

Bank of America SiteKey man-in-the-middle attack demonstration - DavidSJ
http://www.phishcops.com/sitekeyMITM.asp

======
ggrot
The argument the demonstrators make is that the SiteKey protection is useless.
I would counter that this is not the case. Their demonstration does illustrate
that the man-in-the-middle attack can work for a small number of phishing
attacks.

The attacker gives up something in order to pull the man-in-the-middle attack
off that they wouldn't otherwise need to. The server that is running the
attack has to actually make an HTTP request to Bank of America in real time.
It need not be that exact server, but some server has to do this.

If it is a real web server, Bank of America could do interesting things if
they are suspicious of the login, for example probing port 80 (in real time or
asynchronously). Or, keeping a database of IP addresses that are known to be
ISPs versus datacenters (presumably the demonstration was done from an ISP IP
address).

If the attacker somehow re-routes the request through a real ISP in real time,
it becomes easier to track the attacker in the real (legal) world. Now all of
a sudden the ISP knows the address of the attacker, can track down the
machine doing the attacking, etc.

In either case, Bank of America can detect the attack very quickly because of
a large number of unique connections from the same IP address.

If the attacker goes one step further and re-routes the SiteKey requests
through a botnet, then Bank of America loses a lot of defenses. The botnet is
on real machines on real ISPs and always a different IP address. But this
makes it much harder for the attacker to pull off because they have to set up
a botnet.

~~~
wmf
The referrer might also give the phishers away, although maybe you could
combine the MITM with clickjacking so that the referrer would be correct.

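The detection idea in the two comments above (many distinct accounts fetching their SiteKey image from one address, that address sitting in datacenter space, and a referrer that is not the bank's own login page), as an added example that is not from the thread or from any bank's code. The log format, the datacenter prefix list and the sample lines are all constructed for illustration.

```python
# Added example: flag SiteKey image lookups that look relayed through a
# single man-in-the-middle server. Assumes a constructed log format of one
# line per lookup: "<client ip> <username> <referer>" ("-" = no referer).
import ipaddress
from collections import defaultdict

# Constructed: address space an operator has classified as hosting/datacenter.
DATACENTER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed: the only page from which a genuine browser fetches the image.
EXPECTED_REFERER = "https://www.bank.example/login"

def parse_line(line):
    """Split one constructed log line into (ip, username, referer)."""
    ip, user, referer = line.split()
    return ip, user, referer

def analyse(lines, max_users_per_ip=3):
    """Return {ip: [reasons]} for source IPs whose lookups look relayed."""
    users_by_ip = defaultdict(set)
    bad_referer = defaultdict(int)
    for line in lines:
        ip, user, referer = parse_line(line)
        users_by_ip[ip].add(user)
        if referer != EXPECTED_REFERER:
            bad_referer[ip] += 1
    flagged = {}
    for ip, users in users_by_ip.items():
        reasons = []
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in DATACENTER_PREFIXES):
            reasons.append("source is in datacenter address space")
        if len(users) > max_users_per_ip:
            reasons.append(f"{len(users)} distinct usernames from one address")
        if bad_referer[ip]:
            reasons.append(f"{bad_referer[ip]} lookups without the login-page referer")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample: two home users plus one relay host serving four victims.
SAMPLE_LOG = [
    "198.51.100.20 alice https://www.bank.example/login",
    "198.51.100.21 bob https://www.bank.example/login",
    "203.0.113.7 carol -",
    "203.0.113.7 dave -",
    "203.0.113.7 erin -",
    "203.0.113.7 frank -",
]

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Any one signal alone is weak (a corporate NAT also shows many users per address), which is why the function collects reasons per address rather than deciding on a single one.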
------
mattmaroon
Ha, I sent three different online banks emails about this crap over a year
ago, telling them that their stupid images and placing logins and passwords on
separate pages were nothing but annoying.

Unfortunately, even if they watch this video demonstration, they will do
nothing about it. Those images exist only to make customers feel more secure,
because we've all come to equate security with annoyance.

------
grhino
While this is a good demonstration of phishing, it's not very technically
challenging.

Approaches to preventing phishing attacks rely on SSL certificates, phishing
filters, and browsers making it hard for inexperienced users to make silly
mistakes.

------
mseebach
Why not client certificates? I'm pretty sure that's what my bank uses; they've
got a Java applet that talks to a small binary file in my home drive. The
technology is simple (to implement) and well proven, and guarantees security
end-to-end.

What is BoA trying to accomplish? Easierness?

------
mstefff
pretty cool..

just highlights how incredibly stupid 99% of internet users really are though
- to not even check the address of the site they are on.

~~~
tomsaffell
It isn't about stupidity. If we can all use the latest technologies when we're
60 years old without getting a little confused, then I'll be impressed, and we're
not stupid.

