Bank of America Website Verification Meaningless to Users
07 Feb 2007


An MIT and Harvard study (via Slashdot) finds that the SiteKey system employed by Bank of America, ING Direct and Yahoo!, among others, is likely ineffective at protecting users against fraudulent sites. The SiteKey system assigns an image to a user's account and presents it before the user enters a password. If the displayed image does not match the one assigned to the account, the user should deduce that the site is not authentic and therefore not safe for entering private information. The results of the study (based on the Bank of America site and its users) show that the vast majority of people ignore the SiteKey cues, along with the often-overlooked HTTPS indicators. In fact, only 2 of the 25 (8%) participants using their own accounts, and none of the other 42, chose not to enter their passwords when the site-authentication image was replaced by an upgrade message.

Another interesting finding in the study was the contrast between the behavior of participants who were role playing for the study and those who were actually entering their own sensitive information. Definitely worth a read; the final paper is set to appear at the IEEE Symposium on Security and Privacy, May 20-27, 2007, in Oakland, California.


  1. P.J. Onori February 27th, 2007 11:00AM

    Long time, no comment – my apologies. 🙂

    Very interesting to say the least – I never really understood this tactic and, frankly, it seems somewhat useless. I can definitely see how people would not make that connection.

    Nice writeup!

  2. Leah March 19th, 2007 9:14PM

    I had no idea how SiteKey websites worked. I would probably be one of those 92% of users who didn’t understand what was going on. Good article 🙂

  3. Kimmy Paluch March 22nd, 2007 9:16PM

    Thanks for the comments! It is a very interesting problem that unfortunately has some problematic solutions currently being implemented. I too admit to being completely confused despite having experience with this from my programming days.

