Security Watch
Bank of America Takes on Phishers
To fight identity theft, the bank tries a two-factor authentication process which trades convenience for security.
Privacy
In an attempt to reduce the threat of phishing attacks and subsequent identity
theft, Bank of America plans to introduce two-factor, two-way authentication
to about 13 million online banking customers. Unlike traditional two-factor
authentication, Bank of America's SiteKey approach uses a customer's
PC or handheld device as the second-factor hardware device. Technology from
security company Passmark takes a "fingerprint" of a customer's computer
to verify identification, using HTTP headers, software configurations, hardware
settings, IP address and geographic location.
This is great stuff, assuming you have no need to access your information from
anywhere other than your standard machine in its typical location. If you're
visiting grandma on Thanksgiving, or vacationing at Disney World and need a
bit more cash from a cybercafé, forget it!
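To make the trade-off concrete, here is an added illustration of device-fingerprint matching as a second factor. It is not Passmark's or Bank of America's code, and the attribute names, weights and threshold are assumptions chosen for the example: an exact hash of every attribute rejects the enrolled machine the moment its IP address or location changes, while a weighted score tolerates a trip to grandma's but still forces step-up verification from an unfamiliar cybercafé PC.

```python
import hashlib
import json

# Constructed enrolled profile; attribute names are assumptions for this
# example, not the actual feature set collected by Passmark/SiteKey.
ENROLLED_PC = {
    "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "accept_language": "en-US",
    "screen": "1024x768x32",
    "timezone_offset": -300,
    "installed_fonts_hash": "f0e1d2c3",
    "ip_prefix": "203.0.113",      # constructed, TEST-NET-3 range
    "geo": "Charlotte,NC,US",
}

# Same machine, but connecting from a relative's house in another city.
TRAVELING_SAME_PC = dict(ENROLLED_PC, ip_prefix="198.51.100", geo="Orlando,FL,US")

# A different, unfamiliar cybercafe machine in the same time zone.
CYBERCAFE_PC = {
    "user_agent": "Mozilla/5.0 (Windows; U; Windows NT 5.0) Firefox/1.0",
    "accept_language": "en-US",
    "screen": "800x600x16",
    "timezone_offset": -300,
    "installed_fonts_hash": "9a8b7c6d",
    "ip_prefix": "198.51.100",
    "geo": "Orlando,FL,US",
}

# Assumed weights: attributes that rarely change on a given machine count more.
WEIGHTS = {
    "user_agent": 2, "accept_language": 1, "screen": 2, "timezone_offset": 1,
    "installed_fonts_hash": 3, "ip_prefix": 2, "geo": 2,
}
MAX_SCORE = sum(WEIGHTS.values())   # 13
STEP_UP_THRESHOLD = 9               # assumed policy value


def exact_fingerprint(attrs: dict) -> str:
    """Collapse every attribute into one hash: any single change breaks it."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def match_score(enrolled: dict, observed: dict) -> int:
    """Sum the weights of attributes that still match the enrolled profile."""
    return sum(w for k, w in WEIGHTS.items() if enrolled.get(k) == observed.get(k))


def decide(enrolled: dict, observed: dict, threshold: int = STEP_UP_THRESHOLD) -> str:
    """'trusted' lets the login through; 'step-up' demands an extra challenge."""
    return "trusted" if match_score(enrolled, observed) >= threshold else "step-up"


def evaluate_scenarios() -> dict:
    """Compare the brittle exact hash with the weighted score for each login."""
    enrolled_hash = exact_fingerprint(ENROLLED_PC)
    scenarios = {
        "home_pc": ENROLLED_PC,
        "same_pc_at_grandmas": TRAVELING_SAME_PC,
        "cybercafe_pc": CYBERCAFE_PC,
    }
    return {
        name: {
            "exact_hash_matches": exact_fingerprint(attrs) == enrolled_hash,
            "score": match_score(ENROLLED_PC, attrs),
            "decision": decide(ENROLLED_PC, attrs),
        }
        for name, attrs in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:22s} exact={result['exact_hash_matches']!s:5s} "
              f"score={result['score']:2d}/{MAX_SCORE} -> {result['decision']}")
```

The exact-hash column shows why a naive fingerprint "trades convenience for security": only the home PC in its usual place passes. The weighted score recovers the travelling case but is a policy knob, and the bank has to decide what a step-up challenge looks like from a cybercafé where the customer has nothing but a password.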
The solution sounds very similar to the Windows XP registration process, which
may prompt you to re-register if you significantly change your hardware's configuration
(if, for example, you upgrade your machine).
Even though there are potential issues here, kudos to Bank of America for trying
something; the financial services industry has been mostly sitting on its hands
through the phishing plague.
Another avenue the company's exploring is the use of images. You select an
image that will come with all the e-mail you get. If the e-mail doesn't contain
the image you selected, you know it isn't from Bank of America.
While this is effective initially, if your system is compromised it becomes
another piece of data being sought by the attackers, the way they look for passwords
and such now. If they're able to determine which image you've picked, subsequent
phishing attempts can (and probably will) include it, possibly fooling you into
thinking they're legitimate.
The European Union apparently is going forward with a requirement that
ISPs and the Telcos retain all their traffic information for an extended period
of time. The information relates to events only; no content is kept.
But pressure on the EU caused a significant change to the length of time the
data is kept, reducing it from seven years to just one. Of course, once a one-year
provision's in place, it might be easy to increase that interval.
Hacking
Exploit code has been released for the Microsoft Windows COM arbitrary
execution vulnerability patched by MS05-012.
This is a local-only exploit; the attacker must have a valid logon to exploit
this vulnerability. It's highly unlikely that such an exploit will get incorporated
in malware. The MS05-012 patch resolved two different vulnerabilities; this
COM vulnerability was the less serious of the pair.
Hummingbird Connectivity contains two buffer overflow vulnerabilities
that could allow a remote attacker to create a denial of service condition or
execute arbitrary code.
(This column was originally published in our weekly Security Watch newsletter.)
Hummingbird, a UNIX emulator that's been around for some 15 years, runs on
Windows platforms. A lot of UNIX administrators use it. To exploit the Windows
platform running Hummingbird, the system must be configured to run either the
FTP daemon, the line printer daemon (LPD), or both. While it's certainly
possible these daemons are in use on some Windows boxes, it's much more common
to use the Hummingbird client-side tools to connect to actual UNIX daemons.
Therefore, there aren't likely to be a large number of vulnerable systems.
Denial of Service
The New York Stock Exchange was closed early last Wednesday after a communications
problem interrupted trading. The problem was in the Secure Financial Transaction
Infrastructure network implemented after the Sept. 11 terrorist attacks to provide
redundancy.
Governance
Israeli police announced last month that 18 people were arrested in connection
with an industrial espionage scheme. Police say three of the country's largest
private investigation firms had a Trojan program developed and delivered to
competitors' systems through e-mail. The extent of the activity and damage isn't
yet known, but the victimized companies lost competitive bids and thousands
of customers as a result.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.