Financial Institutions’ Anti-Phishing Technology Inadequate
Security professionals have long cautioned that some of the anti-fraud systems deployed by several major financial institutions may be lulling online banking customers into a false sense of security. On April 10, 2007, two university researchers released a demonstration intended to establish that point.
To substantiate their claim, the two Indiana University researchers published proof-of-concept software showing how phishers could position themselves as a man-in-the-middle to defeat SiteKey's defenses.
SiteKey lets banks display a personalized image of the customer's choosing as soon as the customer accesses their online banking account. If the customer logs in from a public PC, or from any machine whose IP address the bank has not previously seen associated with that customer's identity, SiteKey first prompts the customer to answer one of several pre-set "security questions."
In a video demonstrating how the phishing attack works, PhD student Christopher Soghoian and Indiana University professor Markus Jakobsson describe how the software would operate against Bank of America's (BoA) implementation of SiteKey.
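To make the login flow described above concrete, here is a simplified bank-side model of it. This is an added illustration, not code from the article, from Bank of America or from RSA; the customer record layout, the sample data and every function name are assumptions made for the model. Only the three stages (identify the customer, challenge on an unrecognised IP, show the image before any password is entered) come from the article's description. The point it makes visible is that the image is released on the strength of data (name, state, security answer) that is entered before the password.

```python
"""Simplified model of the SiteKey login flow described in the article.

Added illustration; not the bank's or RSA's code. All identifiers and sample
values below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Customer:
    """Hypothetical bank-side record for one online-banking customer."""
    username: str
    state: str            # state of residence, asked for at stage 1
    image: str            # label standing in for the customer-chosen SiteKey image
    password: str
    known_ips: set        # IP addresses previously seen with this customer
    question: str         # one pre-set security question
    answer: str           # expected answer, stored lower-cased


# Constructed sample record (hypothetical customer, hypothetical values).
BANK_DB = {
    "alice": Customer(
        username="alice", state="IN", image="sailboat.png",
        password="correct-horse", known_ips={"198.51.100.7"},
        question="First pet's name?", answer="rex",
    ),
}


def identify(username: str, state: str, client_ip: str) -> Optional[Tuple[str, str]]:
    """Stage 1: the client has supplied only a name and a state.

    Returns ('image', image) when the IP is already associated with the
    customer, ('challenge', question) when it is not, and None for an
    unknown name/state pair. No password has been requested yet.
    """
    cust = BANK_DB.get(username)
    if cust is None or cust.state != state:
        return None
    if client_ip in cust.known_ips:
        return ("image", cust.image)
    return ("challenge", cust.question)


def answer_challenge(username: str, answer: str) -> Optional[str]:
    """Stage 2: a correct security answer releases the image.

    Still no password involved: whoever supplied the name, state and answer
    to the bank is shown the customer's image.
    """
    cust = BANK_DB.get(username)
    if cust is None or answer.strip().lower() != cust.answer:
        return None
    return cust.image


def check_password(username: str, password: str) -> bool:
    """Stage 3: the password is only collected after the image has been shown."""
    cust = BANK_DB.get(username)
    return cust is not None and password == cust.password


def image_seen_before_password(username: str, state: str,
                               client_ip: str, answer: str) -> Optional[str]:
    """Walk stages 1 and 2 as a browser would and report which image, if any,
    the bank has displayed before a password is ever typed."""
    result = identify(username, state, client_ip)
    if result is None:
        return None
    kind, payload = result
    if kind == "image":
        return payload
    return answer_challenge(username, answer)


if __name__ == "__main__":
    # Recognised IP: image shown with no challenge.
    print(image_seen_before_password("alice", "IN", "198.51.100.7", ""))
    # Unrecognised IP: image shown as soon as the security answer is correct.
    print(image_seen_before_password("alice", "IN", "203.0.113.9", "rex"))
```

Run as a script it prints `sailboat.png` twice. The model shows why the image alone cannot tell a customer who is on the other end of the connection: the bank releases it to the party that holds the session with the bank and supplies the right name, state and answer, and nothing in the exchange binds the image to the customer's own machine. That is the property the researchers' demonstration exploits and the reason the article's critics point to back-end transaction monitoring rather than the image as the control that has to catch the fraud.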
"We exhort the client to provide his/her name and the state where he/she is domiciled. Our computer, and not the client's server, next directs that data to BoA. We convey the security question that BoA poses to the client, and later return the client's reply to BoA. The bank responds by passing on the SiteKey icon and the header. Armed with that, we're able to satisfy the client that we're the genuine BoA site, and after that can urge the client for his/her access code, to gain access to BoA's website, and from this period onwards, we have total command over their Internet banking session. It's vital to observe that the client never directly links up with BoA, and also the bank never interacts straight away with the client. Every individual thinks that we (the prospective phisher) are actually the legal other part of the login session."
Louie Gasparini, chief technology officer for RSA's Site to User Authentication team, said in a report published by washingtonpost.com on April 10, 2007, that the Indiana University researchers' demonstration ignores several back-end systems that financial institutions use to detect fraudulent transactions.
SPAMfighter News - 19-04-2007