How Not to Protect Your Customers from Phishing
When we talk about security awareness, we sometimes say that a certain company “does not get it”. It’s hard to define how we measure that and what makes us say that a certain company does or does not “get it” (or even what “it” is) – we just know, just like you can tell which mp3 players suck or which jokes are funny but you can’t always say why.
Many security experts will agree that companies that “don’t get it” fail time after time in trivial security matters, whereas companies with high security awareness will only rarely screw up.
The Bank of America was on my list of companies that ‘got’ what security really is. From the first time I signed up to the service, I noticed they did not fall into the Security by Obstruction trap. Signing up was easy, I got to select my own username and password which means I didn’t need to write either one down (finally an online bank that understands that brute-force attacks should be blocked at the server side and not by forcing the client to choose an impossible password). In fact, it’s the only password or PIN that I don’t have 3-4 copies of in all my electronic and physical wallets.
Then, I was actually thrilled to see the Bank of America incorporate sitekey – a clever trick that lets you select a certain image and phrase and shows it to you when you login. This makes sure you are logging into the real bank (though it doesn’t protect against Man in the Middle attacks) and it’s a good way to educate users that the bank needs to authenticate to you just like you do to the bank.
They went the extra mile and did a few other neat tricks: they let my browser ‘remember’ the account name, but since it’s done with their code the browser never stores (or shows) the entire account name, only a part of it along with an identifying ‘cookie’ that lets the server know who I am. Someone doing shoulder surfing (or eavesdropping) will not be able to capture my account name, while I get the ease of not needing to type in my login every time.
But just when I was thinking about getting a life-size picture of BoA’s security team to hang in my bedroom I got an email from them that got flagged as spam. In fact, it was an almost one-to-one copy of other Bank of America phishing emails – are they training me to act on emails received from someone claiming to be the Bank of America? The common practice is (or should be) to send an email such as “you have a new message waiting, please log on to your account to view it”. Otherwise, after I verify the email is legit, should I trust the next email that tells me my account is suspended and I need to log on urgently to unlock it? (for my convenience, there’s a link that takes me to http://mail.sutinen.com/.e-online-banking/index.htm).
Now it gets worse. I began to wonder what other legitimate BoA emails I had been missing. Digging through my spam folder, I saw an offer for a new shiny credit card. No problem so far – except that the link is to some internal page on https://www.newbusinesscard.com. Are you kidding me? If I enter my details at www.newbusinesscard.com, why not enter them at sutinen.com? Or www.iamtherealboasite.com? Or www.bankofamerica.ru?
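The lesson of the two emails above is that a bank's own outbound mail should never ask customers to follow a link that leaves the bank's domain. The following is an added example, not code from the original post or from Bank of America: a pre-send audit that pulls every link out of an HTML message body and flags any that is not an https link to an allow-listed domain. The allow-list, the sample message and the off-domain host `www.example-cardoffer.com` are constructed for illustration, and the registrable-domain helper is a deliberate simplification (it takes the last two labels and ignores multi-part public suffixes such as co.uk).

```python
"""Audit outbound customer e-mail for links that leave the bank's own domain.

Constructed example: the allow-list and the sample message are made up for
illustration; a real deployment would load both from configuration and use a
public-suffix list for registrable-domain extraction.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the bank has trained its customers to trust (assumed allow-list).
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Constructed sample message: one on-domain link, one off-domain link, and one
# on-domain link served over plain http (downgradable, so also flagged).
SAMPLE_EMAIL = """
<p>You have a new message waiting.</p>
<a href="https://www.bankofamerica.com/">Log on to Online Banking</a>
<a href="https://www.example-cardoffer.com/apply?src=boa">Apply for your new card</a>
<a href="http://www.bankofamerica.com/promo">Read the offer</a>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(hostname):
    """Return the last two labels of a hostname.

    Simplification for the example: a production check would consult the
    public-suffix list so that e.g. 'bank.co.uk' is handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def is_trusted_link(url, trusted=TRUSTED_DOMAINS):
    """A link is trusted only if it uses https and its registrable domain is allow-listed.

    Matching on the registrable domain (not a substring) means a host such as
    bankofamerica.com.example.net is correctly rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    return registrable_domain(parsed.hostname) in trusted


def audit_email(html_body, trusted=TRUSTED_DOMAINS):
    """Return the links in an HTML message that would train customers to click off-domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [link for link in collector.links if not is_trusted_link(link, trusted)]


if __name__ == "__main__":
    for bad_link in audit_email(SAMPLE_EMAIL):
        print("off-domain or insecure link:", bad_link)
```

Run against the constructed message, the audit reports the card-offer link and the plain-http promo link; the https link to the bank's own domain passes. Wiring a check like this into the marketing mail pipeline is cheap, and it stops the exact inconsistency the post complains about before it reaches a customer's inbox.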
The naïve will say that at this point you can at least use the SSL seal to verify who the owner is. While this is not a real solution, I’ll humor it only to mention that the SSL seal actually belongs to newbusinesscard.bankofamerica.com (I guess they thought the site would redirect me but it didn’t). Are we teaching users now that the SSL certificate and the domain name shouldn’t really match?
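The certificate mismatch described above is exactly what a browser's hostname check exists to catch: a certificate is only meaningful for the names it carries, so a certificate issued to newbusinesscard.bankofamerica.com says nothing about www.newbusinesscard.com. As an added example (not code from the post or from any bank), the block below implements the hostname-matching rules browsers apply, in the shape Python's `ssl.SSLSocket.getpeercert()` returns: subjectAltName DNS entries take precedence, the commonName is only a fallback when no SAN is present, and a wildcard is honoured only as the entire leftmost label. The certificate dictionaries are constructed to mirror the post's scenario and are not real certificates.

```python
"""Check that a server certificate actually names the host the user is visiting.

Added example: the certificates below are constructed to mirror the mismatch the
post describes (a cert for one hostname served from another) and are not real.
Matching follows the RFC 6125 rules that browsers apply.
"""

# Constructed: the certificate the post saw, valid only for the bank-branded name.
MISMATCHED_CERT = {
    "subject": ((("commonName", "newbusinesscard.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "newbusinesscard.bankofamerica.com"),),
}

# Constructed: a wildcard certificate, to show the one-label limit of '*'.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "*.bankofamerica.com"), ("DNS", "bankofamerica.com")),
}


def dns_names(cert):
    """Return the DNS names a certificate is valid for.

    subjectAltName DNS entries win; the commonName is consulted only when the
    certificate carries no SAN at all, as browsers do.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is accepted only as the whole leftmost label, only when at least
    two labels follow it (so '*.com' is rejected), and it covers exactly one
    label, so '*.bankofamerica.com' does not match 'a.b.bankofamerica.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True if any name the certificate carries matches the hostname being visited."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


if __name__ == "__main__":
    for host in ("www.newbusinesscard.com", "newbusinesscard.bankofamerica.com"):
        print(host, "->", "ok" if cert_matches_hostname(MISMATCHED_CERT, host) else "MISMATCH")
```

Against the constructed certificate, www.newbusinesscard.com is a mismatch and newbusinesscard.bankofamerica.com passes. Every mainstream browser performs this check and warns on failure, which is why a customer who has been told to trust "the SSL seal" will either learn to click through the warning or conclude that the bank's own site is fraudulent; neither outcome is one a bank wants to train.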
Scratching my head trying to figure out which bozo is responsible for these goof-ups, I logged into my account to see a special offer from none other than the Banc of America Investment Services, Inc. Are you guys for real? The “Banc of America”? When you partnered with this firm did you make sure the Banck of America, the Bank off America and the Bank of Amerika are all owned by trustworthy, honest individuals? What will we see next – a once-in-a-lifetime offer by the Viza platinum card LLC?
You don’t have to be raising kids to know that the key to education is consistency. When it comes to user education for security, this point cannot be emphasized enough – with one silly mistake you can ruin years of conditioning and education. Look how long it took users to start selecting good passwords. Do we want to wait 20 years for users to stop falling for phishing attacks? I’m sure the Bank of America doesn’t – after all, they’re bearing the full cost of phishing.
I’m not trying to be especially harsh on BoA – other banks are worse – but from BoA I’ve come to expect better. On the other extreme, there are some that will never ever get it.