Making Phishers Solve the Captcha Problem

The more I read about Bank of America's solution to the phishing problem, the more I believe it susceptible to man-in-the-middle (MIM) attacks. The Wall Street Journal today described their new system, called SiteKey, in a bit more detail. The BofA site describes it as well.

As I understand it, if you haven't signed into SiteKey before, you will get a randomly selected challenge question. Once you've answered the challenge successfully, a secure cookie is deposited on your PC. Subsequent authentications from that PC will force you to view a pre-selected image that will confirm you're signing into Bank of America, rather than a spammer's zombie machine in Chung Li, Taiwan.

Sidebar: isn't it odd that when you go the Bank of America site, you immediately note that the page is presented in cleartext ("http://"), not SSL ("https://). The first step to combat phishers is to provide an SSL connection... first time, every time. Customers need to get used to expecting a secure connection on every BofA page. Yes, their sign-in operation itself is secure. I just think it a tad bizarre that every page isn't secure as well. Just for the customer's peace of mind.

As far as I can tell, there's no way for SiteKey to distinguish a malicious, zombie PC from a user's virgin computer. The zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim.

Step 4 of the BofA SiteKey page even states the following:

If we don't recognize your computer: We will ask you one of your secret SiteKey Confirmation Questions. After you answer your question correctly, we will show you your SiteKey.

Sounds like it's completely susceptible to a man-in-the-middle: the classic phisher's false store-front.

I believe you've got to make phishers solve the captcha problem.

A Blogger Captcha

You know captchas: they're the odd-looking images representing stretched or melted alphanumeric text that can (presumably) be read by humans, but not malicious bots.

The example at right is the kind of captcha that Google's Gmail service employs. Mail services require strong captchas to prevent spambots from signing up for their free email services for mass-spam campaigns. We need more spam like GM needs more healthcare costs.

The challenge for systems like SiteKey is to create a captcha-like problem for phishers. I think I have the seeds of just such a solution. The idea is to make a man-in-the-middle attack bloody difficult.

Educating the users to expect an "anti-fraud" checklist on the sign-in page is obviously the first order of business. This can be achieved through a snail-mail campaign or equivalent PR effort. Once customers expect the anti-fraud checklist, the next action in the campaign is to:

Squeeze the man-in-the-middle

Force the man-in-the-middle (MIM) to present information specific to both the client and the server. After the user has entered a sign-in name, the anti-fraud checklist page depicted above, should appear.

The key element of the page is a GIF or JPEG image, dynamically created like a captcha, consisting of the three checklist items depicted at the top of this article.

The MIM gets squeezed by changing fonts

Why is this checklist so difficult for a MIM to present?

Checklist item 2: In a normal situation (with no MIM involved), the bank's server should be able to deduce the client's general location through IP-address geo-mapping.

For the MIM to present the correct location data, it will have to use an IP-address-to-geographic-location mapping algorithm and deduce it on its own.

Checklist item 3: The server has non-sensitive information about the customer (e.g., a check number that recently cleared) that can be presented on the page. This is called a "shared secret" that only the customer and the bank should know.

And for the MIM to retrieve a valid shared secret, it will have to screen-scrape the third line of the checklist from the image the bank has presented.

Captcha problem: Once the MIM has accomplished numbers two and three, it now has to somehow merge the images in a way that looks consistent. But the fonts are changing, the font sizes are changing, and the colors are changing. They're selected randomly.

Without some serious artificial intelligence, the MIM is trapped having to solve a classic captcha-style problem. And I, for one, thinks that's a hard road to hoe for the phishers.