September 20, 2007 6:15 AM PDT

False security: Is Bank of America lying to its customers?

Posted by Chris Soghoian

A bank that guarantees its online users' safety and security has direct evidence that its Web-based banking system may not be 100 percent bulletproof.

Should that bank tell its customers? And if it doesn't, is it misleading, or even worse, lying, to them?


Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon. Instead of having customers log in with just a user name and password, these new schemes require a third piece of information.

Some banks choose to issue their customers a cryptographic hardware token (a keychain with a digital display that shows a new one-time code every 60 seconds, computed from a secret key inside the token and the current time). Others, especially those banks with less profitable customers, have opted instead for software solutions. The advantage, of course, is that they don't have to spend any money sending widgets out to their customers.

BofA's SiteKey two-factor authentication system is essentially a rebadged version of the PassMark system sold by RSA/EMC. Other banks that have licensed the technology include Pentagon Federal Credit Union, Vanguard, and U.K.-based bank Alliance & Leicester. Users of SiteKey and similar systems select a graphical image and a phrase. Every time they log in from a "trusted" computer (that is, one that BofA has seen before), the site displays that image and phrase after they enter their user name and before it asks for their passcode; from an unrecognized computer, the user first answers a challenge question and then sees the image.

According to Bank of America's own numbers (PDF), over 21 million customers use its online banking system. BofA's Web site promises customers that the SiteKey system will keep them safe, stating: "You know it's really us--when you see your SiteKey, you can be certain you're at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."

How SiteKey Works

(Credit: Bank of America)

The problem is that all of these schemes--every single one of them--are vulnerable to a form of deception known as a man-in-the-middle (MITM) attack: the attacker's look-alike site sits between the customer and the real bank and relays each message in both directions in real time, so whatever the bank shows the customer (an image, a challenge question) the attacker can show too, and whatever the customer types (a passcode, a one-time code from a token) the attacker forwards to the bank and keeps a copy of. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.

On multiple occasions in 2005 and 2006, security researchers raised the alarm about the false promises of two-factor authentication, and in particular of Bank of America's SiteKey system. Finally, in April 2007, Professor Markus Jakobsson and I announced a working demo of a successful man-in-the-middle attack against SiteKey. On the advice of lawyers, we did not release an easy-to-use version of the system, nor were we able to give others access to the demo online. To provide factual support for our claims and to demonstrate how relatively easy such an attack would be to perform, we released a screen-captured video of the demo, as well as source code that would let an advanced user download a customer's SiteKey image from any remote, untrusted machine.

Our demo got quite a bit of press attention, with mentions in The Register, ZDNet and The Washington Post. One of the main points we tried to make when we put our demo online is that Bank of America is promising its customers something impossible. By telling users that the SiteKey image guarantees they are visiting BofA's Web site--and not a phishing page--Bank of America is giving its users a false sense of security. Were BofA to instead acknowledge the risks of phishing and man-in-the-middle attacks, users might be more cautious when logging into suspect Web sites.

Shortly after we released the demo, Louie Gasparini, chief technology officer for RSA's Site to User Authentication group, was interviewed by Brian Krebs at The Washington Post. He said that our attack demo "overlooks a number of back-end technologies that financial institutions use to detect fraudulent transactions."

"What they're critiquing is just the most visible piece to this technology," Gasparini added. "There is a whole bunch of risk management and fraud detection that goes on behind the scenes so that even if a user's account does get compromised, the bank can still protect that person."

Gasparini's comments mirror those of Betty Riess, a spokeswoman for Bank of America with whom I chatted on Tuesday. Riess made it a point to mention that SiteKey is just one part of BofA's multipronged approach to security. However, she declined to comment further when specifically asked if the text on the SiteKey page is misleading, or if Bank of America has a responsibility to be honest with its users about the risks of man-in-the-middle attacks.

Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?

Watch our video of the man-in-the-middle attack against the SiteKey system, read Bank of America's promises of safety and security on its Web site, and decide for yourself.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET.
8 comments
Trust everyone,
by rcrusoe September 20, 2007 8:24 AM PDT
but cut the cards. (i.e. verify, verify, verify)

While I was not aware of this vulnerability, I've always thought it wise to verify SSL credentials on every page, every time I do business online, whether on BofA's site or any other commercial site.

And to be aware of what I need to do to take advantage of BoA's $0 liability policy.

http://www.bankofamerica.com/onlinebanking/index.cfm?template=security

Is BofA lying? IMO, that depends on what they do when a customer falls victim to something like this.
Something for Marketing Profs
by groyal September 20, 2007 8:28 AM PDT
A marketing assertion is something that falls into the reasonableness test, which is one big fuzzy line. We have consumer protection agencies whose job it is to test for reasonableness in marketing if someone actually objects to it.

The difference between the face cream and the BOA statement is that in the face cream example, the outcome is wholly objective as to whether or not a person will look 20 years younger. Whereas the outcome of the BOA statement is mostly objective. You can prove the opposite. Even if it is 99.9% safe, then the assertion is not true, as you may have proved. However, the problem for banks is how much does it cost to get the extra .09999% reliability? Then again, that is what insurance is for.
Multi-pronged Plastic Spork
by arluthier September 20, 2007 8:30 AM PDT
If this multi-pronged approach banks use is so successful at protecting the customers (as the BofA quote mentions) how is it that so many man in the middle attacks have been successful?
Correction...
by ddesy September 20, 2007 8:37 AM PDT
"Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon."

