PassMark's SiteKey - Answering the Wrong Question
by Trevor Bauknight
Published on this site: July 26th, 2005
In my article "Spear-Phishing - New Angles On An Old
Game" (http://www.cafeid.com/art-spear.shtml),
I wrote about a variation on "traditional" e-mail
phishing that has proved to be more effective than indiscriminate
casting of stink-bait into a vast pool of random e-mail addresses.
The increase in effectiveness is the result of more focused
targeting of potential victims through the use of real, usually
stolen, corporate documents and so on that make the bait seem
more legitimate to a much smaller group of recipients. This
week, we take a look at PassMark's SiteKey, the first solution
to be adopted by a major institution in its effort to combat
phishing.
The Charlotte-based Bank of America is in the process of
rolling out its plans to adopt the PassMark system in an effort
to secure its online communications with its 13 million customers
across the country. The Bank should be applauded for implementing
such extensive changes to its online security model in spite
of the fact that phishing is not yet, in and of itself, costing
banks a great deal of money.
What it is costing the bank, however, is online-banking customers.
ConsumerAffairs.com reported late last month (http://www.consumeraffairs.com/news04/2005/gartner.html)
on a Gartner survey that indicated that 14% of those who had
banked online had stopped because of security concerns, and
30% had altered their usage. For financial services companies
like Bank of America that seem intent on removing the element
of human contact once and for all from customer relations,
that lack of confidence has to be disturbing.
As the practice of phishing becomes more and more sophisticated,
so will the effort to combat it; and you can be sure that
effort will be fraught with nominal solutions and opportunistic
hand-waving that provide little more than a false sense of
security. And while PassMark's system is better than nothing,
it fails to address the roots of the problem and may give
consumers the mistaken notion that the problem is someone
else's to solve.
What Is SiteKey?
PassMark calls its system a "Two-Factor Two-Way Authentication" (TM)
system. A two-factor system, according to the PassMark website,
is one that relies on two identifying bits of information
to authenticate a transaction. One factor might be a traditional
password, and the second (the problematic one, apparently),
might be a key fob or even some sort of biometric reader,
items which are "not practical for the consumer market
with millions of users." A two-way authentication system
provides the capability not only for you to prove to the bank
you are who you claim to be, but also for the bank to prove
to you that it is really the bank sending you that e-mail
or presenting you that website page.
To implement the two-factor system, PassMark bypasses traditional
second factors like hardware devices that customers are apparently
too dumb to maintain in their possession. "Even if you
give them away for free," the PassMark website chides,
"many users will forget them or lose them." Instead,
the company takes a look at your computer and creates a unique
"fingerprint" of the machine, consisting of things
like HTTP headers, the IP address, software configuration
and even its geographic location (derived from the IP address).
It then has something to go by the next time you visit the site.
For two-way authentication, SiteKey assigns a secret image
known, ostensibly, only to the customer and to the institution.
Customers logging into the company's website will see the
image and recognize it as a marker that the site is legitimate,
and outgoing e-mail from the company to the customer will
also carry the image to mark legitimate e-mail.
Sounds Great. What's Wrong With It?
The SiteKey system fails, according to IT Security Architect
Doug Ross (http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html),
to address the fundamental
problem of phishing because it leaves the customer susceptible
to the classic "Man in the Middle" false-storefront
attack. Since there's no way to distinguish the customer's
virgin computer from a phisherperson's "malicious, zombie
PC", according to Ross, "the zombie PC could present
a false BofA store-front to the victim and proxy login information
from the user to the bank and any resulting pages and images
from the bank to the victim."
If Bank of America doesn't recognize the computer you're
on, it will ask you one of your "secret questions"
and a correct answer will display the SiteKey. Reasons it
might not recognize your computer include, but aren't limited
to, the possibility that you're on a different computer, that
you're behind a firewall or that you don't allow it to place
the secure cookie.
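To make the mechanism described above concrete, here is a small model of a SiteKey-style login written for this article; it is not PassMark's or Bank of America's code, and the field names, the hash choices and the order of the checks are assumptions. It fingerprints the browser from the kinds of attributes the article lists (HTTP headers and the IP address), shows the secret image when the machine is recognised, and otherwise falls back to the secret question. The constructed sample run walks through the cases just listed: the same browser behind a different address is not recognised, a correct answer enrols the new machine, and the secure cookie by itself is enough afterwards. Note what the model makes visible: the image is released to whoever presents a known cookie or fingerprint or a correct answer, which is exactly why it cannot tell the customer which party is at the other end of the connection.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a SiteKey-style login, written for this article.
# It is not PassMark's code; field names and check order are assumptions.

SALT = b"constructed-demo-salt"  # a real deployment uses a random per-record salt


def hash_answer(answer: str) -> bytes:
    """Hash the secret-question answer so the stored record holds no plaintext."""
    normalised = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, SALT, 100_000)


def device_fingerprint(headers: dict, ip: str) -> str:
    """Fingerprint the machine from the attributes the article lists:
    HTTP headers and the client IP (geolocation is derived from the IP)."""
    material = "|".join([
        headers.get("User-Agent", ""),
        headers.get("Accept-Language", ""),
        headers.get("Accept", ""),
        ip,
    ])
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class Enrollment:
    secret_image: str          # identifier of the image the customer picked
    question: str
    answer_hash: bytes
    known_fingerprints: set = field(default_factory=set)
    cookie_tokens: set = field(default_factory=set)


def recognised(rec: Enrollment, headers: dict, ip: str, cookie: Optional[str]) -> bool:
    """The site 'knows' the computer if either the cookie or the fingerprint matches."""
    if cookie is not None and cookie in rec.cookie_tokens:
        return True
    return device_fingerprint(headers, ip) in rec.known_fingerprints


def login_step(rec: Enrollment, headers: dict, ip: str, cookie: Optional[str] = None):
    """First step after the username is entered: show the image or fall back to a question."""
    if recognised(rec, headers, ip, cookie):
        return ("show_image", rec.secret_image)
    return ("ask_question", rec.question)


def answer_step(rec: Enrollment, answer: str, headers: dict, ip: str):
    """Second step on an unrecognised machine: a correct answer reveals the image and
    enrols this machine (fingerprint plus a fresh cookie) for next time."""
    if not hmac.compare_digest(hash_answer(answer), rec.answer_hash):
        return ("wrong_answer", None, None)
    rec.known_fingerprints.add(device_fingerprint(headers, ip))
    token = secrets.token_hex(16)
    rec.cookie_tokens.add(token)
    return ("show_image", rec.secret_image, token)


def demo():
    # Constructed sample data: one enrolled customer and one home browser.
    home = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
            "Accept-Language": "en-us", "Accept": "text/html"}
    rec = Enrollment(
        secret_image="golden_retriever.jpg",
        question="What was the name of your first pet?",
        answer_hash=hash_answer("Rex"),
        known_fingerprints={device_fingerprint(home, "203.0.113.10")},
    )
    results = {}
    # 1. Same browser, same IP: recognised, image shown straight away.
    results["home"] = login_step(rec, home, "203.0.113.10")
    # 2. Same browser behind a different address (office NAT or firewall): fallback question.
    results["office"] = login_step(rec, home, "198.51.100.7")
    # 3. A wrong answer keeps the image hidden.
    results["bad_answer"] = answer_step(rec, "Fido", home, "198.51.100.7")[0]
    # 4. A correct answer (case and whitespace normalised) reveals the image and enrols the machine.
    status, image, token = answer_step(rec, "rex ", home, "198.51.100.7")
    results["good_answer"] = (status, image)
    # 5. The cookie alone is enough afterwards, even when the fingerprint changes again.
    results["cookie_only"] = login_step(rec, {}, "192.0.2.99", cookie=token)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Running the block prints each of the five outcomes. The fingerprint is deliberately a plain hash of volatile request attributes, which is why a change of address is enough to lose recognition; a production system would weight the attributes rather than require an exact match, but the fallback question and the stored image are the parts the article is concerned with.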
Even if SiteKey does recognize your computer, there's no
indication that you're the one using your computer or that
it is even in your possession. People lose laptops, too, in
a variety of ways.
In addition, and this is probably the most worrying caveat,
given the recent rash of massive security breaches at large
storehouses of personal information, the SiteKey approach
still relies on the storage of images and so on in your personal
records on the merchant's database. Compromise of this data
would leave you just as vulnerable as you'd be if your login
and password were obtained.
Toward A Real Solution
The PassMark system is better than a standard login/password
authentication scheme when it comes to securing the communication
between you and the institution. However, it is Bank of America's
(and, to be fair, most other such institutions') efforts to
cut costs by removing human contact almost entirely from the
customer service equation that has made phishing more and
more lucrative by driving more and more customers to banking
online.
Still, there are ways to improve this process. Ross nails
it in a sidebar relating to the Bank of America website: "isn't
it odd that when you go to the Bank of America site, you immediately
note that the page is presented in cleartext ("http://"),
not SSL ("https://"). The first step to combat phishers
is to provide an SSL connection first time, every time.
Customers need to get used to expecting a secure connection
on every BofA page."
Here at Cafe ID (http://www.cafeid.com),
we agree wholeheartedly. If you have a secure certificate,
actually using it will go a long way toward securing transactions
on your site, certainly further than putting up a cute picture
of a dog and asking the customer to take that as evidence
of a site's legitimacy. Certificate authentication remains
the best way for the company to prove its identity to the
customer. Besides, there's no downside to securing your website,
particularly for companies dealing in online transactions
involving money.
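What "an SSL connection first time, every time" looks like in a web server configuration, as an added example that is not from the article, from Bank of America or from PassMark: an nginx server block that answers every cleartext request with a redirect to the HTTPS site and serves content only over TLS. The host name and certificate paths are placeholders. The Strict-Transport-Security header goes beyond what the article asks for; it was standardised years after this piece was written and tells a browser that has visited once to use HTTPS directly on later visits instead of trying HTTP first.

```nginx
# Added example: force TLS on every page. Host name and paths are placeholders.
server {
    listen 80;
    server_name www.example-bank.test;
    # Serve nothing over cleartext: send every request to the HTTPS site.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example-bank.test;
    ssl_certificate     /etc/ssl/certs/example-bank.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example-bank.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Returning browsers use HTTPS directly for the next year (HSTS, RFC 6797).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/bank;
    }
}
```

With this in place the customer's browser shows the secure-connection indicator on every page of the site, so a page that arrives without it is itself the warning sign the article wants customers to look for.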
With online banking, what customers gain in convenience
they lose in security. It may be time to consider stepping
back a bit from technology's bleeding edge and just go down
to the bank. But the convenience of online banking and bill-paying
cannot be ignored. Customers want this capability, and they
expect banks to work out a solution. Unfortunately, a real
solution to the problem of phishing requires more than clever
challenge-response systems. It requires, first and foremost,
that the end-users take control of their online security rather
than leaving it up to a third party.
How do you do this? Pay attention when you're online. No
reputable companies are going to attempt to conduct important
business via e-mail, and so answering e-mails alerting you
to some problem with your account is generally a bad idea.
Proceed straight to the company's website by typing it into
your browser bar, and if you don't see a secure connection
indicator in your browser, don't enter personal information
about yourself.
The best way to deal with a bank used to be to establish
a solid personal relationship with its human employees; unfortunately,
however, this is becoming an increasingly unworkable option.
I suppose we can hang up the idea of going back to the teller
window; but until better controls are in place on both the
way personal information is communicated and the way it is
stored, suspicion will remain the most effective way of keeping
yourself protected against phishing.
Trevor Bauknight is a web designer and writer with
over 15 years of experience on the Internet. He specializes
in the creation and maintenance of business and personal identity
online and can be reached at [email protected].
Stop by http://www.cafeid.com
for a free tryout of the revolutionary SiteBuildingSystem
and check out our Flash-based website and IMAP e-mail hosting
solutions, complete with live support.