Network World
Saturday, November 22, 2008
RE: Bank of America authenticates via mobile phone

The "sitekey" image and phrase do not add appreciably to security; like user name and password, they are something you know, still single-factor authentication. The sitekey does provide some assurance to the user that he's not talking to a bogus site, but is of no use preventing a phisher from gathering your name/password in a man-in-the-middle attack.

The SafePass system using a cell-phone-relayed token is a true two-factor authentication, since it adds something you have (your cell phone) to something you know, verified over a second communications channel. I use it myself with Bank of America. I heard of it described by customers of Australian and European banks at least two years ago, so it's hardly a new idea. While it does not protect against man-in-the-middle attacks, a user name and password collected in such an attack are useless for further illegitimate access because of the second factor cell phone token.


The sitekey could mitigate


The sitekey could mitigate the majority of automated attacks on the user/password scheme (at least for now!). And this at rather low cost; additionally, it's easy for the users to understand and apply. This alone helps much to have a more secure online banking experience. In brief, my 2 cents is that sitekey adds much to online banking.

This hardly seems low-cost.


This hardly seems low-cost. Instead, BoA is just passing the cost of the increased security off to the customers. I'd much rather pay $5 for a real token than face a $0.15 charge every time I wanted to check my bank account. Sounds more like the wireless companies and BoA have struck a nice little deal.

No More Secure!


I have not used the SafePass system, but I do not believe that it will make online banking any more secure. In addition to stealing a username and password, a phishing website could easily steal a SafePass token by asking the user to submit one "for added security." The phishing server would then take the user's stolen credentials, log in to BoA's website, and post a fraudulent transaction that requires a SafePass token. Next, BoA would send out a SafePass token, and the user (reassured by its arrival) would then enter it into the phishing page. The phishing server would then send the SafePass token to BoA, confirming the transaction. While this sounds outlandish, phishers are already using a similar technique to steal the sitekey "security images" right off of banks' websites.

As the article mentions, this system does little to protect users from viruses and man-in-the-middle attacks. Either of these attacks could simply rewrite BoA's website before it is displayed to the user and change the details of the transaction that the user submits. When the user goes to authorize his usual payment to BigSafe Electric Company, he could be authorizing a fraudulent transfer to Nigeria instead. If an attacker can make a user think that a phishing page is real or alter the communication between him and his bank's server, there is nothing that any form of security, no matter how contrived, can do to stop the thief from submitting a fraudulent transaction.

This system asks you to confirm something without saying what it is you're confirming, and that's dangerous. Worse, if SafePass SMS messages include details about your transactions, they would be sending confidential banking details over an unencrypted channel—which is never a good thing. With the above in mind, SafePass constitutes "security by hand-waving" and doesn't actually make its users any more secure. SMS messages are expensive, and this false sense of security costs BoA's customers anywhere from 2 to 5 cents per message.

What can you do besides keep your machine free of viruses? The best form of internet security, SSL encryption, was first invented way back in 1994. Always check that the URL displayed in your browser is your bank's website and that the URL starts with "https://." Pay attention to any security warnings that your web browser displays. If you learn how to do these things properly, you won't need any other form of "security." While two-factor security devices such as SafePass, smart cards, RSA SecurID tokens, and biometric authentication work great under certain circumstances, none of these things will ever stop phishing attacks.

You should understand it a


You should understand it a little more before you slam it. The code expires, so most phishing and spyware would capture already expired tokens.

How disappointing this is.


How disappointing this is. Bank of America had an opportunity to make an improvement, yet this is still completely vulnerable to malware. They should have opted for transaction-based authentication, not session based authentication.

Look again


It is transaction based, not session based. Just required for high-risk activities, not every time you sign in (unless from an unrecognized computer).
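The last three comments disagree over whether a code is tied to the session or to the transaction, and an earlier one points to the code's expiry. The toy model below is an added example, not Bank of America's SafePass code (the page gives no internals); the key, the validity window and the sample payments are constructed. It shows why a code bound to the payee and amount the user saw cannot confirm an altered transfer, while a session-only code within its window confirms anything.

```python
import hashlib
import hmac

# Constructed demo key: a real bank would keep a per-user secret server-side.
SECRET = b"demo-key-not-for-production"
TTL_SECONDS = 120  # assumed validity window for one code


def _code(message: str, when: float) -> str:
    """6-digit code from an HMAC over the message and a time bucket."""
    bucket = int(when // TTL_SECONDS)
    digest = hmac.new(SECRET, f"{message}|{bucket}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def _verify(message: str, code: str, now: float) -> bool:
    """Accept the current or previous bucket, so a code lives at most 2*TTL."""
    return any(hmac.compare_digest(_code(message, t), code)
               for t in (now, now - TTL_SECONDS))


def issue_session_code(user: str, now: float) -> str:
    """Session-bound code: proves the phone is present, says nothing about the payment."""
    return _code(f"{user}|session", now)


def verify_session_code(user: str, code: str, now: float) -> bool:
    return _verify(f"{user}|session", code, now)


def issue_txn_code(user: str, payee: str, amount_cents: int, now: float) -> str:
    """Transaction-bound code: the SMS would also show payee and amount,
    so the user can check the details before typing the code anywhere."""
    return _code(f"{user}|{payee}|{amount_cents}", now)


def verify_txn_code(user: str, payee: str, amount_cents: int, code: str, now: float) -> bool:
    return _verify(f"{user}|{payee}|{amount_cents}", code, now)


def demo() -> dict:
    """Walk through the cases the thread argues about (constructed data)."""
    t = 1_000_000.0
    shown = ("alice", "BigSafe Electric", 10_000)     # what the user saw
    altered = ("alice", "Attacker Account", 500_000)  # what a tampered page submits
    txn = issue_txn_code(*shown, t)
    sess = issue_session_code("alice", t)
    return {
        "txn_ok": verify_txn_code(*shown, txn, t + 60),
        "txn_altered": verify_txn_code(*altered, txn, t + 60),  # rejected
        "txn_expired": verify_txn_code(*shown, txn, t + 400),   # rejected
        "session_altered": verify_session_code("alice", sess, t + 60),  # accepted
    }
```

The "session_altered" case is the gap the malware and relay comments describe: the code is genuine and fresh, but nothing in it says which payment it approves.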
