[WEB SECURITY] SiteKey

Brian Eaton eaton.lists at gmail.com
Sat Nov 4 19:48:27 EST 2006


Resending to CC the list...

On 11/4/06, Thierry Zoller <Thierry at zoller.lu> wrote:
>
> That's the misconception most people fall to, actually they don't have to
> spoof _anything_ (tcp related) let me explain.
>
<snip explanation of how the proxy attack would work>

OK, your explanation helped.  I thought you were under the impression that a
phisher could automatically display the right secret image, without first
gaining access to the answer to the challenge question or the sitekey flash
cookie, but you obviously aren't.  You are describing nearly the same attack
that people use today when they try to phish BofA.  They don't seem to
bother with the proxy aspect of the attack.  They just flat out ask the user
"What is the answer to your challenge question?"

One downside to sitekey is that some percentage of users fall for that,
since if it never worked phishers would have stopped trying.  The other
major downside to sitekey is increased support costs: more calls to the help
desk, because someone wants to log in from a new PC and has forgotten the
answer to their challenge question, or because they are confused by the
secret image.

The major benefit of SiteKey is that some percentage of users have actually
understood enough about how the system works that they stop typing when they
don't see their secret image on the BofA web site.  Those are users who
would have been the victims of the phishing attack, except that SiteKey gave
them enough of a clue that they weren't.  So that's the cost savings.

SiteKey is a net win because the reduced fraud pays for the increased
support costs.  It doesn't make phishing go away, it just makes it less of a
problem.

There are plenty of technologies out there that are more effective than
sitekey, but they have their own sets of problems.  They are either hard to
use, or require special hardware on the client side.  If you have a small
customer base making high-value transactions, those technologies might make
sense.  But they don't work for consumer banks, because the extra cost
overwhelms any reduction in fraud.  Mobile phones can change that equation,
since they can be used for transactional authentication without shipping
special hardware to all of your customers.  But consumer banks seem to be
wary of relying on mobile phones for now.

Well, that's the way I see it, anyway.  Are we on the same page?

Regards,
Brian