SiteKey

SiteKey is a web-based security system that provides one type of mutual authentication between end users and websites. Its primary purpose is to deter phishing.

SiteKey has been deployed by several large financial institutions since 2006, including Bank of America and The Vanguard Group.

The product is owned by RSA Data Security which in 2006 acquired its original maker, Passmark Security.

How it works

SiteKey uses the following challenge-response technique:
#User "identifies" (but does not authenticate) himself to the site by entering his username, not his password. If the username is valid, the site proceeds.
#Site authenticates itself to the user by displaying an image and an accompanying phrase that he configured earlier. If the user does not recognize them as his own, he is to assume the site is a phishing site and abandon it immediately. If he does recognize them, he may consider the site authentic and proceed.
#User authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.

Weaknesses

Under ideal circumstances, SiteKey prevents users from disclosing their login credentials to a fraudulent site; such disclosure can lead to exposure of personally identifying information, financial loss and identity theft. However, it offers no immunity against some of the most common phishing scenarios, among them those studied in [http://www.usablesecurity.org/emperor/ The Emperor's New Security Indicators]:

* It compromises user privacy by requiring users to disclose confidential personal information in response to challenge questions.

* Users are prone to provide their login credentials even in the complete absence of a SiteKey dialogue.

* It is susceptible to man-in-the-middle attack.

* It allows bulk harvesting of valid usernames by phishing sites, since the first step reveals whether a username is valid before any password is entered.

It also raises questions of scalability for users. Someone associated with "N" different websites that use SiteKey must remember "N" different 4-tuples of information: "(site, username, phrase, password)".
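The three-step flow described under "How it works", and the username-harvesting weakness just listed, as an added Python example that is not part of the article or of any SiteKey deployment. The user store is constructed for the demo, and the optional "decoy" mode is an assumed mitigation, not a SiteKey feature: it answers unknown usernames with a deterministic fake image and phrase so that step 1 no longer reveals which usernames exist.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: username -> (image id, phrase, password).
# Only the demo keeps plaintext passwords; the server stores salted hashes.
USERS = {"alice": ("img_017", "blue kayak", "correct horse")}


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SiteKeyServer:
    """Server side of the three-step SiteKey flow described above."""

    def __init__(self, users, decoy_secret=None):
        self.decoy_secret = decoy_secret  # hypothetical hardening, see step1
        self.db = {}
        for name, (image, phrase, pw) in users.items():
            salt = secrets.token_bytes(16)
            self.db[name] = {"image": image, "phrase": phrase,
                             "salt": salt, "pw": _hash_pw(pw, salt)}

    def step1_identify(self, username):
        """Steps 1-2: user sends username only; site answers with image+phrase."""
        rec = self.db.get(username)
        if rec is not None:
            return {"image": rec["image"], "phrase": rec["phrase"]}
        if self.decoy_secret is None:
            return None  # as described: an unknown username is rejected here
        # Assumed mitigation (not part of SiteKey): a deterministic decoy so a
        # third party cannot tell valid usernames from invalid ones at step 1.
        d = hmac.new(self.decoy_secret, username.encode(), "sha256").hexdigest()
        return {"image": f"img_{int(d[:3], 16) % 1000:03d}", "phrase": f"decoy-{d[3:9]}"}

    def step3_authenticate(self, username, password):
        """Step 3: password check; unknown user and wrong password both give False."""
        rec = self.db.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw"], _hash_pw(password, rec["salt"]))


def client_login(server, username, known_image, known_phrase, password):
    """User side: abandon the site unless the shown image and phrase match."""
    shown = server.step1_identify(username)
    if shown is None:
        return "unknown-username"
    if shown != {"image": known_image, "phrase": known_phrase}:
        return "phish-suspected"  # the article's rule: treat the site as a phish
    return "authenticated" if server.step3_authenticate(username, password) else "retry"
```

In the plain server, comparing the results of `step1_identify` for a valid and an invalid username is exactly the signal a bulk-harvesting site relies on; in decoy mode both calls return a plausible image and phrase.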

Notes

See also

* Bank of America controversies

External links

* [http://www.ffiec.gov/ffiecinfobase/resources/info_sec/2006/occ-bul_2005-35.pdf Authentication in an Online Banking Environment]
* [http://www.bankofamerica.com/privacy/sitekey/ SiteKey at Bank of America]
* [http://www.phishcops.com/sitekeyMITM.asp SiteKey Man-in-the-Middle Demonstration]
* [http://cr-labs.com/publications/SiteKey-20060718.pdf Fraud Vulnerabilities in SiteKey Security at Bank of America]


Wikimedia Foundation. 2010.
