Chris Soghoian, a graduate student in informatics at Indiana University (Bloomington, IN, US), has demonstrated how phishing schemes built on man-in-the-middle methods can circumvent the shared-image schemes that banks are touting as a means of avoiding them: the SiteKey image, the PassMark image, and the Yahoo personalized sign-in seal. Because the fraudulent site simply relays the victim's username to the real bank and shows the victim the genuine image it gets back, the image proves nothing about which site the user is actually talking to. He has a video demonstrating how it works, and it is getting some press coverage.
We present this demonstration of a "deceit-augmented man in the middle attack" against the SiteKey® service used by Bank of America (the underlying technology is also used by other companies). This, or a similar attack, could be used by a phisher to deceive users into entering their login details to a fraudulent website.
On his blog, Mr. Soghoian describes steps that users can take to ensure that they are making a trustworthy connection to their banks and other financial institutions. Mac users, don't feel smug: this problem has nothing to do with a computer's operating system but with what happens to the data in transit between the browser and the bank.
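To make the man-in-the-middle point concrete, here is a small offline model, added here and not code from Mr. Soghoian's demonstration or from any bank: a toy bank that returns a user's enrolled image when given a username, and a relaying phishing site that forwards that username to the bank and shows the victim the genuine image. The host names, user name, image name and password are all constructed for the example. The model also shows the one signal the relay cannot copy here, the host the user is actually connected to, which is the kind of check the "trustworthy connection" advice in the previous paragraph is about.

```python
"""Toy model of a relaying (man-in-the-middle) phish against a SiteKey-style
shared-image login. Constructed example: no network access, no real hosts."""
from dataclasses import dataclass

# Constructed sample data (hypothetical user, image and password).
BANK_USERS = {
    "alice": {"image": "img_red_sailboat.png", "password": "correct horse"},
}


class Bank:
    """The legitimate site: step 1 maps username -> enrolled image,
    step 2 checks the password."""
    host = "bank.example"  # hypothetical

    def sitekey_for(self, username):
        # The image goes to whoever presents the username; the bank cannot
        # tell a relaying attacker from the user's own browser.
        user = BANK_USERS.get(username)
        return user["image"] if user else None

    def login(self, username, password):
        user = BANK_USERS.get(username)
        return bool(user) and user["password"] == password


class RelayPhisher:
    """The fraudulent site: forwards each step to the real bank and records
    what the victim types."""
    host = "bank-login.example"  # hypothetical look-alike host

    def __init__(self, bank):
        self.bank = bank
        self.harvested = {}

    def sitekey_for(self, username):
        self.harvested["username"] = username
        # Relay: the victim sees exactly the image the real bank serves.
        return self.bank.sitekey_for(username)

    def login(self, username, password):
        self.harvested["password"] = password
        # Relay again, so the login even appears to succeed for the victim.
        return self.bank.login(username, password)


@dataclass
class Visit:
    host: str
    image_shown: str
    logged_in: bool


def visit(site, username, password, expected_image):
    """Model the user's check: enter the username, look at the image, and
    type the password only if the image is the one enrolled."""
    image = site.sitekey_for(username)
    if image != expected_image:
        return Visit(site.host, image, False)
    return Visit(site.host, image, site.login(username, password))


def demo():
    """Run one honest visit and one visit through the relay."""
    bank = Bank()
    phisher = RelayPhisher(bank)
    honest = visit(bank, "alice", "correct horse", "img_red_sailboat.png")
    phished = visit(phisher, "alice", "correct horse", "img_red_sailboat.png")
    return honest, phished, phisher.harvested


def image_check_distinguishes(honest, phished):
    """Does comparing the shown image separate the two visits? (No.)"""
    return honest.image_shown != phished.image_shown


def host_check_distinguishes(honest, phished, trusted_host=Bank.host):
    """Does checking the connected host separate the two visits? (Yes.)"""
    return (honest.host == trusted_host) != (phished.host == trusted_host)


if __name__ == "__main__":
    honest, phished, harvested = demo()
    print("honest :", honest)
    print("phished:", phished)
    print("harvested by relay:", harvested)
    print("image check distinguishes:", image_check_distinguishes(honest, phished))
    print("host check distinguishes :", host_check_distinguishes(honest, phished))
```

Both visits show the same image and both logins succeed, while the relay ends up holding the username and password; only the host the browser is connected to differs, which is why the image cannot stand in for verifying the site itself.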
Link to Mr. Soghoian’s blog entry on the topic and to the video documenting it. His work’s been covered by three sources that I often read: the Washington (DC, US) Post, the University of Virginia Cavalier Daily, and the Chronicle of Higher Education.