions in The Register,
ZDNet and The Washington Post. One of the main points we tried to make when
we put our demo online is that Bank of America is promising its customers
something impossible. By telling users that the SiteKey image guarantees
they are visiting BofA's Web site--and not a phishing page--Bank of America
is giving its users a false sense of security. Were BofA to instead
acknowledge the risks of phishing and man-in-the-middle attacks, users might
be more cautious when logging into suspect Web sites.
Shortly after we released the demo, Louie Gasparini, chief technology
officer for RSA's Site to User Authentication group, was interviewed by Brian
Krebs at The Washington Post. He said that our attack demo "overlooks a
number of back-end technologies that financial institutions use to detect
fraudulent transactions."
"What they're critiquing is just the most visible piece to this technology,"
Gasparini added. "There is a whole bunch of risk management and fraud
detection that goes on behind the scenes so that even if a user's account
does get compromised, the bank can still protect that person."
Gasparini's comments mirror those of Betty Riess, a spokeswoman for Bank of
America with whom I chatted on Tuesday. Riess made it a point to mention
that SiteKey is just one part of BofA's multipronged approach to security.
However, she declined to comment further when specifically asked if the text
on the SiteKey page is misleading, or if Bank of America has a
responsibility to be honest with its users about the risks of
man-in-the-middle attacks.
Customers expect some companies to lie to them. Very few people expect
cosmetics and skin creams to actually make them look 20 years younger.
Likewise, few would be surprised if the salads at fast-food restaurants are
actually full of calories and fat. However, when a bank tells its customers
that its online banking system is safe and secure, most people would be
shocked to find out otherwise. Thus, a major question remains: Is Bank of
America lying to its customers when it tells them that they can be "certain
(they're) at the valid Online Banking Web site" when they see the SiteKey
image? Do banks have a responsibility to acknowledge the risks, and to
inform consumers of them?
Watch our video of the man-in-the-middle attack against the SiteKey system,
read Bank of America's promises of safety and security on its Web site, and
decide for yourself.
Christopher Soghoian, a graduate student in the school of Informatics at
Indiana University, delves into the areas of security, privacy and e-crime.
He is a member of the CNET Blog Network.