"A Deceit-Augmented Man In The Middle Attack Against Bank of America's SiteKey ® Service " (seen on slashdot)
From: Paul Vixie <paul () vix com>
Date: Thu, 12 Apr 2007 18:19:55 +0000
We present this demonstration of a "deceit-augmented man in the middle attack"
against the SiteKey ® service used by Bank of America (the underlying
technology is also used by other companies). This, or a similar attack, could
be used by a phisher to deceive users into entering their login details to a
fraudulent website. BoA's own website tells users: "[W]hen you see your
SiteKey, you can be certain you're at the valid Online Banking website at Bank
of America, and not a fraudulent look-alike site. Only enter your Passcode
when you see the SiteKey image and image title you selected."
We believe that this statement is not completely true, as our deceit-augmented
man-in-the-middle attack shows. Whereas a normal man-in-the-middle attack
identically replicates the attacked site, a deceit-augmented man-in-the-middle
attack may present the user with a slightly different user interface than the
regular interface. Man in the middle (MiTM) attacks are not a new threat -
they have been known about for a number of years, and phishers have already
used them to target Citibank and other online banks.