

Adam has pointed out a friend's new blog with a set of interesting posts, most about security, some about authentication, and one in particular about Passmark's Sitekey - now deployed by Bank of America - and the issues he has with it. They fall into two categories: predictions about user interaction, and security.

So sometimes B-of-A will ask the questions and sometimes it won't, depending upon the cookies. Sometimes it shows the image right away, and sometimes it first asks the challenge questions. Somehow, the customer is supposed to understand all this, and the next time he or she is phished, figure out that something important (the image) is missing. So there's a lot of set up, and some rather generous predictions around customer sophistication.

The bigger problem, though, is that Sitekey utterly fails to defeat phishing or malware attacks. What stops phishers from simply logging into the bank at the same time that the victim is logged into the spoof site? The phishers pass the challenge questions from the bank to the customer, and shuttle the responses right back. The bank then exposes the trusted image to the phisher, which uses it to prompt the customer for the password.

Further, he offers the following:

Until banks adopt all 3 of the following (easy and inexpensive) authentication methodologies, I'll continue to bank offline:

1. Authenticate the transaction
Don't let slipstreamers take over my validly opened online session only to execute unauthorized transactions.

2. Escalated Response
If my bank profiles transaction risk and escalates authentication based on that risk, I won't have to deal with inconvenient security mechanisms except when it really matters. And when it matters (e.g. cash transfers), I will be pleased to see the escalated security.

3. Multi-channel authentication
This method involves a computer that calls the customer on a separate network (POTS, cell phone, SMS) to prompt the customer for an authorization code. Unlike multi-factor authentication, multi-channel authentication is not defeatable by slipstreamers and man-in-the-middle attacks. It's also much less expensive, and can cheaply layer on biometric security by analyzing the voice pattern of the person at the other end of the phone line.

So now you see why I like him: WiKID is a multi-channel authentication system that can authenticate transactions as well as sessions. The key difference is that unlike a POTS dialer or SMS, WiKID is cryptographically secure.
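As an added illustration of points 1 and 3 above (example code written for this post, not WiKID's or any bank's implementation), here is one way a bank can tie an out-of-band confirmation code to the transaction itself: the code is an HMAC over the amount, destination and session, read out to the customer over a separate channel, and only verifies against the transaction the bank actually holds. The key, field names and code derivation are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed key for the example only; a real deployment keeps this in an HSM or secret store.
SERVER_KEY = b"constructed-example-key-not-for-production"


@dataclass(frozen=True)
class Transaction:
    session_id: str
    account_from: str
    account_to: str
    amount_cents: int


def derive_code(tx: Transaction, nonce: str, digits: int = 6) -> str:
    """Derive a short numeric code from every transaction field plus a per-request nonce.
    Because destination and amount are inside the MAC, the code authorizes only this
    exact transfer; a code read out for one transfer cannot approve a different one."""
    msg = f"{tx.session_id}|{tx.account_from}|{tx.account_to}|{tx.amount_cents}|{nonce}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**digits).zfill(digits)


def issue_code(tx: Transaction, nonce: Optional[str] = None) -> Tuple[str, str, str]:
    """Bank side, step 1: create the nonce, the code and the message that goes out over
    the separate channel (voice call or SMS). The message spells out the amount and
    destination the bank actually received, so a customer whose session was hijacked
    sees the altered details and can refuse. Returns (nonce, code, message)."""
    nonce = nonce or secrets.token_hex(8)
    code = derive_code(tx, nonce)
    message = (f"Confirm transfer of ${tx.amount_cents / 100:.2f} "
               f"from {tx.account_from} to {tx.account_to}. Code: {code}")
    return nonce, code, message


def verify_code(submitted: Transaction, nonce: str, code: str) -> bool:
    """Bank side, step 2: recompute the code over the transaction as it exists in the
    web session now. If any field changed after the customer approved it, or the code
    is replayed against another transfer or nonce, the constant-time comparison fails."""
    return hmac.compare_digest(derive_code(submitted, nonce), code)
```

The nonce is stored with the pending transaction on the bank side; the customer never handles it, only the six-digit code and the spoken or texted summary.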
