Comments on: Security Review: Online Banking

By: justin

justin — Mon, 18 Feb 2008 08:19:57 +0000

Max-

Though it may be the case that the site key mechanism has failed thus far to be effective for the average user, if viewed as more of an “opt-in” security measure I find it highly effective — because I do opt to use it to enhance the security of my sessions.

I try to be mindful of warnings about security certificates, but having the site key mechanism gives me nearly full confidence that the site isn’t being spoofed. Without it, there would exist the possibility that someone could spoof the BoA site without SSL and I wouldn’t notice it. I would hope not, but who knows.

In any event, it certainly would be nice if they threw up a bogus site key identifier every once in a while. But I suppose the risk is that it would cause more harm than good, as I suspect that a large percentage of people would refuse to internalize what something like the “sitekey” is or how it can be useful, no matter how many times the virtues are extolled.

By: esoteric

esoteric — Mon, 18 Feb 2008 02:10:42 +0000

I recently switched to Bank of America, and another defense mechanism employed by this bank is that it keeps track of the valid IP addresses that are allowed to login to a particular account. When a user tries to login to his or her account from a new IP for the first time, BoA’s website asks the user to answer a personal security question before allowing the normal login system to be used. This feature, along with the aforementioned graphical site key system, shows that Bank of America is really attempting a defense-in-depth approach to online banking. These added security mechanisms are of little hassle to a legitimate user, but represent major roadblocks for an adversary.

By: Robert

Robert — Thu, 14 Feb 2008 06:26:02 +0000

Thanks for the info, Max. It seems like the most difficult piece of security to control is the end user. This leads to an interesting ethical question: At what point does the burden of security pass from the company to the user?

By: Max Aller

Max Aller — Thu, 14 Feb 2008 00:45:23 +0000

Hey Robert.

While the idea of a site key is nice, it’s simply not effective, as outlined in this news article that cites a Harvard/MIT study from a little over a year ago. Basically, people don’t notice and/or care if their site key is missing. That seems a little problematic. Despite the age of this article, Bank of America still has done nothing about it…in my mind, BoA should have 1 in every, oh, 20 logins result in a page that doesn’t have their site key. If the user proceeds as usual by typing in their password, a “You Could Have Been Phished” warning pops up. If you look for the link “Why isn’t my site key shown?” it takes you to the regular login page with a happy message at the top to the effect of “Congratulations, you passed”.

Anyway, read the article. It’s interesting.

By: Robert

Robert — Wed, 13 Feb 2008 23:11:14 +0000

Many banks are also implementing various other mechanisms to ensure identity and protect against phishing. Bank of America, for instance, requires each user to select an image from a large bank of images. They call this a Site Key and it is used in conjunction with the SSL cert to ensure site identity. This is easier for the average user to use because they don’t have to worry about browswer warnings or certificate problems.

The Alaska USA credit union requires users to enter their password on a keypad that contains randomly placed numbers and letters. The keypad also has a background that is of the user’s choosing. This is another mechanism to ensure identity and protect customers.