Chapter 37. Improving Authentication

Bank of America is the largest financial institution in the world. Lots of consumers, myself included, use it for online banking. It also cares a lot about security, and has been progressive in adopting technologies. But even though it has all sorts of great things going on security-wise, I don’t like authenticating to its site.

One technology Bank of America adopted long ago is SiteKey, which I think is pretty close to valueless. The basic idea is that when you register for an account, you choose from a large library of images (Figure 37-1). The image you choose is your SiteKey.

Figure 37-1. Choosing a SiteKey image

Then, when you go to log in later, here’s what happens:

  1. You type in your username.

  2. Bank of America shows the SiteKey image you selected before.

  3. If you agree it’s your SiteKey image, you type in your password.

What’s the point of the extra step? Bank of America wants you to recognize phishing sites, because it hopes phishing sites won’t know your SiteKey. I suppose it hopes that the bad guy will pick a picture at random, and you’ll know when you see the wrong one.
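The three-step flow above, written out as a toy model so the dependencies are explicit. This is an added example for this chapter, not code from the book or from Bank of America: the account store, the image library, the phishing pages and the simulated user are all constructed here, and the real deployment's device recognition and challenge questions are left out. The genuine site serves the image on the strength of the username alone and only then checks the password; the phishing page either guesses an image from the library (the random pick the bank is hoping for) or skips the SiteKey step entirely (the first problem raised below), and whether that second trick works turns purely on whether the user notices that no image appeared.

```python
"""Toy model of the SiteKey-style login flow described above.

Added example for this chapter, not code from the book or from Bank of
America.  The account store, the image library, the phishing pages and the
simulated users are all constructed here.  Real SiteKey deployments also use
device recognition and challenge questions, which this model leaves out.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMAGE_LIBRARY = ["lighthouse.png", "red_barn.png", "sailboat.png", "oak_tree.png"]


@dataclass
class Account:
    password: str
    sitekey: str  # image chosen at registration (Figure 37-1)


class Bank:
    """The genuine site: image after the username, password check after the image."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str, sitekey: str) -> None:
        if sitekey not in IMAGE_LIBRARY:
            raise ValueError("SiteKey must be chosen from the image library")
        self.accounts[username] = Account(password, sitekey)

    def show_sitekey(self, username: str) -> Optional[str]:
        """Steps 1-2: the image is served on the strength of the username alone."""
        acct = self.accounts.get(username)
        return acct.sitekey if acct else None

    def check_password(self, username: str, password: str) -> bool:
        """Step 3: reached only after the user has accepted the image."""
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct.password, password)


class PhishingSite:
    """A look-alike page.  guess=None omits the SiteKey step entirely; a filename
    models an attacker who picks a picture at random and hopes it matches."""

    def __init__(self, guess: Optional[str] = None) -> None:
        self.guess = guess
        self.stolen: List[Tuple[str, str]] = []

    def show_sitekey(self, username: str) -> Optional[str]:
        return self.guess

    def check_password(self, username: str, password: str) -> bool:
        self.stolen.append((username, password))  # the whole point of the phish
        return True  # and pretend the login succeeded


def attempt_login(site, username: str, password: str, expected_sitekey: str,
                  notices_missing_image: bool) -> str:
    """Simulate a user running steps 1-3 against `site`.

    Returns "aborted" if the user refuses to type the password, otherwise the
    outcome of the password check ("logged_in" or "rejected")."""
    shown = site.show_sitekey(username)
    if shown is None:
        if notices_missing_image:
            return "aborted"  # careful user: no image means this is not my bank
        # inattentive user: does not register that the image is missing
    elif shown != expected_sitekey:
        return "aborted"  # the case SiteKey is designed to catch
    return "logged_in" if site.check_password(username, password) else "rejected"


def run_scenarios() -> Dict[str, object]:
    """Run the cases discussed in the chapter and report what happened in each."""
    bank = Bank()
    bank.register("alice", "correct horse battery staple", "red_barn.png")
    creds = ("alice", "correct horse battery staple", "red_barn.png")

    wrong_guess = PhishingSite(guess="lighthouse.png")  # random pick, wrong image
    no_image_careful = PhishingSite()
    no_image_careless = PhishingSite()

    results: Dict[str, object] = {
        "genuine site": attempt_login(bank, *creds, notices_missing_image=True),
        "wrong image shown": attempt_login(wrong_guess, *creds, notices_missing_image=True),
        "no image, attentive user": attempt_login(no_image_careful, *creds,
                                                  notices_missing_image=True),
        "no image, inattentive user": attempt_login(no_image_careless, *creds,
                                                    notices_missing_image=False),
    }
    results["passwords stolen"] = (len(wrong_guess.stolen) + len(no_image_careful.stolen)
                                   + len(no_image_careless.stolen))
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:28} {outcome}")
```

Running the script prints one line per scenario. The only scenario that leaks a password is the phishing page with no image at all shown to a user who does not notice its absence; the image check itself never fires there, because there is nothing to compare against.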

Maybe most people would notice and care if the bad guy selected the wrong image to show you, but, so what? There are two big problems here.

First, the bad guy can show you a phishing site that doesn’t have a SiteKey at all. Most people probably won’t notice, particularly because most ...

Get The Myths of Security now with the O’Reilly learning platform.
