Fraud Vulnerabilities in SiteKey Security at Bank of America
The SiteKey anti-phishing system used by Bank of America and other financial institutions is susceptible to a real-time exploit in which an attacker can create a fake web page that includes a victim's correct, secret SiteKey image, text phrase and challenge questions. This paper discusses the customer-facing implementation of SiteKey as seen from a web browser, the reasons for its vulnerabilities, the risks posed by its design and by its persistent storage of a security-weakening token, and the means by which those vulnerabilities could be exploited.
Possible improvements are proposed, though the accompanying discussion argues that the single-ended authentication used by SiteKey and other systems is not a sufficient deterrent to phishing or other online frauds. Also included is a brief summary of a discussion between the author and representatives of Bank of America and RSA Security regarding the paper and the bank's overall approach to customer safety and security. This report does not provide source code or detailed instructions about carrying out the described attacks.