The argument the demonstrators make is that the SiteKey protection is useless. I would counter that this is not the case. Their demonstration does illustrate that the man in the middle attack can work for a small number of phishing attacks.
The attacker gives up something in order to pull the man in the middle attack off that they wouldn't otherwise need to. The server that is running the attack has to actually make an http request to Bank of America in real-time. It need not be that exact server, but some server has to do this.
If it is a real web server, Bank of America could do interesting things if they are suspicious of the login, for example probing port 80 (in real-time or asynchronously). Or, keeping a database of IP addresses that are known to be ISPs versus datacenters (presumably the demonstration was done from an ISP IP address).
If the attacker somehow re-routes the request through a real ISP in real-time, it becomes easier to track the attacker in the real (legal) world. Now all of a sudden the ISP knows the address of the attacker, can track down the machine doing the attacking, etc.
In either case, Bank of America can detect the attack very quickly because of a large number of unique connections from the same IP address.
If the attacker goes one step further and re-routes the SiteKey requests through a botnet, then Bank of America loses a lot of defenses. The botnet is on real machines on real ISPs and always a different IP address. But this makes it much harder for the attacker to pull off because they have to set up a botnet.
Couldn't you use the millions of bots floating around the net? Just rotate through them? Or run it off your computer at a Starbucks, then after a couple hours move to another?
Also, don't phishing schemes usually work by sending out tons of emails and ensnaring only a few suckers? I would think a phishing scheme that netted 25 bank accounts would be considered a tremendous success.
How many does BofA have to allow from one IP per day to account for wifi hotspots? 5-10 minimum? Enough that a phisher can do some serious damage in terms of dollars I'd imagine.
To be fair, I don't know or claim that Bank of America is doing any of this, just that they could. And even if they did, that wouldn't make SiteKeys foolproof, but nothing really is completely foolproof; all you can do is be more or less foolproof.
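A minimal version of the per-IP detection discussed above, added here as an illustration (not anything Bank of America is known to run): it counts the distinct accounts whose SiteKey image was fetched from one source IP within a sliding window and flags IPs above the hotspot allowance the thread asks about. The log format, IP addresses and account ids are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Bank of America data): one line per SiteKey
# image lookup, i.e. the request a man-in-the-middle proxy must relay in real
# time for every victim. Fields: timestamp, source IP, account identifier.
SAMPLE_LOG = """\
2007-04-10T09:00:01 203.0.113.7 acct1001
2007-04-10T09:00:05 203.0.113.7 acct1002
2007-04-10T09:00:09 203.0.113.7 acct1003
2007-04-10T09:00:14 203.0.113.7 acct1004
2007-04-10T09:00:20 203.0.113.7 acct1005
2007-04-10T09:00:25 203.0.113.7 acct1006
2007-04-10T09:01:00 198.51.100.22 acct2001
2007-04-10T09:05:00 198.51.100.22 acct2002
2007-04-10T09:30:00 198.51.100.22 acct2001
2007-04-10T11:00:00 203.0.113.7 acct1001
"""


def parse_log(text):
    """Yield (timestamp, ip, account) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, acct = line.split()
        yield datetime.fromisoformat(ts), ip, acct


def peak_distinct_accounts(events, window):
    """For each source IP, the largest number of distinct accounts looked up
    inside any window of the given length (a hotspot shares one IP among a
    few users; a relaying proxy drives lookups for many accounts at once)."""
    by_ip = defaultdict(list)
    for ts, ip, acct in events:
        by_ip[ip].append((ts, acct))
    peaks = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            seen = {acct for ts, acct in hits[i:] if ts - start <= window}
            best = max(best, len(seen))
        peaks[ip] = best
    return peaks


def flag_proxy_suspects(text, window=timedelta(minutes=10), threshold=5):
    """Source IPs whose peak distinct-account count exceeds the allowance
    granted to shared connections such as wifi hotspots."""
    peaks = peak_distinct_accounts(parse_log(text), window)
    return sorted(ip for ip, count in peaks.items() if count > threshold)
```

As the thread notes, this per-IP count is exactly what rotating the relayed requests across many source addresses defeats, so it is one signal among several rather than a complete defense.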
Ha, I sent three different online banks emails about this crap over a year ago, telling them that their stupid images and placing logins and passwords on separate pages were nothing but annoying.
Unfortunately, even if they watch this video demonstration, they will do nothing about it. Those images exist only to make customers feel more secure, because we've all come to equate security with annoyance.
While this is a good demonstration of phishing, it's not very technically challenging.
Approaches to preventing phishing attacks rely on SSL certificates, phishing filters, and browsers making it hard for inexperienced users to make silly mistakes.
Why not client certificates? I'm pretty sure that's what my bank uses; they've got a Java applet that talks to a small binary file in my home drive. The technology is simple (to implement) and well proven, and guarantees security end-to-end.
It isn't about stupidity. If we can all use the latest technologies when we're 60 years old w/o getting a little confused then I'll be impressed, and we're not stupid.