Bofa Busted
One of the banks I use is Bank of America. When I first signed up for online access I was asked to create a SiteKey, and I thought, wow, this is clever security. SiteKey attempts to prevent phishing attacks by displaying, upon login, a graphic image that the user has chosen and given a unique name. This is accomplished with a secure cookie stored on the user’s computer; when you log in, the server verifies some encrypted data in the cookie and presents you with your image. The premise is that if you see your unique image and name, you can be certain you are logging into the authorized website and not one pretending to be Bank of America (a phishing scam). That sounds all well and good, right? Not exactly: a clever hacker using social engineering might just be able to grab your logon credentials and hijack your account. The proof of concept described here uses a man-in-the-middle attack.
Here is the definition from Wikipedia:
In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims….
The breakdown occurs because there needs to be a way to let someone log on from a new computer. Let’s say you want to check your balance at work. BOA will ask you a secret question, and if you answer it correctly you will get that cookie, so future logon attempts from that computer won’t ask you a security question. Once that is set, all future visits to the BOA site will show you your SiteKey graphic as soon as you put in your username.
Here is how the grad student Christopher Soghoian did it. You get an email from a phisher that looks like a BOA email, with the logo and everything. Inside the email is a link that tells you to log on to your account. You click on the link and are directed to a phisher’s site that looks exactly like BOA’s website. The malicious site asks you for your login ID, and you type it in. The phisher site goes off (behind the scenes) and grabs your security question. This is normal, since BOA allows you to log on from multiple computers and assumes you are signing on from a computer you don’t normally use. The phishing site presents the security question you set up when you first signed up with BOA. Then the phisher site goes out to BOA, uses your answer to get your SiteKey, and presents it to you on a page that looks perfectly like BOA. You’re like, “hey, that’s my SiteKey, all must be well,” and you proceed to type in your password. Your login credentials are now known by the bad guys; you have become a victim of a phishing attack. Some do say that, in reality, this attack could not actually be done, since BOA uses clever monitoring tools provided by RSA that would trigger an alarm if the same IP address was repeatedly requesting this type of first-time login. In any case, it just goes to show how careful and vigilant one should be when entering private information online.
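The kind of monitoring the post mentions, as an added example that is not part of the original post or of any BOA or RSA product: a small Python sweep over constructed log lines of security-question requests that flags an IP fetching questions for many different accounts in a short window, the pattern a relay proxy produces and a real customer at a new computer does not. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): one line per
# "unfamiliar computer" login step, i.e. a request for the user's security
# question. Assumed format: ISO timestamp, client IP, username.
SAMPLE_LOG = """\
2007-08-20T09:00:01 203.0.113.7 alice
2007-08-20T09:00:09 203.0.113.7 bob
2007-08-20T09:00:15 203.0.113.7 carol
2007-08-20T09:00:22 203.0.113.7 dave
2007-08-20T09:01:00 198.51.100.4 erin
2007-08-20T10:30:00 198.51.100.4 erin
2007-08-20T11:00:00 192.0.2.9 frank
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_challenge_log(text):
    """Yield (timestamp, ip, username) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, ip, user = m.groups()
        yield datetime.fromisoformat(ts), ip, user

def find_suspicious_ips(text, window=timedelta(minutes=5), threshold=3):
    """Return {ip: set(usernames)} for IPs that requested security questions
    for at least `threshold` distinct usernames inside any `window`.
    A legitimate user at a new computer yields one username per IP; a relay
    proxy fetching questions on behalf of many victims yields many."""
    events = defaultdict(list)
    for ts, ip, user in sorted(parse_challenge_log(text)):
        events[ip].append((ts, user))
    flagged = {}
    for ip, hits in events.items():
        for i, (start, _) in enumerate(hits):
            # hits are time-ordered, so only look forward from each start
            users = {u for t, u in hits[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[ip] = users
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_suspicious_ips(SAMPLE_LOG).items():
        print(f"ALERT {ip}: security question fetched for {len(users)} accounts: {sorted(users)}")
```

A real deployment would key on more than source IP (the post itself notes the attacker can vary it), but the per-source burst of distinct first-time logins is the signal the post describes.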
Here are some tips to avoid getting phished:
1. Never ever click on a link to log on to any site from an email. If you stick by that rule, you should be fine. Log in by typing the address directly into your browser or use a bookmark.
2. Always look for the security lock to the right of the address, or glance at the address bar to see if the URL starts with https. If not, close your browser (don’t even think of logging on). The video of the attack done by Chris shows the lock to the left of the address bar, which actually threw me off for a second until I saw “http://” without the “s” (very clever indeed).
3. Think about getting some anti-phishing software that you can download. Firefox has this technology already built into it.

August 26th, 2007
Excellent post. If only I would have read this before opening that fraudulent “Paypal” email….