This isn't a "bandwagon." It's now legally required that banks have two-factor authentication. There are a number of different types, but one of them must be used.
Correction #2
by sumo300 September 25, 2007 8:36 AM PDT
This legal requirement is for true two-factor authentication (something you know, something you have, etc). SiteKey is an extra "something you know", which does not constitute it being two-factor authentication. SiteKey is garbage.
Surprised?
by alflanagan September 20, 2007 9:50 AM PDT
Does anyone expect any corporation to tell the truth any more? We've created a culture that rewards them for lying and punishes them for telling the truth. Now people can't even tell the difference any more.
Guarantee vs. marketing claim
by gregconnor September 20, 2007 11:25 AM PDT
B of A states you "can be certain you're at the valid (B of A site)" when you see the SiteKey. This is not a guarantee, but rather a reasonable marketing claim that customers should take with a grain of salt, just like any other marketing claim. Elsewhere on the page, they position it as an "additional layer of identity verification". Their use of the word "certain" is reasonable - I can't imagine anyone thinks it is 100% safe. It's arguably safer than offline banking, but that's another conversation.

A guarantee is totally different from a marketing claim - it is dependent on the bank's actions in the case of a failure of their OLB security. You didn't provide any links, and maybe B of A does not state it explicitly, but I'm reasonably sure that they would make whole any customer who loses money due to a MITM attack that compromises its SiteKey.
by whythebite September 21, 2008 9:43 PM PDT
While on the phone to B of A 11 days ago, clarifying the credit limit on my $50,000 HELOC, in which for 3 months my total outstanding balance kept going $71.00 over the 50,000 and I used $49,850 purposely not to exceed the LOC. My monthly payment is $221.00 per month (to my surprise, all of everybody's B of A HELOC payments are in arrears), taking my outstanding balance to $50,071.00. This was brought to my attention several months ago when making a phone payment, that although you have not reached your credit limit, payments in arrears put you over your limit each month and this will be reported to the credit bureau. (The person at that time sounded honest, so I will take heed and make sure it gets done.) So for months I have been calling back to make sure this was not damaging my credit score. After calling and calling, maybe 5 times, to B of A, phone personnel all said they have no reference to this credit reporting, and I asked them to check with their boss, and time after time, "oh no sir, that has no bearing on your credit" or "oh no, this is not reported monthly." Eventually I was not taking the chance and went with my gut feeling, so this time calling I insisted on depositing $80.00 into my BofA Equity Maximizer HELOC, which took my total principal balance down to $49,770.00; that person said this deposit will not reflect on that account until midnight tonight. *** While on that same phone call 11 days ago *** I also inquired as to an increase on my home equity line of credit, and B of A said there is a $10,000 minimum increase. I did not need that much; this money was to cover odds and ends credit card ($3,400) used during my remodel, which is pretty much finished. When I found out the APR on my loan would go from 5.25% to 7.25%, taking my payment from 221.00 to 343.00 per month, well, we won't be needing that loan increase!
So I said to the person NO, NO, NO, I will not accept that, I can pay the cards off faster, so I declined and asked for a confirmation # on the decline of the LOC increase, and I was told we don't issue a confirmation # for the decline of an LOC increase, but we, B of A, will give you a reference # pertaining to the $80.00 payment above, so I got the ref #, the person's name, time, date, yada yada. The next morning, approx. 10am, I checked the balance in my checking account and the $80.00 had been deducted from my checking account. I thought, great! And for some odd reason that afternoon I checked my checking balance again. Mysteriously, the $80.00 was credited back to my checking account. I was exhausted on day 2. Day 3, I am up early PST, so I call South Carolina B of A HQ, and because I'm located in California they said I will have to call the CA HELOC office. Once again I called the B of A CA HELOC office to make sure that "additional" payment was made and to make sure the application cancellation for the LOC increase was recognized, and I questioned the fact why my checking account balance the very next morning showed an $80.00 deduction on day 2 and in the afternoon that same day the checking account balance showed no deduction was ever made. The person paused; I figured they must be looking at the account! The B of A person responds, NO, that payment was not credited yet, and yes, that LOC increase application was canceled. 3 days later that "additional" HELOC payment was credited. WELL, THIS IS WHAT HAPPENED yesterday: I received 2 letters from B of A. One letter states that "we sincerely regret we are not able to approve your recent HOME EQUITY LINE OF CREDIT application" (which I did not want, just inquired), and the other letter is a copy of my credit rating from EXPERIAN.
My credit rating dropped 72 points in 67 days. During this time there were numerous dropped phone calls, so many I finally asked one of the phone people, and their response was, well, that's been happening in the mortgage department. I have to say, oh, thank you very much, Bank of America, for allowing me to be such a valued customer. PS: you got me for 10 extra points on the way into this loan, because your HQ paperwork dept. apparently did not receive what your loan officers sent 3 different times with fax transmission received notifications. Stalling for time during the loan process allows the financial institution to check your credit rating every 30 days (lowering your credit score and raising your credit rate). Mine took 36 days; this is not accidental or careless. Bank of