{"id":22,"date":"2006-01-11T15:19:42","date_gmt":"2006-01-11T19:19:42","guid":{"rendered":"http:\/\/blogs.law.harvard.edu\/zeroday\/2006\/01\/11\/bank-of-america-tries-to-fight-phishe"},"modified":"2006-01-11T15:19:42","modified_gmt":"2006-01-11T19:19:42","slug":"bank-of-america-tries-to-fight-phishers","status":"publish","type":"post","link":"https:\/\/archive.blogs.harvard.edu\/zeroday\/2006\/01\/11\/bank-of-america-tries-to-fight-phishers\/","title":{"rendered":"Bank of America Tries to Fight Phishers"},"content":{"rendered":"<p>As I signed onto my account today I was forced into registration for a new security service of Bank of America.  The system is called SiteKey and it is a pseudo two-factor authentication system.  The idea is that the user chooses an image which the site displays back after authentication.  If the site doesn&#8217;t display the image, the user should realize that the page is not the real bank and that they have just been phished.  Note what this does and does not prove: the image is a shared secret the site shows to the user, so at best it lets the user authenticate the site; it adds nothing to how the site authenticates the user.<br \/>\nThe image itself is retrieved via a dynamic URI that carries two long hash-like tokens:<br \/>\nhttps:\/\/sitekey.bankofamerica.com\/sas\/getMySiteKey?it=[96 char hash]&amp;iv=[15 char hash]<\/p>\n<p>On the surface this seems like a decent system.  I think the implementation is a bit off (backwards actually).  When the user has cookies enabled and the site recognizes the machine, only an ID field is presented.  After entering the ID the user is taken to the real authentication page, with both username and password fields, and that page displays the SiteKey image.  What&#8217;s wrong with this?  If you are coming from a machine the site does not recognize, both username *and* password are required before the SiteKey image is presented.  A phisher therefore does not need to know your image in advance: a fake login page can simply relay whatever you type to the real BoA site, fetch your genuine SiteKey image, and show it back to you.  By the time you see the image and decide the page is legitimate, the credentials the image was supposed to protect have already been handed over.<\/p>\n<p>This system will raise the stakes in the phishing game but I don&#8217;t know if it will do so enough to thwart any but the most crude of phishers.  If I have enough time I will try to mock up a proof of concept.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As I signed onto my account today I was forced into registration for a new security service of Bank of America. The system is called SiteKey and it is a pseudo two-factor authentication system. The idea is that the user chooses an image which the site displays back after authentication. If the site [&hellip;]<\/p>\n","protected":false},"author":214,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","hentry"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/users\/214"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":0,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"wp:attachment":[{"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/archive.blogs.harvard.edu\/zeroday\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
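The relay the post describes, modelled as an added example that is not part of the original post and not Bank of America's code. The `Bank` class is a constructed stand-in for the SiteKey service (cookie-based device recognition is reduced to a set of known device ids), `PhishingRelay` is the fake login page, and every name, account and device id in it is an assumption made for illustration.

```python
"""Toy model of a SiteKey-style image check and of the relay attack that defeats it.

Constructed example, not Bank of America code: Bank stands in for the real
SiteKey service, PhishingRelay for the phisher's fake page, and the user,
password, image and device ids are made up for the demonstration.
"""
import hmac


class Bank:
    """Minimal SiteKey flow: a recognised device gets the image for an ID alone;
    an unrecognised device must present ID and password before the image."""

    def __init__(self):
        self.users = {}              # user_id -> (password, sitekey image name)
        self.known_devices = set()   # (user_id, device_id) pairs seen before

    def enroll(self, user_id, password, image):
        self.users[user_id] = (password, image)

    def get_my_sitekey(self, user_id, device_id, password=None):
        """Return the enrolled image, or None if the request is refused."""
        if user_id not in self.users:
            return None
        real_password, image = self.users[user_id]
        if (user_id, device_id) in self.known_devices:
            return image                      # cookie flow: ID only
        if password is not None and hmac.compare_digest(
            password.encode(), real_password.encode()
        ):
            self.known_devices.add((user_id, device_id))
            return image                      # unrecognised device: ID + password first
        return None


class PhishingRelay:
    """Fake login page. It asks for ID and password (exactly what the real site
    asks an unrecognised machine for), forwards them to the real bank from the
    attacker's own browser, and echoes the genuine image back to the victim."""

    def __init__(self, bank, device_id="attacker-browser"):
        self.bank = bank
        self.device_id = device_id
        self.captured = []           # credentials harvested before any image is shown

    def victim_submits(self, user_id, password):
        image = self.bank.get_my_sitekey(user_id, self.device_id, password)
        if image is not None:
            self.captured.append((user_id, password))
        return image                 # None lets the fake page re-prompt on a bad password


def victim_checks_image(shown, expected):
    """The only check SiteKey gives the user: is my image on the page?"""
    return shown == expected


def demo():
    """Run the relay once and report whether the victim's check passed and what
    the phisher already holds by the time it did."""
    bank = Bank()
    bank.enroll("alice", "correct horse", "sailboat.jpg")   # constructed account
    relay = PhishingRelay(bank)
    shown = relay.victim_submits("alice", "correct horse")   # typed into the fake page
    check_passed = victim_checks_image(shown, "sailboat.jpg")
    return check_passed, relay.captured


if __name__ == "__main__":
    passed, harvested = demo()
    print("victim's SiteKey check passed:", passed)
    print("credentials the phisher already holds:", harvested)
```

The model makes the ordering problem concrete: the bank releases the image only to a caller who has already supplied a valid password, so an attacker relaying the victim's input is exactly such a caller, and the check the victim performs on the image is satisfied after the credentials are lost. A wrong password simply comes back as `None`, which the fake page can turn into a "try again" prompt, so the relay also learns when it has a good password. The same model covers the cookie flow, since a device the bank has seen once is thereafter handed the image for the ID alone.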