- SiteKey
SiteKey is a web-based security system that provides one type of mutual authentication between end users and websites. Its primary purpose is to deter phishing. SiteKey has been deployed by several large financial institutions since 2006, including Bank of America and The Vanguard Group. The product is owned by RSA Data Security, which in 2006 acquired its original maker, Passmark Security.
How it works
SiteKey uses the following challenge-response technique:
# The user "identifies" (not authenticates) himself to the site by entering his username (but not his password). If the username is a valid one, the site proceeds.
# The site authenticates itself to the user by displaying an image and accompanying phrase that he has earlier configured. If the user does not recognize them as his own, he is to assume the site is a phishing site and immediately abandon it. If he does recognize them, he may consider the site authentic and proceed.
# The user authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.
Weaknesses
Under ideal circumstances, SiteKey stands to prevent users from disclosing their login credentials, a disclosure which can lead to exposure of personally identifying information, financial loss and identity theft. However, it offers no immunity against some of the most common phishing scenarios, among them (see [http://www.usablesecurity.org/emperor/ The Emperor's New Security Indicators]):
* It compromises user privacy by requiring users to disclose confidential personal information in response to challenge questions.
* Users are prone to provide their login credentials in the complete absence of a SiteKey dialogue.
* It is susceptible to man-in-the-middle attack.
* It allows bulk harvesting of usernames by phishing sites.
It also raises questions of scalability on behalf of users. Someone associated with N different websites that use SiteKey must remember N different 4-tuples of information: (site, username, phrase, password).
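The three-step exchange described under "How it works", written out as an added toy simulation of both the site side and the user side. This is example code, not SiteKey's or RSA's implementation; the class and function names, the stored image identifier and phrase, and the account "alice" are all constructed for the illustration. The client walk-through returns a distinct outcome for each way the exchange can stop, including the case where the image and phrase do not match what the user enrolled and the user is therefore meant to abandon the site. The comment on step 1 points at the property the Weaknesses section refers to: the site answers a bare username with a yes or no before any authentication has happened.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    """Server-side record created at enrolment (constructed example)."""
    password_hash: bytes
    salt: bytes
    image_id: str   # identifier of the picture the user picked at enrolment
    phrase: str     # the accompanying phrase the user chose


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the toy server never stores the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SiteKeyServer:
    """Toy site side of the SiteKey challenge-response exchange (hypothetical)."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def enrol(self, username: str, password: str, image_id: str, phrase: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(_hash_password(password, salt), salt, image_id, phrase)

    def identify(self, username: str) -> bool:
        # Step 1: the user identifies (does not authenticate) by username only.
        # The yes/no answer here is given before any password is checked, which is
        # the behaviour the Weaknesses section describes as enabling bulk username harvesting.
        return username in self._accounts

    def site_key(self, username: str) -> tuple[str, str]:
        # Step 2: the site authenticates itself by returning the enrolled image and phrase.
        acct = self._accounts[username]
        return acct.image_id, acct.phrase

    def authenticate(self, username: str, password: str) -> bool:
        # Step 3: the user authenticates with the password; constant-time comparison.
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash)


def sitekey_login(server: SiteKeyServer, username: str,
                  expected_image: str, expected_phrase: str, password: str) -> str:
    """User-side walk through the three steps; returns where the exchange ended."""
    if not server.identify(username):
        return "unknown-username"          # step 1: site does not proceed
    image, phrase = server.site_key(username)
    if (image, phrase) != (expected_image, expected_phrase):
        return "abandon-site"              # step 2 failed: treat the site as phishing
    if not server.authenticate(username, password):
        return "bad-password"              # step 3 failed: whole process starts again
    return "logged-in"


def demo() -> dict[str, str]:
    """Run the four possible outcomes against a constructed account."""
    server = SiteKeyServer()
    server.enrol("alice", "correct horse", "img-0042", "blue teapot")
    return {
        "ok": sitekey_login(server, "alice", "img-0042", "blue teapot", "correct horse"),
        "wrong_site_key": sitekey_login(server, "alice", "img-0099", "blue teapot", "correct horse"),
        "bad_password": sitekey_login(server, "alice", "img-0042", "blue teapot", "nope"),
        "unknown": sitekey_login(server, "mallory", "img-0042", "blue teapot", "x"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note that the user-side check in step 2 is the only point at which the site is verified, and it rests entirely on the user comparing the image and phrase against memory; the scalability remark above about remembering N 4-tuples is exactly the cost of that comparison across many sites.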
See also
* Bank of America controversies
External links
* [http://www.ffiec.gov/ffiecinfobase/resources/info_sec/2006/occ-bul_2005-35.pdf Authentication in an Online Banking Environment]
* [http://www.bankofamerica.com/privacy/sitekey/ SiteKey at Bank of America]
* [http://www.phishcops.com/sitekeyMITM.asp SiteKey Man-in-the-Middle Demonstration]
* [http://cr-labs.com/publications/SiteKey-20060718.pdf Fraud Vulnerabilities in SiteKey Security at Bank of America]
Wikimedia Foundation. 2010.