False security: Is Bank of America lying to its customers?

A bank that guarantees its online users safety and security has direct evidence that its Web-based banking system may not be 100 percent bullet-proof.

Should that bank tell its customers? And if it doesn't, is it misleading, or even worse, lying, to them?

Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon. Instead of having its customers log in with just a user name and password, these new schemes require some third bit of information.

Some banks choose to issue their customers a cryptographic hardware token (a keychain with a digital display that spits out a new random number every 60 seconds). Others, especially those banks with less profitable customers, have opted to instead adopt software solutions. The advantage of this, of course, being that they don't have to spend any money to send widgets out to their customers.

BofA's SiteKey two-factor authentication system is essentially a rebadged version of the PassMark system sold by RSA/EMC. Other banks that have licensed the technology include Pentagon Federal Credit Union, Vanguard, and U.K.-based bank Alliance & Leicester. Users of SiteKey and similar systems select a graphical image and phrase, which are then displayed to them every time they login to the Bank of America Web site from "trusted" computer (that is, one that BofA has seen before).

According to Bank of America's own numbers (PDF), over 21 million customers use their online banking system. BofA's Web site promises customers that the SiteKey system will keep them safe, stating: "You know it's really us--when you see your SiteKey, you can be certain you're at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."

The problem is that all of these schemes--every single one of them--is vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.

On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system. Finally in April 2007, Professor Markus Jakobsson and I announced a working demo of a successful man-in-the-middle attack against SiteKey. Based on advice from lawyers, we did not release an easy-to-use version of the system, nor were we able to provide access to the demo to others online. To provide the factual support for our claims and to demonstrate how relatively easy such an attack would be to perform, we released a screen-captured video of the demo, as well as source code that would allow an advanced user to download the SiteKey image from any remote, untrusted machine.

Our demo got quite a bit of press attention, with mentions in The Register, ZDNet and The Washington Post. One of the main points we tried to make when we put our demo online is that Bank of America is promising its customers something impossible. By telling users that the SiteKey image guarantees they are visiting BofA's Web site--and not a phishing page--Bank of America is giving its users a false sense of security. Were BofA to instead acknowledge the risks of phishing and man-in-the-middle attacks, users might be more cautious when logging into suspect Web sites.

Shortly after we released the demo, Louie Gasparini, chief technology officer for RSA's Site to User Authentication group was interviewed by Brian Krebs at The Washington Post. He said that our attack demo "overlooks a number of back-end technologies that financial institutions use to detect fraudulent transactions."

"What they're critiquing is just the most visible piece to this technology," Gasparini added. "There is a whole bunch of risk management and fraud detection that goes on behind the scenes so that even if a user's account does get compromised, the bank can still protect that person."

Gasparini's comments mirror those of Betty Riess, a spokeswoman for Bank of America with whom I chatted on Tuesday. Reiss made it a point to mention that SiteKey is just one part of BofA's multipronged approach to security. However, she declined to comment further when specifically asked if the text on the SiteKey page is misleading, or if Bank of America has a responsibility to be honest with its users about the risks of man-in-the-middle attacks.

Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?

Watch our video of the man-in-the-middle attack against the SiteKey system, read Bank of America's promises of safety and security on its Web site, and decide for yourself.