8

My question is regarding the online banking application of a large credit card organisation. The login process for this application works as follows:

  • User visits the homepage of the bank.
  • User enters their username and clicks login.
  • If the username exists they are presented with their unique image and phrase, chosen by the user when they sign up to the online banking application. If the image and phrase are as expected, the user enters their password.
  • If correct, the user is authenticated and has full access to their account, including viewing statements, paying bills, increasing/decreasing credit limits, etc.

The problem I find here is that if one knows the username of a user, they can enter this into the first stage and immediately be presented with the image/phrase combination for that account. An attacker could then easily use this information in a phishing attack against that user.

My question is:

Isn't this a large security flaw?

Addition: In response to the first answer I should add that upon providing a username which does not exist, the application responds with a "Please check the username provided" message.

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
mckiethanks
  • 556
  • 3
  • 12
  • 3
    "If the username exists then show image" - I think here you've made an assumption that I have personally never seen. Usually it is the case that "if the username and password are correct then show image" – Andy Smith Dec 11 '12 at 12:21
  • 1
    That is how the system works though. I know it sounds ridiculous. To be presented with my image/phrase combination all I have to provide is my username. – mckiethanks Dec 11 '12 at 12:25
  • 1
    I have edited to make the question more appropriate here. I think I agree with Andy here- I haven't seen a banking app divulge info like this for years. – Rory Alsop Dec 11 '12 at 12:25
  • 2
    @AndySmith The behavior described in the question is in use by at least one major US mortgage banker: first you enter your user name, then the unique image and phrase are shown, and finally enter your password. Still works that way as of this morning. :( – Mark Beadles Dec 11 '12 at 14:48
  • 1
    This sounds like SiteKey http://en.wikipedia.org/wiki/SiteKey to me. RSA make it, I've never been much of a fan personally for the reasons already in the comments and answers, but it's used by quite a few large organisations including MBNA. – Rory McCune Dec 11 '12 at 15:40
  • This is exactly what SiteKey does. My bank (not MBNA) uses this too, and it's completely useless -- except for being one more interstitial page that they can put ads for banking products on. – Justin ᚅᚔᚈᚄᚒᚔ Dec 11 '12 at 17:15
  • Plenty of banks do this. The point is to "prove" it's the bank, since theoretically only the bank knows the image and passphrase. I [posted a question](http://security.stackexchange.com/questions/19155/effectiveness-of-security-images) about their effectiveness, which is pretty much nil. – Stephen Touset Dec 11 '12 at 20:14
  • I've never seen SiteKey do this. Typically they ask for a username, then they ask for the answer to a secret question, *then* they show the image and the password box. They only show you the image and password box directly after you enter your username if you've already successfully entered a secret key and chosen to remember the computer with a persistent cookie. – Xander Mar 11 '13 at 16:06

4 Answers

9

Yes, this is flawed in two ways:

  1. It allows an attacker to enumerate usernames simply by trying them and checking the response.
  2. It allows an attacker to get your "secret" image using a non-secret piece of information. This amounts to absolutely nothing in terms of security, and is simply theatre.

On top of that, I can see another potential hole: the attacker may not even have to download the images. If all you require is a valid username, what's to stop the attacker from creating a phishing page that uses the same mechanism as the real site to retrieve the picture from the real bank's server?

The correct implementation would be to have two authentication tokens, and only show the image after one of them has been correctly entered. This is usually done via a password and "secret word", but you could equally use a strong second factor like a hardware token.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • 3
    That's an excellent point. A completely untargeted phishing attack could simply forward the username provided to the real server and retrieve the details provided. Purely theatre, I agree. In fact the false sense of security this provides is potentially detrimental to the security of the system overall. – mckiethanks Dec 11 '12 at 12:53
  • If it is being done right, it should be randomizing the image tag and position within the HTML source. It's an obfuscation so not very meaningful, but still protects against the simplest leak attacks by raising the difficulty slightly. That said, if they are not generating consistent images for unused usernames, the real security cost of leaking that information far outweighs the minor benefit of the image system and it also likely does damage because it makes more advanced phishing attacks more convincing. – AJ Henderson Dec 11 '12 at 14:04
  • 3
    @AJHenderson Unlikely to be useful. Regex can easily match image tags, and the parent element can be trivially identified from that. – Polynomial Dec 11 '12 at 14:41
  • @Polynomial - I agree, it adds far less than it costs, I was just trying to explain what the (flawed) reasoning behind it was. It only deters the most incompetent of phishers, though an organization like BoA I know from experience (my inbox) gets a lot of the incredibly dumb phishing attempts. They are taking a break/fix type approach similar to virus scanning, but aren't thinking things through all the way in terms of unintended consequences to user confidence. – AJ Henderson Dec 11 '12 at 14:50
5

The idea behind this is that it prevents a simple static phishing attack, so it does raise the bar to require slightly more complex code to build the phishing site. If done "properly" the image should not be the only image on the page and should have a randomly assigned ID. In theory, this makes it require more effort to phish the page, but doesn't add anything particularly meaningful from the security standpoint since it doesn't actually prevent it from being done. In practice however, it makes a phishing site that does go through the effort to pull the image far more believable to users. There is a nice paper on the topic if you want further reading.

The bigger flaw is that such a system requires that a picture be shown for any valid username. They should be presenting a consistent image for any unused username so that information about valid usernames is not leaked. This is the far bigger concern. The image thing isn't really a concern in itself, since it doesn't hurt anything by itself, but the username issue is a huge increase in attack surface since it removes an entire unknown.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
3

From the Wikipedia page that Rory McCune linked to:

A Harvard study found SiteKey 97% ineffective. In practice, real people don't notice, or don't care, when the SiteKey is missing, according to their results.

SiteKey is designed to prevent users from disclosing their login credentials to a phishing site. The rationale is that a phishing site wouldn't have the SiteKey info for a user. The obvious flaw in the design is that a phishing site can get the correct SiteKey info from the genuine site, then serve it to the user, "proving" its legitimacy. SiteKey is thus susceptible to a man-in-the-middle attack.

It also requires users to keep track of more authentication information. Someone associated with N different websites that use SiteKey must remember N different 4-tuples of information: (site, username, phrase, password).

Don't think I could have said it better myself. Bottom line, if your address bar doesn't turn green when you open your banking site's front page (a feature of most current browser versions indicating the site has presented a valid and highly-trusted EV-SSL certificate), then don't enter your credentials. Anything else the site can provide to you personally to prove its validity is way too easily spoofed.

KeithS
  • 6,678
  • 1
  • 22
  • 38
1

I don't see how this setup would be more vulnerable to phishing attacks than other authentication schemes. This authentication method doesn't make phishing attacks easier; it may make them more technically challenging by forcing the attacker to take the step of visiting the site to get the pictures to display on their fake website, but that's something a skilled attacker would have no problem doing.

This isn't a good method as it doesn't improve the security of a user's banking, but it isn't less secure than simple username/password authentication.

Keep in mind, if an attacker with the right skills has someone's banking username and their email address, chances are they can orchestrate a successful targeted phishing attack no matter what the bank's countermeasures.

The main flaw here is that the site responds, as @mckiethanks says in comments, "Please check username" to unknown usernames. This allows an attacker a useful piece of information, i.e. the username in the first place. The smart way for the bank to design it would be to respond to every attempt with a set of pictures whether the username exists or not.

GdD
  • 17,291
  • 2
  • 41
  • 63
  • 1
    Providing an unknown username causes the page to respond "Please check the username". – mckiethanks Dec 11 '12 at 12:29
  • 6
    It allows an attacker to enumerate all usernames and "security" images. Even easier for targeted attacks. Not secure at all; in fact it's giving users a false sense of security. – Polynomial Dec 11 '12 at 12:33
  • Definitely agree with OP and @Polynomial. – Henning Klevjer Dec 11 '12 at 12:42
  • @mckiethanks, I've edited as a result. How disappointing of them, they really missed a trick! With a bit of imagination they could have had a decent method. – GdD Dec 11 '12 at 12:43
  • @Polynomial, most users don't know enough about these things to gain a false sense of security. The only conceivable benefit to this method is that the attacker has to take the step of visiting the site to get the images in the first place, which is of course offset by the poor implementation. – GdD Dec 11 '12 at 12:45
  • @GdD From the sounds of it, the attacker may not even need to do that. – Polynomial Dec 11 '12 at 12:46
  • @Polynomial, not sure where you mean by that. – GdD Dec 11 '12 at 12:49
  • @GdD See my answer. If the bank's web page can get the images using only a valid username, what's to stop a 3rd party page from doing the same? – Polynomial Dec 11 '12 at 12:51
  • 1
    Nothing, that's exactly my point. An attacker could design a site to pull the images off the bank's page and serve them the same way, then when a user is duped the attacker gets their passphrase and their picture. It's not appreciably different to phishing with just a username and passphrase. It adds no security at all, so it's totally useless. – GdD Dec 11 '12 at 13:16
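Added example, not code from the question or from any of the answers above: a Python sketch contrasting the flow described in the question with the design that Polynomial's answer ("only show the image after one of them has been correctly entered"), AJ Henderson's answer ("a consistent image for any unused username") and GdD's answer ("respond to every attempt with a set of pictures whether the username exists or not") all point at. The hardened lookup releases the real image only after a first token checks out, and for an unknown username or a wrong first token it returns a decoy image and phrase derived from an HMAC over the username with a server-side secret, so the response has the same shape and stays stable across attempts. The user store, decoy gallery, secret words and server secret are constructed sample data; the function names are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample user store. A real deployment would verify the first token
# with a proper password hash (bcrypt/argon2); this stands in for the lookup only.
USERS = {
    "alice": {"image": "sailboat.png", "phrase": "blue harbor", "secret_word": "tulip"},
    "bob": {"image": "mountain.png", "phrase": "morning snow", "secret_word": "granite"},
}

# Constructed decoy gallery: every unknown username maps into the same pool of
# images and words that real accounts draw from, so a decoy looks like an account.
DECOY_IMAGES = ["sailboat.png", "mountain.png", "lighthouse.png", "cactus.png", "bridge.png"]
DECOY_WORDS = ["amber", "river", "quiet", "lantern", "meadow", "copper", "harbor", "maple"]

# Assumption: a server-side secret loaded from configuration, never sent to clients.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def flawed_lookup(username: str) -> dict:
    """The flow from the question: the username alone reveals the image/phrase,
    and an unknown username gets a distinguishable error message."""
    user = USERS.get(username)
    if user is None:
        return {"status": "error", "message": "Please check the username provided"}
    return {"status": "ok", "image": user["image"], "phrase": user["phrase"]}


def _decoy_for(username: str) -> tuple:
    """Deterministic decoy: HMAC(server_secret, username) picks one image and two
    words, so repeated queries for the same unknown username always agree."""
    digest = hmac.new(SERVER_SECRET, username.encode("utf-8"), hashlib.sha256).digest()
    image = DECOY_IMAGES[digest[0] % len(DECOY_IMAGES)]
    phrase = " ".join(DECOY_WORDS[b % len(DECOY_WORDS)] for b in digest[1:3])
    return image, phrase


def hardened_lookup(username: str, secret_word: str) -> dict:
    """Image released only after the first token verifies. Unknown usernames and
    wrong tokens both fall through to the per-username decoy, so neither branch
    tells the caller whether the account exists."""
    user = USERS.get(username)
    if user is not None and hmac.compare_digest(
        user["secret_word"].encode("utf-8"), secret_word.encode("utf-8")
    ):
        return {"status": "ok", "image": user["image"], "phrase": user["phrase"]}
    image, phrase = _decoy_for(username)
    return {"status": "ok", "image": image, "phrase": phrase}


def responses_same_shape(r1: dict, r2: dict) -> bool:
    """True when two responses carry the same status and the same set of fields,
    i.e. a client cannot tell them apart by structure alone."""
    return r1["status"] == r2["status"] and set(r1) == set(r2)


if __name__ == "__main__":
    # Unknown username: the flawed flow leaks, the hardened flow does not.
    print(flawed_lookup("nobody"))
    print(hardened_lookup("nobody", "anything"))
    # Real account, wrong first token: still a decoy, same shape as an unknown user.
    print(hardened_lookup("alice", "wrong"))
    print(hardened_lookup("alice", "tulip"))
```

The decoy branch deliberately uses the same dictionary shape and the same image pool as a real account, and a stable mapping rather than a fresh random pick, because a decoy that changes on every request would itself signal that the username is unused. Two caveats a reviewer would raise: the dictionary lookup and the HMAC still take slightly different time on the two paths, so a production version should keep the work done on each branch as similar as possible; and this only addresses enumeration and gating. The separate point in Polynomial's answer, that a phishing page can proxy the request to the genuine site, is not solved by any server-side response shaping.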