In my article “Spear-Phishing – New Angles On An Old Game” (http://www.cafeid.com/art-spear.shtml), I wrote about a variation on “traditional” e-mail phishing that has proved to be more effective than random casting of stink-bait into a vast pool of random e-mail addresses.
The increase in effectiveness is the result of more focused targeting of potential victims through the use of real, usually stolen, corporate documents and so on that make the bait seem more legitimate to a much smaller group of recipients. This week, we take a look at PassMark’s SiteKey, the first solution to be adopted by a major institution in its effort to combat phishing.
The Charlotte-based Bank of America is in the process of rolling out its plans to adopt the PassMark system in an effort to secure its online communications with its 13 million customers across the country. The Bank should be applauded for implementing such extensive changes to its online security model in spite of the fact that phishing is not yet, in and of itself, costing banks a great deal of money.
What it is costing the bank, however, is online-banking customers. ConsumerAffairs.com reported late last month (http://www.consumeraffairs.com/news04/2005/gartner.html) on a Gartner survey that indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. For financial services companies like Bank of America that seem intent on removing the element of human contact once and for all from customer relations, that lack of confidence has to be disturbing.
As the practice of phishing becomes more and more sophisticated, so will the effort to combat it; and you can be sure that effort will be fraught with nominal solutions and opportunistic hand-waving that provide little more than a false sense of security. And while PassMark’s system is better than nothing, it fails to address the roots of the problem and may give consumers the mistaken notion that the problem is someone else’s to solve.
What Is SiteKey?
PassMark calls its system a “Two-Factor Two-Way Authentication”(TM) system. A two-factor system, according to the PassMark website, is one that relies on two identifying bits of information to authenticate a transaction. One factor might be a traditional password, and the second (the problematic one, apparently), might be a key fob or even some sort of biometric reader, items which are “not practical for the consumer market with millions of users.” A two-way authentication system provides the capability not only for you to prove to the bank you are who you claim to be, but also for the bank to prove to you that it is really the bank sending you that e-mail or presenting you that website page.
To implement the two-factor system, PassMark bypasses traditional second factors like hardware devices that customers are apparently too dumb to maintain in their possession. “Even if you give them away for free,” the PassMark website chides, “many users will forget them or lose them.” Instead, the company takes a look at your computer and creates a unique “fingerprint” of the machine, consisting of things like HTTP headers, the IP-address, software configurations and even its geographic location (based on IP-address geomapping). It then has something to go by the next time you visit the site.
For two-way authentication, SiteKey assigns a secret image known, ostensibly, only to the customer and to the institution. Customers logging into the company’s website will see the image and recognize it as a marker that the site is legitimate, and outgoing e-mail from the company to the customer will also carry the image to mark legitimate e-mail.
Sounds Great. What’s Wrong With It?
The SiteKey system fails, according to IT Security Architect Doug Ross (http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html), to address the fundamental problem of phishing because it leaves the customer susceptible to the classic “Man in the Middle” false-storefront attack. Since there’s no way to distinguish the customer’s virgin computer from a phisherperson’s “malicious, zombie PC”, according to Ross, “the zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim.”
If Bank of America doesn’t recognize the computer you’re on, it will ask you one of your “secret questions” and a correct answer will display the SiteKey. Reasons it might not recognize your computer include, but aren’t limited to, the possibility that you’re on a different computer, that you’re behind a firewall or that you don’t allow it to place the secure cookie.
Even if SiteKey does recognize your computer, there’s no indication that you’re the one using your computer or that it is even in your possession. People lose laptops, too, in a variety of ways.
In addition, and this is probably the most worrying caveat, given the recent rash of massive security breaches at large storehouses of personal information, the SiteKey approach still relies on the storage of images and so on in your personal records on the merchant’s database. Compromise of this data would leave you just as vulnerable as you’d be if your login and password were obtained.
Toward A Real Solution
The PassMark system is better than a standard login/password authentication scheme when it comes to securing the communication between you and the institution. However, it is Bank of America’s (and, to be fair, most other such institutions’) efforts to cut costs by removing human contact almost entirely from the customer service equation that has made phishing more and more lucrative by driving more and more customers to banking online.
Still, there are ways to improve this process. Ross nails it in a sidebar relating to the Bank of America website: “isn’t it odd that when you go the Bank of America site, you immediately note that the page is presented in cleartext (“http://”), not SSL (“https://). The first step to combat phishers is to provide an SSL connection… first time, every time. Customers need to get used to expecting a secure connection on every BofA page.”
Here at Cafe ID (http://www.cafeid.com), we agree wholeheartedly. If you have a secure certificate, actually using it will go a long way toward securing transactions on your site, certainly further than putting up a cute picture of a dog and asking the customer to take that as evidence of a site’s legitimacy. Certificate authentication remains the best way for the company to prove its identity to the customer. Besides, there’s no downside to securing your website, particularly for companies dealing in online transactions involving money.
With online banking, what customers gain in convenience and they lose in security. It may be time to consider stepping back a bit from technology’s bleeding edge and just go down to the bank. But the convenience of online banking and bill-paying cannot be ignored. Customers want this capability, and they expect banks to work out a solution. Unfortunately, a real solution to the problem of phishing requires more than clever challenge-response systems. It requires, first and foremost, that the end-users take control of their online security rather than leaving it up to a third party.
How do you do this? Pay attention when you’re online. No reputable companies are going to attempt to conduct important business via e-mail, and so answering e-mails alerting you to some problem with your account is generally a bad idea. Proceed straight to the company’s website by typing it into your browser bar, and if you don’t see a secure connection indicator in your browser, don’t enter personal information about yourself.
The best way to deal with a bank used to be to establish a solid personal relationships with its human employees; unfortunately, however, this is becoming an increasingly unworkable option. I suppose we can hang up the idea of going back to the teller window; but until better controls are in place on both the way personal information is communicated and the way it is stored, suspicion will remain the most effective way of keeping yourself protected against phishing.
Trevor Bauknight is a web designer and writer with over 15 years of
experience on the Internet. He specializes in the creation and
maintenance of business and personal identity online and can be
reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free
tryout of the revolutionary SiteBuildingSystem and check out our
Flash-based website and IMAP e-mail hosting solutions, complete with
live support.