2-factor, 2-way authentication - the death knell for phishers?

By deepsand ·
Assuming that this technique is sufficiently widely adopted, what impact will it have in the long run?

While the immediate impact would most likely be the realization of the desired goal, how might phishers and their ilk adapt, ultimately either defeating this measure or devising new avenues of attack?


May 26, 2005

Bank Of America Fights Phishing With New Authentication

By Gregg Keizer Courtesy of TechWeb News
Bank of America, plagued by phishers targeting its 13.2 million online banking customers, on Thursday debuted a new two-factor, two-way authentication scheme in an attempt to deflect identity theft and reduce fraud.
Dubbed SiteKey, the free service allows customers to pick an image, write a brief phrase, and select three challenge questions. The information is then passed back and forth between the customer and Bank of America to confirm each other's identity. SiteKey will debut in Tennessee, said the Charlotte, N.C.-based bank, and roll out nationwide by the end of the year.

Phishers, who try to deceive users into divulging confidential financial information such as bank and credit account numbers, typically use faux Web sites that only look legit. A Bank of America customer registered with SiteKey, for instance, would immediately know that a phishing site was bogus when it wasn't able to provide the proper challenge question.

The same goes in more dire situations, when phishers have hijacked the account username and password via keylogging spyware, a trend that's gaining in popularity among miscreants. Even with that info, the thief won't be able to access a Bank of America account, since he couldn't answer the challenge.

On the customer's side, SiteKey prevents spoofing by letting customers confirm that they're at the real Bank of America site. If after clicking the SiteKey button, the right secret image and phrase don't appear, the customer knows it's a bogus site.

Using SiteKey is like getting a safe deposit box that takes two keys to open, Bank of America executives said. Before the customer and the bank agree to open the box together, they confirm each other's identity. "SiteKey helps you know it's us and we know it's you," said Sanjay Gupta, an exec in Bank of America's e-Commerce group, in a statement.

SiteKey's technology is provided by PassMark Security, a Redwood City, Calif.-based authentication vendor.

"Consumers want a safe online environment, but how do they know when they're safe?" said Bill Harris, the chairman of PassMark, in a statement accompanying Bank of America's announcement. "What's striking about the PassMark System is that it's very consumer visible, and that has to be reassuring to the bank's customers."

According to the Anti-Phishing Working Group, more than 80 percent of all phishing attacks target customers of financial organizations such as banks. Bank of America is one of the brands more often hit by phishers, due to its huge size. The bank claims more than 13 million online banking customers and says that 6.4 million of its users pay bills online.
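The two-way exchange the article describes, modelled as an added example that is not Bank of America's or PassMark's code: the enrollment record, the device-recognition rule and the ordering (challenge question before the image on an unfamiliar device) are assumptions for illustration.

```python
import hashlib, hmac, secrets


class Bank:
    """Server side of a SiteKey-style login (constructed model, not PassMark's code)."""

    def __init__(self):
        self.users = {}  # username -> enrollment record

    def enroll(self, user, password, image, phrase, challenges, device):
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt,
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "image": image, "phrase": phrase,  # the secret the bank shows to prove itself
            "challenges": challenges,          # question -> answer, asked on unfamiliar devices
            "devices": {device},               # assumption: devices the bank recognizes
        }

    def sitekey(self, user, device):
        """Step 1: customer sends only a username; an unfamiliar device is challenged first."""
        rec = self.users[user]
        if device not in rec["devices"]:
            return ("challenge", next(iter(rec["challenges"])))
        return ("sitekey", (rec["image"], rec["phrase"]))

    def answer_challenge(self, user, device, question, answer):
        """Step 1b: a correct answer registers the device and releases the SiteKey."""
        rec = self.users[user]
        if hmac.compare_digest(rec["challenges"].get(question, ""), answer):
            rec["devices"].add(device)
            return self.sitekey(user, device)
        return ("denied", None)

    def login(self, user, device, password):
        """Step 2: the password counts only from a device that passed step 1, so a
        keylogged username and password alone do not open the account."""
        rec = self.users[user]
        if device not in rec["devices"]:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(digest, rec["pw"])


def customer_accepts_site(shown, enrolled_image, enrolled_phrase):
    """Customer side: type the password only if the site showed the right secret;
    a spoof site that never saw the enrollment cannot produce it."""
    return shown == ("sitekey", (enrolled_image, enrolled_phrase))
```

The customer-side check is the only thing a look-alike site fails, which is why the thread below keeps returning to the user as the weak point.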

9 total posts (Page 1 of 1)  

Not the end

by Dr Dij In reply to 2-factor, 2-way authentic ...

They're only one bank using this.
All the other banks and online institutions will be targets till they beef up their systems.

And I'm not sure some customers won't be confused and type in their info anyway. Since it authenticates the actual site heavily but does nothing to prevent clicking on a phisher site from an email (instead depending on people, which is less reliable), it won't wipe them out.

Of course it is a step in the right direction.

Agreed

by Jellimonsta In reply to Not the end

It is very much a step in the right direction; however, it does rely on the user to determine the site's legitimacy upon retrieval of the image and pass phrase.


But, what is your answer?

by deepsand In reply to Agreed




by Jellimonsta In reply to But, what is your answer?

If I had it I wouldn't be working 8-5 M-F!
In all seriousness though, culture will continue to have a dramatic effect on technology, and I am not sure if it is going to be positive or negative.

The human factor is always going to be the weakest link in any security solution. We are social creatures, hence, the success of social engineering.


2 points, and the question.

by deepsand In reply to Not the end

1) The question as posed assumed a sufficiently widespread adoption of this or a similarly strong method of authentication.

2) The number of stupid users is independent of the security measures & practices implemented.

So, the question becomes this.

When the number of viable marks falls below a certain threshold, so that phishing as we now know it ceases to be an economically beneficial activity, will the phishers find a way to remain in business; and, if so, by what means?


Some big assumptions

by jmgarvin In reply to 2 points, and the questio ...

While in a perfect world I think you would be right, I think the problem is that:
1) Every bank will develop their own authentication methods
2) Ah, stupid users...I think as long as they exist, no matter how strong the security they will still be taken advantage of...

I don't think the number of viable marks will ever fall below a certain threshold..."There's a sucker born every minute."

Phishers have very little overhead, so they don't need much to stay in business...


Follow the money.

by deepsand In reply to Some big assumptions

When asked why he robbed banks, Willie Sutton replied "Because that's where the money is."

If sufficiently secure authentication practices are adopted on a widespread basis, the time will come when the only accessible marks are the stupid users. I do not believe that there will then be enough money to be had from them alone for the satisfaction of the con artists.

Given the then reduced number of "banks" that can be easily robbed, there are but 2 logical outcomes:
1) The "demand" by the con men will diminish to reach equilibrium with the "supply" of money to be had; or,
2) The con men will find new "banks" that can be robbed, thereby restoring the "supply" to match the "demand."

So, the question remains. How might the 2nd outcome be realized by the con artists?


Maybe, or maybe not

by w32 In reply to 2-factor, 2-way authentic ...

As far as I am concerned, I feel that 2-Factor Authentication may be a difficult hurdle for phishers online. 2FA is effective; however, it depends on how it is implemented.

Can 2FA ever be implemented in such a way that phishers can't steal it?

The only time when phishers can't steal information is when both parties, the users and the banks, are vigilant. You can have the best security technology in the world. However, with a little slip of carelessness, information can still be stolen.

Probably the only time when phishers will cease to exist is when suddenly the world starts to have barter trade again. No technology needed, no security needed. Just you, your item, a willing trader and his item.


News Flash (July 2007) Two factor authentication hacked

by robo_dev In reply to 2-factor, 2-way authentic ...

2FA does not protect against real-time MITM phishing attacks.
