Fw: Study Finds Security Flaws on Web Sites of Major Banks - New York Times (http://www.nytimes.com/2007/02/05/technology/05secure.html?_r=1&th=&oref=slogin&emc=th&pagewanted=print)

February 5, 2007
Study Finds Security Flaws on Web Sites of Major Banks 
By BRAD STONE
Internet security experts have long known that simple passwords do not 
fully defend online bank accounts from determined fraud artists. Now a 
study suggests that a popular secondary security measure provides little 
additional protection.
The study, produced jointly by researchers at Harvard and the 
Massachusetts Institute of Technology, looked at a technology called 
site-authentication images. In the system, currently used by financial 
institutions like Bank of America, ING Direct and Vanguard, online banking 
customers are asked to select an image, like a dog or chess piece, that 
they will see every time they log in to their account.
The idea is that if customers do not see their image, they could be at a 
fraudulent Web site, dummied up to look like their bank's, and should not 
enter their passwords.
The Harvard and M.I.T. researchers tested that hypothesis. In October, 
they brought 67 Bank of America customers in the Boston area into a 
controlled environment and asked them to conduct routine online banking 
activities, like looking up account balances. But the researchers had 
secretly withdrawn the images.
Of 60 participants who got that far into the study and whose results could 
be verified, 58 entered passwords anyway. Only two chose not to log on, 
citing security concerns.
"The premise is that site-authentication images increase security because 
customers will not enter their passwords if they do not see the correct 
image," said Stuart Schechter, a computer scientist at the M.I.T. Lincoln 
Laboratory. "From the study we learned that the premise is right less than 
10 percent of the time."
He added: "If a bank were to ask me if they should deploy it, I would say 
no, wait for something better."
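As an added check on the numbers above (example code written for this page, not part of the article or of the Harvard and M.I.T. study): the only inputs are the article's own counts, 60 verified participants and 2 who declined to log in when the image was missing. The block computes the observed rate at which the image check actually stopped a login and a 95% Wilson score interval around it, which is how a practitioner would judge what a sample of this size can say about a control that depends on user behaviour.

```python
"""Sample-size check for the user-study result quoted in the article.

Constructed example: the counts below are the article's figures
(60 verified participants, 2 who refused to enter a password when the
site-authentication image was absent). Everything else is ordinary
binomial-proportion statistics.
"""
from math import sqrt

# Counts taken from the article.
PARTICIPANTS_VERIFIED = 60
DECLINED_TO_LOG_IN = 2

Z_95 = 1.96  # two-sided 95% normal quantile


def wilson_interval(successes: int, trials: int, z: float = Z_95) -> tuple[float, float]:
    """Return the (lower, upper) Wilson score interval for a binomial proportion.

    The naive p +/- z*sqrt(p(1-p)/n) collapses when the count is near zero,
    as it is here; the Wilson interval stays sensible in that regime.
    """
    if trials <= 0:
        raise ValueError("trials must be positive")
    if not 0 <= successes <= trials:
        raise ValueError("successes must lie in [0, trials]")
    p_hat = successes / trials
    z2 = z * z
    denom = 1 + z2 / trials
    centre = (p_hat + z2 / (2 * trials)) / denom
    half_width = z * sqrt(p_hat * (1 - p_hat) / trials + z2 / (4 * trials * trials)) / denom
    return max(0.0, centre - half_width), min(1.0, centre + half_width)


def control_effectiveness(refused: int, verified: int) -> dict[str, float]:
    """How often the control worked: observed rate plus its 95% interval."""
    lower, upper = wilson_interval(refused, verified)
    return {
        "observed_rate": refused / verified,
        "ci95_lower": lower,
        "ci95_upper": upper,
    }


if __name__ == "__main__":
    result = control_effectiveness(DECLINED_TO_LOG_IN, PARTICIPANTS_VERIFIED)
    print(f"Control worked for {DECLINED_TO_LOG_IN}/{PARTICIPANTS_VERIFIED} "
          f"= {result['observed_rate']:.1%} of participants")
    print(f"95% Wilson interval: {result['ci95_lower']:.1%} to {result['ci95_upper']:.1%}")
```

On the article's figures the observed rate is about 3.3 percent and the interval runs from roughly 0.9 percent to about 11 percent, so the point estimate sits well under the 10 percent Schechter cites while a sample of 60 alone does not quite exclude a somewhat higher true rate. The same function applies to any control whose effect is a yes/no outcome per user, such as a warning dialog or a certificate error page.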
The system has some high-power supporters in the financial services world, 
many trying to comply with new online banking regulations. In 2005, the 
Federal Financial Institutions Examination Council, an interagency body of 
federal banking regulators, determined that passwords alone did not 
effectively thwart intruders like identity thieves. 
It issued new guidelines, asking financial Web sites to find better ways 
for banks and customers to identify each other online. January 2007 was 
set as the compliance date, though the council has yet to begin enforcing 
the mandate.
Banks immediately knew what they did not want to do: ask customers to 
download new security software, or carry around hardware devices that feed 
them PIN codes they can use to authenticate their identities. Both 
solutions would add an extra layer of security but, the banks believed, 
detract from the convenience of online banking.
The image system, introduced in 2004 by a Silicon Valley firm called 
PassMark Security, offered banks a pain-free addition to their security 
arsenals. Bank of America was among the first to adopt it, in June 2005, 
under the brand name SiteKey, asking its 21 million Web site users to 
select an image from thousands of possible choices and to choose a unique 
phrase they would see every time they logged in.
SiteKey "gives our customers a fairly easy way of authenticating the Bank 
of America Web site," said Sanjay Gupta, an e-commerce executive at the 
bank. "It was very well received."
The Harvard and M.I.T. researchers, however, found that most online 
banking customers did not notice when the SiteKey images were absent. When 
respondents logged in during the study, they saw a site maintenance 
message on the screen where their image and phrases should have been 
pictured. The error message also had a conspicuous spelling mistake, 
further suggesting something fishy.
Mr. Gupta of Bank of America said he was not troubled by the results of 
the survey, and stressed that SiteKey had made the bank's Web site more 
secure. He also said that the system was only a single part of a larger 
security blanket. "It's not like we're betting the bank on SiteKey," he 
said.
Most financial institutions, like Bank of America, have other ways to tell 
if a customer is legitimate. The banks often drop a small software 
program, called a cookie, onto a user's PC to associate the computer with 
the customer. If the customer logs in from another machine, he may be 
asked personal questions, like his mother's maiden name.
Rachna Dhamija, the Harvard researcher who conducted the study, points out 
that swindlers can use their dummy Web sites to ask customers those 
personal questions. She said that the study demonstrated that 
site-authentication images are fundamentally flawed and, worse, might 
actually detract from security by giving users a false sense of 
confidence. 
RSA Security, the company that bought PassMark last year, "has a lot of 
great data on how SiteKey instills trust and confidence and good feelings 
in their customers," Ms. Dhamija said. "Ultimately that might be why they 
adopted it. Sometimes the appearance of security is more important than 
security itself."

Received on Monday, 5 February 2007 18:32:46 UTC