Bank of America would likely be unaware of an attack being launched because the attacker would be following the same procedures expected of legitimate website users. In this attack scenario, a single attacker could theoretically lock up thousands of BofA accounts, overwhelming the bank’s support lines with calls from bewildered customers. After sufficient invalid answers, BofA will lock the account and the attacker would then move on to the next word. The attacker’s program would then only need to supply random, nonsensical information. Each time a valid login ID is discovered, since Sitekey would detect no device ID from the attacker’s computer, it would prompt for personal information to be supplied in response to challenge questions. While it is true that the vast majority of the supplied words would likely be invalid, a small statistical percentage will be valid login IDs. Any high-school computer student could probably write such a program and it would certainly not be beyond the capabilities of an experienced webmaster or programmer.ĭuring the attack, the attacker’s program would supply words from the database to BofA’s webpage and test for a response. Next, the attacker would write a simple program to supply the information to a waiting browser. Such databases are easily obtainable online. The attacker would first obtain a database of words used as typical login IDs. This attack scenario would involve the use of a dictionary database and a simple scripting program. Sestus Data described three scenarios for this lock out attack but cautioned that many more scenarios are possible:ĭictionary Based (Automated) Attack Scenario Originally designed as a security feature, Sestus Data Corporation reports it appears this “lock out” process can be exploited by malicious hackers to remotely lock out customers from their accounts en-masse, or used by fraudsters in a hybrid lock out/phishing attack to access the actual account. If the customer answers the questions incorrectly, BofA will lock up the account and require the account owner to call customer service to have their account “reset” or released. In the absence of a device ID, however, Sitekey prompts the customer to supply the answers to personal questions, such as “What is your mother’s maiden name”. Next, Sitekey attempts to locate a “device ID” on the customer’s computer. This process has been highly criticized by the FFIEC for its potential to permit fraudsters to use counterfeit websites to gather legitimate preliminary login IDs for use in future attacks. In the case of Passmark Sitekey at Bank of America, Sitekey requires customers to enter their account login ID first, before the website has been authenticated to the customer.
Sestus Data also warned that this vulnerability is not unique to Passmark Sitekey or Bank of America, but is a vulnerability of the underlying challenge question / response approach to authentication used at many banks. The vulnerability announced today is similar to a “denial of service” attack in that it permits an attacker to remotely “lock out” customers from their online accounts, potentially overwhelming the bank’s customer support lines with calls from frustrated customers. Go to Tools then Uninstall Programs.Sestus Data Corporation announced today the discovery of a vulnerability of the Passmark Sitekey login approach at Bank of America that could permit an attacker to remotely lock out thousands of customers from their online banking accounts.
#Move dos2usb sitekey to new pc software
To do this use the Windows uninstall or use specialized software as shown here.
Warning: This trick can not uninstall software, but only withdraw it from the Add/Remove Programs list.
0 kommentar(er)
