Some South African banks are claiming their sites are secure, despite the fact that folks continue to lose money through phishing exploits.
For those who just tuned in, phishing is a process whereby you get an email (in this case, from a financial institution), asking you to log into your account to clean up some administrative issue. You click the link in the email, and are immediately directed to a fake website that looks like your bank’s. As you enter your username and password, a thief is getting it instead of the bank’s systems, and the thief then uses it to log into the real bank site and empty your account.
Note that this is a single-step process that requires no additional validation. The only bank I have seen of late that has figured this out is Bank of America. They require you to enter a valid account number and the state the account is located in. You are then redirected to another entry page, where you are presented with an image and a keyword (both preselected by you), at which time you enter your password and proceed. That is a multi-step process, and one that would be relatively hard to exploit via a phishing lure, unless you aren’t paying attention to the image and keyword. I might also suggest that Bank of America require its customers to change said image and keyword (or at least re-validate that data) every sixty days or so, to keep customers on their toes.
Nevertheless, this is the only bank I’ve seen doing this (and I’ve seen quite a few bank front ends). Kudos to B of A – to the rest, well, good luck with those claims.
PS: Spamroll was not paid to shill B of A, and Michael doesn’t own any Bank of America stock either.
It seems Ed Falk, whose comment below outlined the fact that even two-factor authentication was subject to man-in-the-middle attacks, was entirely on target (and quite timely in his comment as well). Phishers have thwarted the process using exactly that.
Note that the Citibank system used a physical token that generates additional passwords (which recycle every minute). I’m not fond of such devices, but given that the phishing site described can also relay error messages back to the victim, it could be used to get around additional server-side authentication measures as well. The site in question has already been shut down, something that likely happened as a result of someone monitoring those returned messages to Russia.
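As an added illustration (not code from this post or from either bank), here is a toy model of the two mechanisms discussed above: the two-step image/keyword login, which a static lookalike page cannot reproduce because only the real server holds the customer record, and a minute-rotating token, which a replayed code fails once the minute has passed, so only a live relay of the kind Ed Falk described gets through. The customer record, seed, and HOTP-style truncation are all constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: one customer record (account, state) -> pre-chosen
# image and keyword, password, and the seed of a stand-in hardware token.
SITEKEY_DB = {
    ("12345678", "CA"): {"image": "sailboat.png", "keyword": "blue sky",
                         "password": "correct horse", "seed": b"constructed-seed"},
}
TOKEN_PERIOD = 60  # the token value rolls over every minute


def token_for(seed: bytes, now: int) -> str:
    """Time-based one-time code; simplified HOTP-style truncation (assumption)."""
    counter = (now // TOKEN_PERIOD).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class BankServer:
    def __init__(self):
        self.sessions = {}  # one-shot session id -> customer record

    def step1(self, account: str, state: str):
        """Reveal the customer's image and keyword only for a valid
        account/state pair. A lookalike page has no such database, so it
        cannot show the right image; that is what the customer should check."""
        rec = SITEKEY_DB.get((account, state))
        if rec is None:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = rec
        return sid, rec["image"], rec["keyword"]

    def step2(self, sid: str, password: str, token: str, now: int) -> bool:
        """Check password and token. The token is only valid during its own
        minute, so a code captured and used later is rejected; a relay that
        forwards it within the same minute is not, which is the page's point."""
        rec = self.sessions.pop(sid, None)
        if rec is None or not hmac.compare_digest(password, rec["password"]):
            return False
        return hmac.compare_digest(token, token_for(rec["seed"], now))
```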
Discussion on this at Bruce Schneier’s blog.