Sestus Data Corporation announced the discovery of a vulnerability in the Passmark Sitekey login approach used at Bank of America that could permit an attacker to remotely lock thousands of customers out of their online banking accounts.
The vulnerability announced today is similar to a “denial of service” attack in that it permits an attacker to remotely “lock out” customers from their online accounts, potentially overwhelming the bank’s customer support lines with calls from frustrated customers. Sestus Data also warned that this vulnerability is not unique to Passmark Sitekey or Bank of America, but is a vulnerability of the underlying challenge question / response approach to authentication used at many banks.
In the case of Passmark Sitekey at Bank of America, Sitekey requires customers to enter their account login ID first, before the website has been authenticated to the customer. This process has been highly criticized by the FFIEC for its potential to permit fraudsters to use counterfeit websites to gather legitimate preliminary login IDs for use in future attacks.
Next, Sitekey attempts to locate a “device ID” on the customer’s computer. In the absence of a device ID, however, Sitekey prompts the customer to supply the answers to personal questions, such as “What is your mother’s maiden name?”. If the customer answers the questions incorrectly, BofA locks the account and requires the account owner to call customer service to have the account “reset” or released.
Although this “lock out” process was originally designed as a security feature, Sestus Data Corporation reports that it can apparently be exploited by malicious hackers to remotely lock customers out of their accounts en masse, or used by fraudsters in a hybrid lock out/phishing attack to gain access to the actual account.
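The following is an added illustration, not code from Sestus Data, Passmark or Bank of America, of why a challenge-question step that locks the account after a few wrong answers from any source is a denial-of-service hazard. It models the step in two ways: a naive policy with a per-account counter and a hard lock, and an assumed hardened policy that counts failures per (login ID, source) pair, throttles only that pair with a growing delay, and answers unknown IDs and wrong answers identically. The thresholds, cooldown, account names, answers and addresses are all assumptions or constructed sample data.

```python
# Added illustration, not code from Sestus Data, Passmark or Bank of America:
# a minimal model of the challenge-question step with two lockout policies.
# Thresholds, the cooldown, the per-source policy and all login IDs, answers
# and addresses are assumptions / constructed sample data.
import time
from dataclasses import dataclass


@dataclass
class Account:
    login_id: str
    answer: str            # constructed sample; a real system stores a hash
    failures: int = 0      # used only by the naive, per-account policy
    locked: bool = False   # True = owner must phone support for a reset


class ChallengeLogin:
    """The step reached when no device ID is found and a personal question is asked."""

    MAX_FAILURES = 3       # assumed threshold
    COOLDOWN = 900.0       # assumed base throttle for the hardened policy, seconds

    def __init__(self, accounts, hardened=False, clock=time.time):
        self.accounts = {a.login_id: a for a in accounts}
        self.hardened = hardened
        self.clock = clock
        # hardened policy: failure state keyed by (login_id, source), not by account
        self.pair_state = {}   # (login_id, source) -> (failure_count, throttled_until)

    def attempt(self, login_id, answer, source):
        """Return one of 'ok', 'bad_answer', 'unknown_id', 'locked', 'throttled'."""
        acct = self.accounts.get(login_id)
        if self.hardened:
            return self._hardened(acct, login_id, answer, source)
        return self._naive(acct, answer)

    def _naive(self, acct, answer):
        # Per-account counter and a hard lock: wrong answers from any source
        # count against the owner, and the response reveals whether the ID exists.
        if acct is None:
            return "unknown_id"
        if acct.locked:
            return "locked"
        if answer == acct.answer:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked = True
        return "bad_answer"

    def _hardened(self, acct, login_id, answer, source):
        # Failures are counted per (login ID, source) and punished with a growing
        # delay for that pair only, so a third party's failures never block the
        # owner; unknown IDs and wrong answers get the same response.
        key = (login_id, source)
        count, until = self.pair_state.get(key, (0, 0.0))
        now = self.clock()
        if now < until:
            return "throttled"
        if acct is not None and answer == acct.answer:
            self.pair_state.pop(key, None)
            return "ok"
        count += 1
        if count >= self.MAX_FAILURES:
            until = now + self.COOLDOWN * 2 ** (count - self.MAX_FAILURES)
        self.pair_state[key] = (count, until)
        return "bad_answer"


def owner_after_third_party_failures(hardened):
    """MAX_FAILURES wrong answers for 'jsmith' from one address, then the
    owner's correct answer from another address: the result the owner sees."""
    now = [1000.0]                         # fake clock so the run is deterministic
    login = ChallengeLogin([Account("jsmith", "Doe")], hardened=hardened,
                           clock=lambda: now[0])
    for _ in range(ChallengeLogin.MAX_FAILURES):
        login.attempt("jsmith", "wrong", source="203.0.113.9")   # constructed third-party address
    return login.attempt("jsmith", "Doe", source="198.51.100.4")  # constructed owner address


if __name__ == "__main__":
    print("naive policy, owner sees:   ", owner_after_third_party_failures(False))   # locked
    print("hardened policy, owner sees:", owner_after_third_party_failures(True))    # ok
```

Under the naive policy the owner is turned away with "locked" after someone else's three wrong answers; under the per-pair policy the owner still logs in and only the failing (ID, source) pair is delayed. Per-pair throttling on its own does not stop failures spread across many sources, so the login logs still need to be watched for one source touching many IDs and for unusual numbers of lockouts overall.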
Sestus Data described three scenarios for this lock out attack but cautioned that many more scenarios are possible:
Dictionary Based Attack – This attack scenario would involve the use of a dictionary database and a simple scripting program. The attacker would first obtain a database of words used as typical login IDs. Such databases are easily obtainable online.
Casual Attack – In a less sophisticated version of this attack, a casual malicious attacker could simply go to their public library and begin testing random (or stolen) words against BofA’s webpage, and then supply invalid answers for every valid ID discovered.
Hybrid (lock out/Phishing) Attack – In a more insidious version of this attack, an attacker could combine this lock out attack with a traditional phishing attack to actually gain access to the customer’s account.
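All three scenarios above leave the same traces in a bank's authentication logs: one source working through many login IDs and failing the challenge on each, or, when the attempts are spread across sources, a burst of lockouts well above the normal rate. The following added detection example is not part of the original article; the log line format, the event names (challenge_fail, account_locked, login_ok), the thresholds and every address and login ID in the sample are assumptions or constructed data.

```python
# Added detection example, not part of the original article: scan constructed
# authentication log lines for a single source whose challenge-question failures
# touch many distinct login IDs, and for bursts of lockouts across accounts.
# Log format, event names, thresholds and all addresses/IDs are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) "
    r"(?P<event>challenge_fail|account_locked|login_ok) "
    r"id=(?P<id>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one customer who mistypes once and then succeeds, one
# address cycling through six IDs in a few seconds (two of them end up locked),
# and one unrelated single failure half an hour later.
SAMPLE_LOG = "\n".join(
    ["2024-05-01T09:00:00 challenge_fail id=alice src=198.51.100.4",
     "2024-05-01T09:00:20 login_ok id=alice src=198.51.100.4"]
    + [f"2024-05-01T09:01:{i:02d} challenge_fail id=user{i:02d} src=203.0.113.9"
       for i in range(1, 7)]
    + ["2024-05-01T09:01:07 account_locked id=user01 src=203.0.113.9",
       "2024-05-01T09:01:08 account_locked id=user02 src=203.0.113.9",
       "2024-05-01T09:30:00 challenge_fail id=bob src=192.0.2.77"]
)


def parse(log_text):
    """Yield (timestamp, event, login_id, source); lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                   m["event"], m["id"], m["src"])


def _max_distinct_in_window(hits, window):
    """hits: list of (timestamp, login_id). Largest number of distinct IDs
    seen within any span of length `window` (sliding window over sorted hits)."""
    hits = sorted(hits)
    best, start = 0, 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        best = max(best, len({uid for _, uid in hits[start:end + 1]}))
    return best


def sources_spraying_ids(events, window=timedelta(minutes=10), min_ids=5):
    """Sources whose challenge failures hit >= min_ids distinct login IDs within
    `window`: the signature of one host working through a list of IDs."""
    by_src = defaultdict(list)
    for ts, ev, uid, src in events:
        if ev == "challenge_fail":
            by_src[src].append((ts, uid))
    flagged = {}
    for src, hits in by_src.items():
        n = _max_distinct_in_window(hits, window)
        if n >= min_ids:
            flagged[src] = n
    return flagged


def lockout_burst(events, window=timedelta(minutes=10)):
    """Peak number of distinct accounts locked in any `window`, regardless of
    source; compare against the normal rate to catch attempts spread over many hosts."""
    locks = [(ts, uid) for ts, ev, uid, _ in events if ev == "account_locked"]
    return _max_distinct_in_window(locks, window)


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("sources spraying IDs:", sources_spraying_ids(events))    # {'203.0.113.9': 6}
    print("peak lockouts per 10 min:", lockout_burst(events))        # 2
```

The per-source rule catches the dictionary and casual scenarios, where one host tries many IDs; the lockout-rate rule is the one that still fires when the attempts come from many addresses, because the number of accounts being locked per interval is visible whatever the source. The customer who mistypes once and then succeeds is not flagged by either rule.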