Friday, April 13, 2007

Alliance and Leicester customers at risk as anti-phishing security shown to be flawed?

Alliance and Leicester bank customers should beware: security online is a delicate thing, so don't be fooled into a false sense of security. The same goes for other UK banking customers, who may soon find their bank accounts compromised as a result of believing the hype.

What I am referring to is the use of RSA's security product for online banking known as PassMark, which Alliance and Leicester is using and other UK banks are considering. PassMark works on the principle that an extra layer of security is added to the banking login process to protect against phishing attacks.

Essentially, the user is given a secret image; the bank displays this image after the first stage of login and then requests additional security details. The theory goes that if you inadvertently hit a fake site, this extra layer of security on the bank's side will stop the harvesting of your full security credentials. As I say, that's the "theory".

However, the security researcher Chris Soghoian (whom some may remember from earlier posts) has provided a demonstration on his blog detailing how this technology is open to a quite simple "man in the middle" attack. His research and posting have caused a bit of a stir in the US, as the Bank of America uses the product.

I'm going to do my best to explain the problem simply. The user receives a phishing email directing them to a fake bank site. The user enters login details on the fake bank site. The fake bank site sends the login details to the real bank site and receives the web page data and image in return. The fake bank site renders the page with the genuine content from the bank. The user enters the pass phrase for the "secret" image. The scammers spend the user's money.
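As an added illustration (not part of the original post, and not RSA's or any bank's code), here is a toy model of the flow just described: a fake site that simply relays each stage to the real bank passes the secret-image check unchanged, and only a check of where the page actually came from, which the image cannot provide, stops the second-stage credential being handed over. All hostnames, account records, images and credentials are constructed.

```python
"""Toy model of a two-stage 'secret image' login and a relaying fake site."""

# Constructed bank records: username -> (stage-1 password, secret image, passphrase)
ACCOUNTS = {"alice": ("pw-stage1", "img:sailboat", "blue harbour")}

class Bank:
    host = "bank.example"  # constructed hostname of the genuine site

    def stage1(self, user, password):
        """Return the user's secret image if the stage-1 credentials are right."""
        rec = ACCOUNTS.get(user)
        return rec[1] if rec and rec[0] == password else None

    def stage2(self, user, passphrase):
        """Accept the second-stage passphrase."""
        rec = ACCOUNTS.get(user)
        return bool(rec and rec[2] == passphrase)

class RelaySite:
    """Fake site: forwards each stage to the real bank and records what it sees.
    Because the image comes back from the bank itself, the relay never has to know it."""
    host = "bank-secure-login.example"  # constructed look-alike hostname

    def __init__(self, bank):
        self.bank, self.captured = bank, []

    def stage1(self, user, password):
        self.captured.append((user, password))
        return self.bank.stage1(user, password)  # genuine image passes straight through

    def stage2(self, user, passphrase):
        self.captured.append((user, passphrase))
        return self.bank.stage2(user, passphrase)

def login(site, user, password, image, passphrase, check_host=None):
    """Model the customer. With check_host=None the customer trusts the image alone
    (the behaviour the bank's wording encourages); otherwise the customer also
    checks the site's hostname before giving the second-stage passphrase."""
    if check_host is not None and site.host != check_host:
        return "abort:host"
    if site.stage1(user, password) != image:
        return "abort:image"
    return "ok" if site.stage2(user, passphrase) else "fail"

def demo():
    """Run the same customer against the relay, first trusting only the image,
    then also checking the hostname. Returns both outcomes and what the relay captured."""
    relay = RelaySite(Bank())
    image_only = login(relay, "alice", "pw-stage1", "img:sailboat", "blue harbour")
    with_host = login(relay, "alice", "pw-stage1", "img:sailboat", "blue harbour",
                      check_host=Bank.host)
    return image_only, with_host, len(relay.captured)
```

In the image-only run the login reports success and the relay has recorded both the password and the passphrase; the hostname-checking run aborts before any credential is sent.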

I'm not sure of the stage at which UK banks are considering taking on this technology, but what is for certain is that when a bank says you can be "assured that you are logging in to the genuine Alliance & Leicester Internet Banking website because we will identify our site to you using your unique image and phrase combination.", that is not strictly accurate.

Whilst this scheme may have a role to play in protecting against online fraud and scamming, it is by no means the total solution, and it appears to be just a little bit flawed. My personal fear is that, as with so many "security" products, it will be pitched to customers in ways that encourage a sense of security that is totally misplaced.
