Monday, February 5, 2007

Security: Great Ideas with Bad Implementation (BoA SiteKey)

Recently, I came across a New York Times article on a study conducted by Harvard and MIT researchers about the SiteKey security technology implemented by the Bank of America.

The key idea of the technology is that human beings remember pictures and images much better than text. As a result, the site complements the use of text based passwords (instead of eliminating them) with a configurable image identifying the bank account. The users of the bank account can choose an image from thousands of images and later make sure that when logging into their bank account - they enter their password only upon seeing the right image on the login page. The selection and delivery of the image happens over SSL (secured encrypted channel) and is account specific, making it hard for fraudulent sites to randomly guess the right image from the huge list for each account.

Great Idea. But does is actually work ?

Read the details about the Harvard/MIT joint study here -
Study Finds Web Anti-fraud Measure Ineffective

During the study, people simply ignored the image and continued to log into the (fraudulent) site. The study concludes that the idea of such image based authentication is flawed, and that such schemes are completely ineffective. This is not a valid conclusion.

The idea is great, but the implementation sucks. The login page of Bank of America is very badly designed from security perspective. The page is so cluttered with information (sometimes - ads, text and images) that the Harvard/MIT researchers were easily able to create a matching login page with missing SiteKey images, and people were not able to spot this critical difference.

The solution is to completely simplify the login page (look at Google to understand what is simplicity) so that users associate entering the passcode with the SiteKey image, and no text or graphics around the login page can distract their attention into believing anything otherwise while entering their passcode.

Conclusion: The implementation of a security solution is as important as the idea itself.


No comments:

Post a Comment