The following Quicktime movie was created as part of a research project by Christopher Soghoian and Markus Jakobsson, two students at Indiana University. In this movie, the students demonstrate how easy it is to defeat RSA's Sitekey product, even to the point of remotely grabbing the challenge questions and secret image from Bank of America's website and returning them to their phishing website. If you are unable to view this Quicktime movie, you may download the Quicktime plugin from Apple here.

As part of a research project, two students at Indiana University created a phishing website that appears to be Bank of America's website. Note the URL of the students' website (http://sitekey.evil-phisher.com/sitekey.cgi). The students had previously created a legitimate Bank of America account and registered a secret image and passphrase, as well as answers to several challenge questions.

First, the student enters their Bank of America login ID and location on the phishing website.

When they click the Sign-in button, the phishing website's CGI script silently queries the legitimate Bank of America website and returns the challenge question from the bank's website.

The students supply the answer to their challenge question.

When they click the Sign-in button again, the phishing website's CGI script again silently queries the legitimate Bank of America website and returns the secret image previously uploaded by the students to Bank of America, as well as their "DaMN that works" passphrase.

They enter their passcode (password).

They then highlight their phishing website's URL and Bank of America's incorrect statement that, if they recognize their Sitekey image, they are on the valid Bank of America website.

When they click the Sign-in button again, they display a final message informing the user that they have just been duped by a phisher.

Two students defeat Sitekey at Bank of America (Click the play button below to begin the movie)