Date: Fri May 27 18:39:19 2005
From: niceman at att.net (Mike N)
Subject: Bank of America SiteKeys ineffective?

>From: "Mary Landesman" <mlande@...lsouth.net>
>Subject: Re: [Full-disclosure] Bank of America SiteKeys ineffective?

> From my read of the news.com article and admittedly limited knowledge of
> SiteKeys, it does not seem to me their intent is to make sure the user
> knows they are at a legitimate BOA page. Rather, it seems to me the intent
> is to ensure that if Betty Boop logs into her BOA account, that she's doing
> so from a pre-authorized Betty Boop specified computer.


I found the official press release at

http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050526.03.htm

In the press release, one of the 2 key goals is to "Confirm the Web
site's validity."  From the description, it will do no such thing - it only
confirms a possible link from their browser to the BofA web site, not that
they are linked correctly and solely to the proper BofA web site.

Even the challenge-response scenario is nearly useless.  If for some
reason the phisher in the middle couldn't steal the secure cookie and pass
it on to the real site, the customer might fall for the challenge-response
questions being relayed from the phisher and answer them; the phisher would
end up with the challenge-response answer as well as the login.  Many
people regularly dump their cookies for privacy reasons; those people will
become used to seeing the challenge-response and they won't realize they're
being taken.

 The press release mentions that they are using PassMark 
http://www.passmarksecurity.com .

The PassMark is better than nothing, but doesn't accomplish anything in
the end except to make the customer feel better.  It's not as effective as
inspecting the HTTPS certificate, but training 13 million customers how to
inspect their certificates and actually having people look at their
certificates is also probably unrealistic.
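As an added illustration (not part of this post, and not Bank of America's or PassMark's code), the following constructed Python model walks through the two-phase flow the post describes: a look-alike site that simply forwards the image request, the challenge question and the password passes the customer's image check exactly as a direct login does, whereas a check bound to the server's identity (the stand-in here for looking at the HTTPS certificate) stops before anything is sent. The Bank and Relay classes, the hostnames, cookie values, question and password are all assumptions made for the example.

```python
"""
Constructed model of a SiteKey-style login: a device cookie, a user-chosen
image, and a challenge question when the cookie is missing.  Every name and
value here is made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Bank:
    """Legitimate site: knows each user's enrolled image, challenge question
    and the device cookies it has issued."""
    hostname: str
    images: dict                          # username -> enrolled image
    questions: dict                       # username -> (question, answer)
    device_cookies: set = field(default_factory=set)
    logins: list = field(default_factory=list)

    def request_image(self, username, cookie):
        """Phase 1: show the image if the device cookie is recognised,
        otherwise fall back to the challenge question."""
        if cookie in self.device_cookies:
            return "image", self.images[username]
        return "question", self.questions[username][0]

    def answer_question(self, username, answer):
        """Phase 1b: a correct answer yields the image and a fresh cookie."""
        if answer == self.questions[username][1]:
            cookie = f"cookie-for-{username}"     # constructed cookie value
            self.device_cookies.add(cookie)
            return "image", self.images[username], cookie
        return "denied", None, None

    def submit_password(self, username, password):
        """Phase 2: the user, reassured by the image, sends the password."""
        self.logins.append((username, password))
        return "welcome"


@dataclass
class Relay:
    """A look-alike site that forwards each message to the real bank and
    records what passes through.  It offers the same three calls as Bank,
    so the image check alone cannot tell the two apart."""
    hostname: str
    upstream: Bank
    captured: dict = field(default_factory=dict)

    def request_image(self, username, cookie):
        self.captured["cookie"] = cookie
        return self.upstream.request_image(username, cookie)

    def answer_question(self, username, answer):
        self.captured["answer"] = answer
        return self.upstream.answer_question(username, answer)

    def submit_password(self, username, password):
        self.captured["password"] = password
        return self.upstream.submit_password(username, password)


def user_session(server, username, expected_image, cookie, answer,
                 expected_host=None):
    """Drive one login the way the post describes the customer behaving.
    Returns True if the customer ends up sending the password to `server`.
    With expected_host set, the customer first checks the server's identity
    (standing in for inspecting the HTTPS certificate)."""
    if expected_host is not None and server.hostname != expected_host:
        return False                      # identity mismatch: stop before phase 1
    kind, payload = server.request_image(username, cookie)
    if kind == "question":
        # Cookie absent (e.g. cleared for privacy): answer to get the image.
        kind, payload, _ = server.answer_question(username, answer)
    if kind != "image" or payload != expected_image:
        return False                      # no image or wrong image: stop
    server.submit_password(username, "hunter2")   # constructed password
    return True


def scenario(use_relay, has_cookie, bind_identity):
    """Run one login; return (password_sent, what_the_relay_captured)."""
    bank = Bank("bank.example", {"betty": "red-boat.png"},
                {"betty": ("First pet's name?", "fluffy")})
    cookie = "cookie-for-betty" if has_cookie else None
    if has_cookie:
        bank.device_cookies.add(cookie)
    server = Relay("bank-login.example-phish", bank) if use_relay else bank
    sent = user_session(server, "betty", "red-boat.png", cookie, "fluffy",
                        expected_host="bank.example" if bind_identity else None)
    return sent, (server.captured if use_relay else {})


if __name__ == "__main__":
    print("direct login:         ", scenario(False, True, False))
    print("relay, cookie present:", scenario(True, True, False))
    print("relay, cookie cleared:", scenario(True, False, False))
    print("relay, identity check:", scenario(True, True, True))
```

The third scenario is the post's cookie-dumping case: without a cookie the customer is shown the question, answers it through the relay, sees the correct image and then sends the password, so the relay holds the answer and the password. Only the fourth scenario, where the customer's decision depends on who the server is rather than on what it shows, ends with nothing captured.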