Nov 15th, 2005

    Anti-phishing with shared secrets


    When I access my BofA account, I engage in information exchange in order to allow me access and prevent others from accessing my account. The information exchange is based on two forms of identification. BofA identifies itself through a Web page and URL that I recognize, and I identify myself through account number and password that they recognize. Only one of these two identifications is secure.

    The BofA Web page and URL are not a secret, and so it’s easy to create a look-alike Web page with a look-alike URL: http://www.Bank0fAmerica.com would fool a lot of people.

    To lure people in, phishing sites send e-mails with self-fulfilling prophecies. The e-mail reports illegal account access or some spurious activity you don’t remember making — those will take place if you actually click the link and log in. Avoiding phishing is dead simple: never click on the link, no matter how legitimate it looks; always open your browser, go to the site yourself, and take it from there.

    Phishing works only because most people don’t know that they should do that.
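    The "go to the site yourself" rule can be turned into a check on the link itself. The following is an added example, not code from the post or from BofA: it extracts the host from a URL, folds digits and symbols that imitate letters (so Bank0fAmerica.com collapses to bankofamerica.com), and flags names that imitate a known host. The KNOWN_HOSTS allow-list and the homoglyph mapping are constructed for the illustration.

```python
from urllib.parse import urlsplit
import unicodedata

# Constructed allow-list of genuine hosts for this illustration (an assumption, not from the post).
KNOWN_HOSTS = {"bankofamerica.com", "paypal.com", "amazon.com", "yahoo.com"}

# Digits and symbols commonly substituted for letters in look-alike names (constructed mapping).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})


def normalized_host(url: str) -> str:
    """Lower-cased ASCII host of a URL; a scheme is prepended if missing so urlsplit can parse it."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    # Fold accented or full-width characters toward ASCII, dropping anything that will not fold.
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return host.lower().strip(".")


def skeleton(host: str) -> str:
    """Host with look-alike digits/symbols replaced by the letters they imitate."""
    return host.translate(HOMOGLYPHS)


def classify_link(url: str) -> str:
    """'genuine' for a known host or its subdomain, 'lookalike' for a name that imitates one,
    'unknown' otherwise."""
    host = normalized_host(url)
    for known in KNOWN_HOSTS:
        if host == known or host.endswith("." + known):
            return "genuine"
    folded = skeleton(host)
    for known in KNOWN_HOSTS:
        # Bank0fAmerica.com collapses to bankofamerica.com once the 0 is read as an o.
        if folded == known or folded.endswith("." + known):
            return "lookalike"
        # bankofamerica.com.example.net or secure-paypal.com: the brand name appears in a
        # label of a host that is not under the genuine domain.
        brand = known.split(".")[0]
        if any(brand in label for label in folded.split(".")):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the look-alike URL from the post.
    for link in ("https://www.bankofamerica.com/login", "http://www.Bank0fAmerica.com",
                 "http://bankofamerica.com.example.net/", "https://example.org/"):
        print(f"{link:45} -> {classify_link(link)}")
```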

    SiteKey: Passwords for merchants

    I applaud BofA for taking a first step to counteract phishing. Yesterday, when logging into my account, I was asked to add SiteKey identification. SiteKey is a password that BofA uses to identify itself to me (reverse login?), so I can trust the Web site before providing my username and password.

    To create a SiteKey identification I had to select an image from a bunch of stock photographs and pick a title. In the future, whenever I log in to BofA, they’re going to display that image along with the title, so I’ll be able to tell that I’m accessing the genuine Web site. The chances of a phishing site picking the same image I picked, with the same title? Zero.

    Almost a fool-proof system.

    SiteKey’s insecurity?

    The problem with phishing, as I noted above, is not the technology but human nature. It’s human nature that when you receive an e-mail about an unexpected withdrawal from your account, you’re going to panic and click on the link. It’s effective, as is any method that relies on predictable human behavior. Which is exactly where SiteKey falls short.

    I could always identify a site if it used a picture of me. Better yet, a picture of my girlfriend would be easy to recognize but harder to attack. Family members, pets, past events, favorite bands, are all good means of identification. Images that are personal and memorable are the best form of identification.

    Not so with stock images. Daisies? Clay pots? Rock formations?

    In the five minutes I played with SiteKey, I got to see three pictures of different rock formations in the desert. Whichever one I pick, if next week a phishing site decides to show me the other one, they could easily fool me. I’m just not going to remember that my rock formation faces the East, and be alarmed by a rock formation facing the South. Unmemorable images are just that … unmemorable.

    In fact, it gets worse. Imagine having an image of roses to access Yahoo, a bridge on a river to access Amazon, and a country house to access PayPal. Now, all you need to fool me into a phishing site is a stock photo from one of four common topics. The more sites that use SiteKey, the less effective it becomes. How many sites are needed before it becomes totally insecure?

    Overall, SiteKey is a good idea, heading in the right direction, solving a serious security problem. But to work the identification needs to be personal and memorable, and stock photography doesn’t cut it.
