Why SiteKey Can't Save You [ PDF ]

This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been simplified, and some new material is presented.

SiteKey shows web banking customers a "secret image" - a little icon of a mandolin or a coffee mug or something else - that only the customer and the bank are supposed to know. Customers of SiteKey-using banks are told that if their correct secret image appears on a purported bank web page, they can be sure that they are connected to the bank's real web site, and can safely enter passwords and other secrets.

However, criminals who can write simple server software, or who hire someone to write such software, can create fake bank web sites that look just like the real thing, and that display correct, "secret" SiteKey images to unsuspecting victims.
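A toy model of the exchange just described, added here as an illustration and not code from the paper or from any bank: the origin names and the username-to-image table are constructed. It shows why the image is no evidence of which site you are on: the image check passes equally for the genuine site and for a look-alike that simply forwards the username, so the only check with discriminating power is the one on the verified origin.

```python
# Constructed sample data: the bank's table of username -> secret image.
BANK_SITEKEYS = {"alice": "mandolin", "bob": "coffee mug"}


class RealBank:
    """The genuine site. Hypothetical origin name."""
    origin = "bank.example"

    def __init__(self):
        self.received_passwords = []

    def sitekey_for(self, username):
        # The image is revealed on the username alone, before any password.
        return BANK_SITEKEYS.get(username)

    def submit_password(self, username, password):
        self.received_passwords.append((username, password))


class LookalikeSite:
    """A site that forwards the username upstream and echoes the answer."""
    origin = "bank-login.example.net"   # hypothetical look-alike origin

    def __init__(self, upstream):
        self.upstream = upstream
        self.received_passwords = []

    def sitekey_for(self, username):
        return self.upstream.sitekey_for(username)

    def submit_password(self, username, password):
        self.received_passwords.append((username, password))


def image_check(site, username, expected_image):
    """The check customers are told to rely on."""
    return site.sitekey_for(username) == expected_image


def origin_check(site, expected_origin):
    """The check that actually separates the two sites."""
    return site.origin == expected_origin


def customer_session(site, username, expected_image, expected_origin, password):
    """Returns which checks passed and which origin ended up with the password."""
    image_ok = image_check(site, username, expected_image)
    origin_ok = origin_check(site, expected_origin)
    if image_ok:                      # the customer trusts the image alone
        site.submit_password(username, password)
    return {"image_ok": image_ok, "origin_ok": origin_ok,
            "password_went_to": site.origin if image_ok else None}
```

Run both sessions with the same username and expected image: the result differs only in `origin_ok`, which is what a browser's certificate and address-bar check provides and the picture does not.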

If you are an online banking customer, this means that even if you see your personal SiteKey image on a web page, the page may not be legitimate. When entering your password or answering a security question, picture or not, you could be giving away secrets to an overseas crime ring, rather than logging on to a bank account. A bank using SiteKey is no less secure than any other online bank - it's just not appreciably more secure than the others. Never let your guard down just because you see your correct, personal SiteKey image.

