WASHINGTON--If your in-box is pelted by a seemingly ever-growing supply of inquisitive e-mails purporting to come from the likes of PayPal and Bank of America, the federal agency charged with consumer protection says it feels your pain.
FTC Chairman Deborah Majoras
The deceptive technique--in which crooks dispatch e-mails requesting sensitive personal information, typically by masquerading as financial institutions--"is one practice that absolutely drives me insane," Federal Trade Commission Chairman Deborah Platt Majoras told attendees at the first National Cybersecurity Awareness Summit, which was put on here Monday by a nonprofit partnership of federal government agencies and software vendors.
That's because phishing, more so than some other forms of cyber malice, is a prime example of a tactic that would all but evaporate if more consumers were better informed of what to look out for, she suggested. (After all, it's also an only slightly higher-tech variant of one of the oldest scams in the book--the "ph" comes from the original telephone-based variety of phony information-seeking.)
"I feel like if we could just teach every consumer what this means, never respond to that kind of contact, and train them to hit delete and not reply, we could clear this up," she said.
To that end, the agency is concocting a new video to supply "important information about phishing" and plotting other ways to "revitalize consumer education efforts," Majoras said. Working with the financial sector to spread the word will be critical because the messages so often rely on confusing consumers with the real thing, she added.
Attempting to go after the enterprising e-mailers in court will play some role, too. Majoras said the commission has already targeted phishers with three civil cases and has also worked closely with the Department of Justice to pursue criminal penalties, which the FTC lacks the authority to levy itself, in the hope of supplying a further deterrent.
At the moment, the FTC has about two dozen open investigations involving corporate data security practices, she said, adding, "where appropriate, we will again take enforcement actions."
But it's questionable whether such actions will really make a dent. Phishing attempts have by far outnumbered any other sort of malicious activity reported to the U.S. Computer Emergency Readiness Team (US-CERT) since 2003, accounting for nearly 42,000 of some 63,000 total reports, Department of Homeland Security cybersecurity czar Greg Garcia told summit attendees.
Still, there's no reason for panic, said Wayne Abernathy, who represents the American Bankers Association. It's actually quite simple--banks don't do business by asking consumers for basic account information via e-mail, he said. "If customers receive e-mails asking for such information, they should consider them to be fraudulent in nature," he told summit attendees.
A bank that guarantees its online users safety and security has direct evidence that its Web-based banking system may not be 100 percent bullet-proof.
Should that bank tell its customers? And if it doesn't, is it misleading, or even worse, lying, to them?
Bank of America logo (Credit: BofA)
Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon. Instead of having its customers log in with just a user name and password, these new schemes require some third bit of information.
Some banks choose to issue their customers a cryptographic hardware token (a keychain with a digital display that spits out a new random number every 60 seconds). Others, especially those banks with less profitable customers, have opted to instead adopt software solutions. The advantage of this, of course, is that they don't have to spend any money to send widgets out to their customers.
BofA's SiteKey two-factor authentication system is essentially a rebadged version of the PassMark system sold by RSA/EMC. Other banks that have licensed the technology include Pentagon Federal Credit Union, Vanguard, and U.K.-based bank Alliance & Leicester. Users of SiteKey and similar systems select a graphical image and phrase, which are then displayed to them every time they log in to the Bank of America Web site from a "trusted" computer (that is, one that BofA has seen before).
According to Bank of America's own numbers (PDF), over 21 million customers use their online banking system. BofA's Web site promises customers that the SiteKey system will keep them safe, stating: "You know it's really us--when you see your SiteKey, you can be certain you're at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."
How SiteKey Works (Credit: Bank of America)
The problem is that all of these schemes--every single one of them--are vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.
On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system. Finally in April 2007, Professor Markus Jakobsson and I announced a working demo of a successful man-in-the-middle attack against SiteKey. Based on advice from lawyers, we did not release an easy-to-use version of the system, nor were we able to provide access to the demo to others online. To provide the factual support for our claims and to demonstrate how relatively easy such an attack would be to perform, we released a screen-captured video of the demo, as well as source code that would allow an advanced user to download the SiteKey image from any remote, untrusted machine.
Our demo got quite a bit of press attention, with mentions in The Register, ZDNet and The Washington Post. One of the main points we tried to make when we put our demo online is that Bank of America is promising its customers something impossible. By telling users that the SiteKey image guarantees they are visiting BofA's Web site--and not a phishing page--Bank of America is giving its users a false sense of security. Were BofA to instead acknowledge the risks of phishing and man-in-the-middle attacks, users might be more cautious when logging into suspect Web sites.
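The following toy simulation is an added illustration, not the authors' demo code and not anything from Bank of America or RSA. It models the three checks discussed above in one process, with constructed data: a SiteKey-style image and phrase, a 60-second token code like the keychain tokens, and, as a contrast that SiteKey does not offer, a response bound to the origin the browser actually connected to. The origins `bank.example` and `bank-example.test`, the security-question shortcut for releasing the image from an unrecognised machine, and the `origin_bound_mac` construction are all assumptions made for the example. Run with both origins, it shows that the image check and the password-plus-token login pass unchanged through a relaying look-alike site, which is the point the demo made, while only the origin-bound response fails there.

```python
# Added toy model (not code from the article, BofA or RSA): why a recognition
# image plus a one-time code still passes through a relaying look-alike site,
# while a response bound to the origin the browser really connected to does not.
import hashlib
import hmac
import secrets
import struct

BANK_ORIGIN = "https://bank.example"        # constructed: the real site
PHISH_ORIGIN = "https://bank-example.test"  # constructed: a look-alike site


def token_code(secret: bytes, now: int, step: int = 60) -> str:
    """Toy 60-second one-time code standing in for a keychain token's display."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


def origin_bound_mac(device_key: bytes, challenge: str, origin: str) -> str:
    """Assumed construction: mix the bank's challenge with the origin the browser sees."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class Bank:
    """Server side: SiteKey-style image, password + token code, origin-bound check."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, **record):
        self.users[user] = record

    def sitekey(self, user, answer):
        # Simplification (assumption): from a machine the bank has not seen before,
        # the image is released after a security-question answer. Whoever forwards
        # the user's own answer therefore receives the genuine image.
        rec = self.users[user]
        return (rec["image"], rec["phrase"]) if rec["answer"] == answer else None

    def login(self, user, password, code, now):
        rec = self.users[user]
        return rec["password"] == password and token_code(rec["token"], now) == code

    def challenge(self):
        return secrets.token_hex(16)

    def verify_bound(self, user, challenge, mac):
        # The bank always verifies against its OWN origin, never one the client supplies.
        expected = origin_bound_mac(self.users[user]["device"], challenge, BANK_ORIGIN)
        return hmac.compare_digest(expected, mac)


class Browser:
    """The user's side: remembers the chosen image/phrase and holds a device key."""

    def __init__(self, user, **creds):
        self.user = user
        self.c = creds

    def recognises(self, shown):
        return shown == (self.c["image"], self.c["phrase"])


def login_via(bank, browser, now, origin_in_address_bar):
    """One login. With BANK_ORIGIN the user talks to the bank directly; with
    PHISH_ORIGIN a look-alike site sits in the middle and forwards every message
    unchanged. Returns which of the three checks passed."""
    c = browser.c
    shown = bank.sitekey(browser.user, c["answer"])           # forwarded verbatim
    image_ok = browser.recognises(shown)                      # genuine image either way
    login_ok = bank.login(browser.user, c["password"],
                          token_code(c["token"], now), now)   # code forwarded within 60 s
    challenge = bank.challenge()                              # forwarded verbatim too
    mac = origin_bound_mac(c["device"], challenge, origin_in_address_bar)
    bound_ok = bank.verify_bound(browser.user, challenge, mac)
    return {"image_check": image_ok, "password_and_token": login_ok, "origin_bound": bound_ok}


def build_demo():
    """Constructed enrolment data for one user."""
    creds = dict(password="correct horse", image="sailboat.png", phrase="blue lagoon",
                 answer="Rover", token=b"constructed-token-seed", device=b"constructed-device-key")
    bank = Bank()
    bank.enroll("alice", **creds)
    return bank, Browser("alice", **creds)


if __name__ == "__main__":
    bank, browser = build_demo()
    print("direct :", login_via(bank, browser, 1_700_000_000, BANK_ORIGIN))
    print("relayed:", login_via(bank, browser, 1_700_000_000, PHISH_ORIGIN))
```

The direct run reports every check as passed; the relayed run still passes the image check and the password-plus-token login, because both are just data the intermediary forwards, and fails only the origin-bound check, because the browser mixed in the look-alike origin and the bank verified against its own. That is the structural reason a recognition image cannot tell a customer which site they are on, whatever back-end fraud scoring sits behind it.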
Shortly after we released the demo, Louie Gasparini, chief technology officer for RSA's Site to User Authentication group was interviewed by Brian Krebs at The Washington Post. He said that our attack demo "overlooks a number of back-end technologies that financial institutions use to detect fraudulent transactions."
"What they're critiquing is just the most visible piece to this technology," Gasparini added. "There is a whole bunch of risk management and fraud detection that goes on behind the scenes so that even if a user's account does get compromised, the bank can still protect that person."
Gasparini's comments mirror those of Betty Riess, a spokeswoman for Bank of America with whom I chatted on Tuesday. Riess made it a point to mention that SiteKey is just one part of BofA's multipronged approach to security. However, she declined to comment further when specifically asked if the text on the SiteKey page is misleading, or if Bank of America has a responsibility to be honest with its users about the risks of man-in-the-middle attacks.
Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?
Watch our video of the man-in-the-middle attack against the SiteKey system, read Bank of America's promises of safety and security on its Web site, and decide for yourself.