I predicted it in my recent post "Doomsday Hackers and Evildoing Robots" but it hurts all the same...
Bank of America has announced adoption of Sitekey technology, developed by Passmark Security to combat ID theft. But Sitekey suffers from the classic misconception underlying so many security products that the attacker will not bother to adapt in any way to the defense (even to sweep juicy bank accounts). Rather than restore trust to online banking, Sitekey promises to confuse and inconvenience customers, instilling a false sense of security that will, when it quickly fails, further impede online banking.
Sitekey promises confidence that customers are logging into the genuine bank, not a spoof site, by asking customers to upload a "trusted image" that the bank will display when accessed from a "trusted computer". To establish trust on the device (because it's a fresh computer, or the cookies have been deleted, which happens quite often), SiteKey asks the customer some challenge questions. Passmark claims to prevent phishing because users will be trained not to provide passwords to spoof sites that can't display the trusted image.
So sometimes B-of-A will ask the questions and sometimes it won't, depending upon the cookies. Sometimes it shows the image right away, and sometimes it first asks the challenge questions. Somehow, the customer is supposed to understand all this, and the next time he or she is phished, figure out that something important (the image) is missing. So there's a lot of set up, and some rather generous predictions around customer sophistication.
The bigger problem, though, is that Sitekey utterly fails to defeat phishing or malware attacks. What stops phishers from simply logging into the bank at the same time that the victim is logged into the spoof site? The phishers pass the challenge questions from the bank to the customer, and shuttle the responses right back. The bank then exposes the trusted image to the phisher, which uses it to prompt the customer for the password.
And what about slipstreaming malware that simply waits on your PC for authentication to happen before passing your session to the thief? These attacks may be relatively uncommon today, but you can expect B-of-A to change that.
But wait, don't change banks so fast! According to the same AP article, Wachovia is rolling out a similarly vulnerable system, but one that is also wildly expensive to deploy and support. Wachovia will distribute tokens that display a different number every 60 seconds, so that Wachovia "knows" that the token holder, not a phisher, is logging in. Forget about the problems associated with dead batteries and lost tokens. Those nasty slipstreamers and man-in-the middle phishing attacks defeat this security system just as handily.
Whoever said Crime Doesn't Pay wasn't an ID thief in the year 2005. Until banks adopt all 3 of the following (easy and inexpensive) authentication methodologies, I'll continue to bank offline:
1. Authenticate the transaction
Don't let slipstreamers take over my validly opened online session only to execute unauthorized transactions.
2. Escalated Response
If my bank profiles transaction risk and escalates authentication based on that risk, I won't have to deal with inconvenient security mechanisms except when it really matters. And when it matters (e.g. cash transfers), I will be pleased to see the escalated security.
3. Multi-channel authentication
This method involves a computer that calls the customer on a separate network (POTS, cell phone, SMS) to prompt the customer for an authorization code. Unlike multi-factor authentication, multi-channel authentication is not defeatable by slipstreamers and man-in-the-middle attacks. It's also much less expensive, and can cheaply layer on biometric security by analyzing the voice pattern of the person at the other end of the phone line.