Is your bank as secure as you think it is? Does that SiteKey really do anything for you?

According to Chris Soghoian, a graduate student in the School of Informatics at Indiana University, your bank is not nearly as secure as they're telling you.
The problem is that all of these schemes–every single one of them–are vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.
On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system. Finally in April 2007, Professor Markus Jakobsson and I announced a working demo of a successful man-in-the-middle attack against SiteKey.
Soghoian provides a video of the SiteKey hacking in progress on his site.
It is discouraging to see him emulate Bank of America's SiteKey system, especially when BofA uses this to guarantee customers they are on the official site.
But as a safe online banker, you need to make sure that you are on the right site … so CHECK THE URL! If it isn't the right URL, don't provide your information no matter what.

