Some banks claim their sites are phishing-proof

Some South African banks are claiming their sites are secure, despite the fact that folks continue to lose money through phishing exploits.

For those who just tuned in, phishing is a process whereby you get an email (in this case, from a financial institution), asking you to log into your account to clean up some administrative issue. You click the link in the email, and are immediately directed to a fake website that looks like your bank’s. As you enter your username and password, a thief is getting it instead of the bank’s systems, and the thief then uses it to log into the real bank site and empty your account.

Note that this is a single-step process, and requires no additional validation. The only bank I have seen of late that has figured this out is Bank of America. They require you to enter a valid account number and the state the account is located in. You are then redirected to another entry page, where you are presented with an image and a keyword (both preselected by you), at which time you enter your password and proceed. That is a multi-step process, and one that would be relatively hard to exploit via a phishing lure, unless you aren’t paying attention to the image and keyword. I might also suggest that Bank of America require its customers to change said image and keyword (or at least re-validate that data) every sixty days or so, to keep customers on their toes.

Nevertheless, this is the only bank I’ve seen doing this (and I’ve seen quite a few bank front ends). Kudos to B of A – to the rest, well, good luck with those claims.

PS: Spamroll was not paid to shill B of A, and Michael doesn’t own any Bank of America stock either.


It seems Ed Falk, whose comment below outlined the fact that even two-factor authentication was subject to man-in-the-middle attacks, was entirely on target (and quite timely in his comment as well). Phishers have thwarted the process using exactly that.

Note that the Citibank system used a physical token that generates additional passwords (which recycle every minute). I’m not fond of such devices, but given that the phishing site described can also return error messages, it could be used to catch additional server-side authentication measures as well. The site in question has already been shut down, something that likely happened as a result of someone monitoring those returned messages to Russia.

***UPDATE 2***

Discussion on this at Bruce Schneier’s blog.


Rui Curado says:

I don’t know how this works in other countries, but at least in my bank in Portugal, they send me a simple “matrix” card with 2-digit codes that I must enter to authorize a transaction. Even if the phishers get my login details, they will only be able to check my balance and operations history…

How does this work for other countries?

Ed Falk says:

My credit union does the same thing. I agree that it may make more work for the phisher, but that’s as far as it goes. A simple man-in-the-middle attack would work here.

For readers, “man-in-the-middle” means someone getting in the way of your encrypted communications with the bank. Certainly a threat (even with SSL), but it is certainly not a passive activity for miscreants like phishing can be – it is more active eavesdropping versus waiting for emails with usernames and passwords to show up. (h/t to Ed at The Spam Diaries for pointing this out).

Rui Curado says:

Ed, I am not so sure if a man-in-the-middle attack would work in my case. The card the bank sends me has something like 80 different codes. When I perform a transaction, the webserver asks me for a specific code, like “Type in the code located at B7”. Next transaction will ask a different code. Even with eavesdropping, you would only get the last code I used, not the next one.

It is a very simple concept IMHO and I wonder why not every bank uses this method…
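
The matrix-card check described in the comments above, as an added example (not part of the original post or comments, and not any bank's code): it shows a code captured in one transaction failing against the next challenge, and marks in `authorize` what the check does not cover. The class and function names, the 8 x 10 layout and the card contents are constructed assumptions.

```python
import hmac
import secrets

ROWS, COLS = "ABCDEFGH", range(1, 11)  # 8 x 10 = 80 cells ("something like 80")

def constructed_card():
    """Constructed sample card: 80 distinct two-digit codes (a real card would be random)."""
    cells = [f"{r}{c}" for r in ROWS for c in COLS]
    return {cell: f"{(i * 37 + 11) % 100:02d}" for i, cell in enumerate(cells)}

class GridCardVerifier:
    """Bank-side check (hypothetical): one random, never-reused cell per transaction."""

    def __init__(self, card):
        self.card = card
        self.unused = set(card)   # cells not yet challenged
        self.pending = None       # cell of the outstanding challenge

    def challenge(self):
        if not self.unused:
            raise RuntimeError("card exhausted, issue a new one")
        self.pending = secrets.choice(sorted(self.unused))
        self.unused.discard(self.pending)  # burn the cell even if the answer is wrong
        return self.pending

    def authorize(self, transaction, response):
        # `transaction` is deliberately unused: the code proves possession of the
        # card, not agreement with the payee or amount. That is why a live
        # man-in-the-middle relay, as Ed Falk notes, is not stopped by this check.
        cell, self.pending = self.pending, None  # one attempt per challenge
        if cell is None:
            return False
        return hmac.compare_digest(self.card[cell].encode(), str(response).encode())

def replay_demo():
    """Replay a code captured in transaction 1 against transaction 2's challenge."""
    card = constructed_card()
    bank = GridCardVerifier(card)
    first = bank.challenge()
    captured = card[first]                        # what a passive eavesdropper sees
    ok_first = bank.authorize("tx-1", captured)
    second = bank.challenge()
    ok_replay = bank.authorize("tx-2", captured)  # stale code, different cell
    return first != second, ok_first, ok_replay

if __name__ == "__main__":
    print(replay_demo())
```

Binding the response to the transaction details, rather than only to a card cell, is what the check above lacks.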

