
As described here, some banks use a SiteKey mechanism in an attempt to provide a defense against phishing. (This is a scheme where the user is shown a personalized image (each user has their own custom image) after the user enters their username but before they enter their password. In theory, this is supposed to let the user verify they are on BOA's page, not on a phishing site.) The comments and answers indicate some issues with this approach, but that question wasn't about whether or not the approach is effective.

For future visitors who might be considering using the same scheme, I'd like to have the question on the site:

Is this a valid defense against Phishing? Perhaps not by itself, but as one step in a defense-in-depth strategy, or does this give a false sense of security? If so, is it just useless, or is it more dangerous to employ this scheme because of the false sense of security?

David Stratton

3 Answers

24

SiteKey is not an effective defense against phishing. In principle, it could be helpful for a tiny population of expert users who are very conscientious about examining the image and know how web security works, but those users are rare. However, a mechanism like this really needs to help protect average users, not just computer security experts. And, for typical users, SiteKey is not an effective defense against phishing, for reasons explained below.

The good news is that, today, phishing appears to be relatively low on the scale of risks. Phishing attacks don't seem to be very successful today. Therefore, the deficiencies in SiteKey may be acceptable. That said, SiteKey is mostly security theater: it doesn't add much security, for the typical user.

I should elaborate on how I can make such strong statements. As it happens, this question has been studied in the research literature and there is experimental data on it -- and the data is fascinating. The data turns out to have some surprises for all of us!

Experimental methodology. SiteKey's use of a custom "security images" (and security phrase) has been evaluated in a user study, conducted with ordinary users who were asked to perform online banking in the lab. Unbeknownst to them, some of them were 'attacked' in a controlled way, to see whether they would behave securely or not and whether the security images helped or not.

The researchers evaluated two attacks:

  • MITM attack: The researchers simulated a man-in-the-middle attack that strips off SSL. The only visible indication of the attack is the lack of an HTTPS indicator (no HTTPS in the address bar, no lock icon, etc.).

  • Security image attack: The researchers simulated a phishing attack. In this attack, it looks like the users are interacting with the real bank site, except that the SiteKey security image (and security phrase) is missing. In its place, the attack places the following text:

    SiteKey Maintenance Notice: Bank of America is currently upgrading our award winning SiteKey feature. Please contact customer service if your SiteKey does not reappear within the next 24 hours.

    I find this a brilliant attack. Rather than trying to figure out what security image (or security phrase) to show to the user, don't show any security image at all, and just try to persuade the user that it's OK that there is no security image. Don't try to defeat the security system where it is strongest; just bypass the entire thing by undermining its foundation.

Anyway, the researchers then proceeded to observe how users behaved when they were attacked in these ways (without their knowledge).

Experimental results. The results? The attacks were incredibly successful.

  • Not a single user avoided the MITM attack; every single one who was exposed to the MITM attack fell for it. (No one noticed that they were under attack.)

  • 97% of those exposed to the security image attack fell for it. Only 3% (2 out of 60 participants) behaved securely and refused to log in when hit with this attack.

Conclusions. Let me attempt to draw some lessons from this experiment.

  • First, SiteKey (and security images) is ineffective. SiteKey is readily defeated by very simple attack techniques.

  • Second, when assessing what security mechanisms will be effective, our intuitions are not reliable. Even expert security professionals can draw the wrong conclusions. For instance, I've seen some competent and knowledgeable security folks argue that security images add some security because they force the attacker to work harder and implement a MITM attack. From this experiment, we can see that this argument does not hold water. Indeed, a very simple attack (clone the website and replace the security image with a notice saying the security image feature is currently down for maintenance) is extremely successful in practice.

    So, when the security of a system depends upon how users will behave, it is important to conduct rigorous experiments to evaluate how ordinary users will actually behave in real life. Our intuitions and "from-first-principles" analyses are not a substitute for data.

  • Third, ordinary users don't behave in the way security folks sometimes wish they would. Sometimes we talk about a protocol as "the user will do such-and-such, then the server will do thus-and-such, and if the user detects any deviation, the user will know he is under attack". But that's not how users think. Users don't have the suspicious mindset that security folks have, and security is not at the forefront of their mind. If something isn't quite right, a security expert might suspect she is under attack -- but that's usually not the first reaction of an ordinary user. Ordinary users are so used to the fact that web sites are flaky that their first reaction, upon seeing something odd or unusual, is often to shrug it off and assume that the Internet (or the web site) isn't quite working right at the moment. So, if your security mechanism relies upon users to become suspicious if certain cues are absent, it's probably on shaky grounds.

  • Fourth, it's not realistic to expect users to notice the absence of a security indicator, like an SSL lock icon. I'm sure we've all played "Simon Says" as a kid. The fun of the game is entirely that -- even when you know to look out for it -- it is easy to overlook the absence of the "Simon Says" cue. Now think about an SSL icon. Looking for the SSL icon is not the user's primary task, when performing online banking; instead, users typically just want to pay their bills and get the chore done so they can move on to something more useful. How much easier it is to fail to notice its absence, in those circumstances!

By the way, you might wonder how Bank of America (or other banks who use similar methods) have responded to these findings. After all, Bank of America emphasizes their SiteKey feature to users; so how have they reacted to the discovery that the security image feature is all but useless in practice? Answer: they haven't. They still use SiteKey. And if you ask them about their response, a typical response has been something of the form "well, our users really like and appreciate SiteKey". This tells you something: it tells you that SiteKey is largely a form of security theater. Apparently, SiteKey exists to make users feel good about the process, more than to actually protect against serious attacks.

References. For more details of the experiment I summarized above, read the following research paper:

D.W.
  • Keep in mind BOA is the same geniuses that tell their users, via e-mail, to log in to myfraudalert.com with their boa credentials when BOA detects something they think might be fraudulent. I don't think I've ever sent an angrier e-mail than I sent their customer service the first time I saw that e-mail. Yes, let's train our users to log in to unfamiliar sites with banking credentials to help stop fraud... that'll work! – AJ Henderson Jan 04 '13 at 15:39
  • +1 Your reasoning behind the points First, Second, Third, Fourth are awakening when read together with the experiment details. – gmaran23 May 22 '14 at 13:01
  • Excellent analogy with "Simon Says," I'm going to reuse that! I'm a little confused how the successful MITM (stripping off HTTPS) relates to something like SiteKey. Once the attacker is in a successful MITM situation, aren't a whole host of other security measures defeated as well? In other words, if you're assuming a successful MITM anyway, couldn't you say that e.g. strong passwords are not effective? After all, if you have a MITM which has defeated SSL, all passwords will be plaintext to the attacker, right? Great answer though! I'm just trying to understand your point better. – loneboat Apr 03 '15 at 22:18
  • @loneboat, yup! MITM attacks can defeat a bunch of other mechanisms as well. Note that in a phishing setting (which is what SiteKey was designed to protect against), a MITM attacker doesn't have to defeat SSL (unless the bank is advanced enough to use HSTS): the attacker can just send you to HTTP. – D.W. Apr 03 '15 at 22:37
  • While it may not be very effective with typical users, it also doesn't hurt anything and might help with the small minority of users who understand its purpose. Why should they get rid of it? – Casey Aug 01 '16 at 13:36
5

The answer is no. The reason why is that the scheme, usually called SiteKey, is vulnerable to a Man-in-the-Middle or MITM attack. Anything the site would show you, after you entered your username and any other "pre-authentication" information (such as the jurisdiction your account is in), can be retrieved from the real site by a phishing site; all the phishing site has to do is contact the real site, enter what you just entered, and it will receive the "secret" phrase or image from that site which it can then pass on to you. You then think the site is real and enter your password.

The scheme might be improved on somewhat, perhaps by setting an encrypted cookie containing uniquely identifying information about the device being used, that alters the site's front door in some user-definable way. That would be harder for a MITM to spoof, but still vulnerable, and the data is lost if the cookie expires or the user clears their cached cookies, making the real site unable to prove it's the real site using that method.

The best defense against phishing already exists; sign your site with a trusted X.509 certificate, providing third-party verification that you are who you say you are. Provided that the certificate is properly encrypted and hashed, it's practically impossible to spoof, and it can be used to establish an HTTPS session that turns the user's browser address green (providing the visual feedback that the user is in the right place).

KeithS
  • It isn't valid as a stand alone measure and only amounts to security through obscurity, but knowing the discussion that took place on the other question, I think this question is trying to see if it is beneficial as an additional step in a defense in depth approach, even if it does nothing but raise the technical bar. Perhaps a better way of asking is, does SiteKey have a net positive, net negative, or no effect on the security of a site. – AJ Henderson Jan 02 '13 at 20:34
  • To which the answer is, IMO, "no effect", because any additional bar-raising in forcing a MITM to impersonate the user against the real site is wiped out by the inherent added trust in the faulty system, leading them to disregard more technically-secure methods of server authentication. You (or your attacker) can tell a user that entering their password by submitting it in an e-mail is required in order to be "more secure", and *someone* will believe it. In this case, the inherent weakness is even harder to spot. – KeithS Jan 02 '13 at 20:42
  • Yes, a man-in-the-middle attack is possible, but that's working harder than you need to. As my answer illustrates, simpler attacks work too. And bad guys tend to be lazy; they're all about making money with the least possible effort. So, there are even easier ways to defeat SiteKey. – D.W. Jan 03 '13 at 04:47
  • Also, you seem to have missed that MITM attacks are slightly harder than your answer mentions. Because of the way that BOA uses persistent cookies and machine registration, if you try to mount a MITM attack, then you'll have to prompt the user to answer their security questions (the user has to go through the process for logging in from a new machine that they've never logged in from before). The attack probably *will* work despite that fact, but this is an additional step. – D.W. Jan 03 '13 at 04:48
  • *"The best defense against phishing already exists; sign your site with a trusted X.509 certificate ... it's practically impossible to spoof"* - There is strong evidence in the research literature that this is much less effective (in practice) than you might think. You might think that this would be a good defense, but the data shows otherwise. Many users do not notice the certificate. In particular, most users do not notice the absence of a lock icon or a green glow when on a phishing site. So, while I agree that using SSL sitewide with an EV cert is a good idea, it's not a silver bullet. – D.W. Jan 03 '13 at 04:52
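The answer above suggests that the scheme could be improved by binding the personalized image to a device-identifying cookie, so that knowing a username alone is no longer enough to retrieve the image. The following is an added example (not code from the answer, from Bank of America, or from any real SiteKey implementation) of what that binding looks like in a server, using an HMAC-authenticated token in place of the encrypted cookie the answer proposes; the server key, the usernames, the image records and the token layout are all constructed for the demo, and the "pre-password" lookup function is hypothetical. It also makes the answer's caveat concrete: once the cookie is gone, the real site can no longer show the image either.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed demo values. A real deployment keeps the key in a key store and
# the per-user personalization records in its user database.
SERVER_KEY = b"constructed-demo-key-not-for-production"
SECURITY_IMAGES = {
    "alice": ("sailboat.png", "my blue boat"),
    "bob": ("cactus.png", "prickly friend"),
}


def _mac(payload: bytes) -> str:
    """HMAC-SHA256 over the token payload under the server-held key."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_device_token(username: str) -> str:
    """Issued only after a fully authenticated login on a new device.

    The token binds a fresh random device nonce to the username; without
    SERVER_KEY nobody can mint a valid token for a username they merely know.
    Layout (constructed for this demo): base64url(username).nonce.mac
    """
    nonce = secrets.token_hex(16)
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    payload = f"{user_b64}.{nonce}".encode()
    return f"{user_b64}.{nonce}.{_mac(payload)}"


def verify_device_token(username: str, token: Optional[str]) -> bool:
    """True only if the token is well-formed, authentic, and for this username."""
    if not token:
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    user_b64, nonce, mac = parts
    try:
        token_user = base64.urlsafe_b64decode(user_b64.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    if token_user != username:
        return False
    expected = _mac(f"{user_b64}.{nonce}".encode())
    # constant-time comparison; compare bytes so a non-ASCII mac cannot raise
    return hmac.compare_digest(expected.encode(), mac.encode())


def security_image_for(username: str, token: Optional[str]) -> Optional[Tuple[str, str]]:
    """Hypothetical pre-password step.

    Only a request carrying this user's own device token gets the image.
    No cookie, someone else's cookie or a forged cookie all get None, and the
    real site would fall back to its new-device flow without showing the image.
    That fallback is exactly the caveat in the answer: a user who cleared
    cookies sees the same "no image" page a relay would produce.
    """
    if not verify_device_token(username, token):
        return None
    return SECURITY_IMAGES.get(username)


if __name__ == "__main__":
    tok = issue_device_token("alice")
    print("own device:", security_image_for("alice", tok))
    print("cookies cleared:", security_image_for("alice", None))
    print("relay holding only the username:", security_image_for("alice", "YWxpY2U=.00.00"))
```

The point the example makes is that the image is now gated on a secret the client holds, not just on the username, so a site that relays the username to the real bank receives nothing to display. What it does not fix is the other attack in this thread: a phishing page can still omit the image entirely and claim the feature is down for maintenance, and the study cited above shows most users accept that.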
4

The main risk is that such a mechanism is generally presented to the user as a way to know that the site is actually the site. In this regard, it provides no meaningful security and should not be explained to a user as such, since a phishing site could simply act as a client and scrape the information from the page and redisplay it. In fact, even without explanation, many users think of such a customization as proving that the site is the correct site due to explanations from other major sites that use it. This can lead to phishing attacks that pass a minimal bar of complexity to be more effective.

That said, with proper user education it may be a beneficial feature for phishing detection for the site administrators. It does raise the technical bar a little for a phishing attack and requires a more comprehensive attack to prevent the site using it from being able to tell where the phisher is coming from. That said, it is still possible for a man in the middle to pull the information from the legitimate host and with the abundance of botnet resources, it would be possible to request the image from a variety of IP addresses that do not match with the phishing site to keep the targeted institution from getting any meaningful information about the attack (though it would burn one bot per detected phishing attempt).

Overall, I personally don't think that there are many situations where it nets out to a beneficial gain as proper user education can teach a user to check the SSL certificate which is a far better indicator of site authenticity. Knowledge Based Authentication (at least in the SiteKey style implementation) only is really "useful" for uneducated users and it fails completely in that context.

AJ Henderson
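The answer above notes that the one thing a security-image scheme does give the bank is a detection signal: when a phishing site relays usernames to fetch images, those fetches arrive from the phisher's host rather than from the victims, and the answer adds the caveat that spreading the fetches across a botnet blunts that signal. The following is an added example, not code from the answer or from any bank, of the server-side detection a site operator could run over its own access logs. The log format, the endpoint path `/sitekey/image`, the IP addresses and the usernames are all constructed for the demo; the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample for the bank's image endpoint (hypothetical path).
# Fields: client ip, timestamp, request line, Referer.
LOG_LINES = [
    '203.0.113.7 [2013-01-03T10:00:01] "GET /sitekey/image?user=alice" "https://bank.example/login"',
    '203.0.113.9 [2013-01-03T10:00:05] "GET /sitekey/image?user=bob" "https://bank.example/login"',
    # one host fetching many different users' images inside a few seconds: relay behaviour
    '198.51.100.20 [2013-01-03T10:01:00] "GET /sitekey/image?user=alice" "-"',
    '198.51.100.20 [2013-01-03T10:01:02] "GET /sitekey/image?user=bob" "-"',
    '198.51.100.20 [2013-01-03T10:01:03] "GET /sitekey/image?user=carol" "-"',
    '198.51.100.20 [2013-01-03T10:01:07] "GET /sitekey/image?user=dave" "-"',
    # the botnet variant the answer describes: one distinct host per fetch
    '192.0.2.11 [2013-01-03T10:02:00] "GET /sitekey/image?user=erin" "-"',
    '192.0.2.12 [2013-01-03T10:02:01] "GET /sitekey/image?user=frank" "-"',
]

LINE_RE = re.compile(r'^(\S+) \[(\S+)\] "GET /sitekey/image\?user=([^"\s]+)" "([^"]*)"$')
BANK_ORIGIN = "https://bank.example"  # constructed


def parse_log(lines):
    """Keep only hits on the image endpoint, parsed into dicts."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, user, referer = m.groups()
        records.append({"ip": ip, "time": datetime.fromisoformat(ts),
                        "user": user, "referer": referer})
    return records


def fanout_alerts(records, window=timedelta(minutes=5), threshold=3):
    """IPs that fetched images for >= threshold distinct usernames within one window.

    A genuine customer's browser asks for one user's image; a relay asks for
    every victim's image from the same place. Sliding window per IP.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["time"])
        in_window = Counter()  # distinct users currently inside the window
        start = 0
        for end, r in enumerate(hits):
            in_window[r["user"]] += 1
            while hits[end]["time"] - hits[start]["time"] > window:
                old = hits[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[ip] = {h["user"] for h in hits}
                break
    return alerts


def referer_alerts(records):
    """Image fetches not referred from the bank's own login page (weak signal)."""
    return [(r["ip"], r["user"]) for r in records
            if not r["referer"].startswith(BANK_ORIGIN)]


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("fan-out alerts:", fanout_alerts(recs))
    print("off-site referers:", referer_alerts(recs))
```

Run against the sample, the fan-out rule flags only `198.51.100.20`; the two botnet lines fetch one user each and slip under the threshold, which is exactly the evasion the answer describes, so the operator is left with weaker signals such as the missing Referer. The Referer check is deliberately labelled weak: it is client-supplied, browsers and privacy extensions strip it legitimately, and a relay can set it to anything, so it is a triage hint rather than a verdict.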