Bank of America Takes on Phishers
To fight identity theft, the bank tries a two-factor authentication process which trades convenience for security.
In an attempt to reduce the threat of phishing attacks and subsequent identity
theft, Bank of America
plans to introduce two-factor, two-way authentication
to about 13 million online banking customers. Unlike traditional two-factor
authentication, the Bank of America's Sitekey
approach uses a customer's
PC or handheld device as the second-factor hardware device. Technology from
security company Passmark takes a "fingerprint" of a customer's computer
to verify identification, using HHTP headers, software configurations, hardware
settings, IP address and geographic location.
This is great stuff, assuming you have no need to access your information from
anywhere other than your standard machine in its typical location. If you're
visiting grandma on Thanksgiving, or vacationing at Disney World and need a
bit more cash from a cybercafé, forget it!
The solution sounds very similar to the Windows XP registration process, which
may prompt you to re-register if you significantly change your hardware's configuration
(if, for example, you upgrade your machine.)
Even though there are potential issues here, kudos to Bank of America for trying
something; the financial services industry has been mostly sitting on its hands
through the phishing plague.
Another avenue the company's exploring is the use of images. You select an
image that will come with all the e-mail you get. If the e-mail doesn't contain
the image you selected, you know it isn't from Bank of America.
While this is effective initially, if your system is compromised it becomes
another piece of data being sought by the attackers, the way they look for passwords
and such now. If they're able to determine which image you've picked, subsequent
phishing attempts can (and probably will) include it, possibly fooling you into
thinking they're legitimate.
The European Union apparently is going forward with a requirement that
ISPs and the Telcos retain all their traffic information for an extended period
of time. The information relates to events only; no content is kept.
But pressure on the EU caused a significant change to the length of time the
data is kept, reducing it from seven years to just one. Of course, once a one-year
provision's in place, it might be easy to increase that interval.
Exploit code has been released for the Microsoft Windows COM arbitrary
execution vulnerability patched by MS05-012.
This is a local-only exploit; the attacker must have a valid logon to exploit
this vulnerability. It's highly unlikely that such an exploit will get incorporated
in malware. The MS05-012 patch resolved two different vulnerabilities; this
COM vulnerability was the less serious of the pair.
Hummingbird Connectivity contains two buffer overflow vulnerabilities
that could allow a remote attacker to create a denial of service condition or
execute arbitrary code.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
Hummingbird, a UNIX emulator that's been around for some 15 years, runs on
Windows platforms. A lot of UNIX administrators use it. To exploit the Windows
platform running Hummingbird, the system must be configured to run either the
FTP daemon, the line printer daemon (LPD daemon), or both. While it's certainly
possible these daemons are in use on some Windows boxes, it's much more common
to use the Hummingbird client-side tools to connect to actual UNIX daemons.
Therefore, there aren't likely to be a large number of vulnerable systems.
Denial of Service
The New York Stock Exchange was closed early last Wednesday after a communications
problem interrupted trading. The problem was in the Secure Financial Transaction
Infrastructure network implemented after the Sept. 11 terrorist attacks to provide
Israeli police announced last month that 18 people were arrested in connection
with an industrial espionage scheme. Police say three of the country's largest
private investigation firms had a Trojan program developed and delivered to
competitors' systems through e-mail. The extent of the activity and damage isn't
yet known, but the victimized companies lost competitive bids and thousands
of customers as a result.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.