Sitekey Man-in-the-Middle Demonstration

Defeating Sitekey 101 - A School Project

The following QuickTime movie was created as part of a research project by Christopher Soghoian and Markus Jakobsson, two students at Indiana University. In the movie, the students demonstrate how easily RSA's Sitekey product can be defeated, to the point of remotely fetching the challenge questions and secret image from Bank of America's website and displaying them on their own phishing website.

As part of the project, the two students created a phishing website that mimics Bank of America's website. Note the URL of the students' site (http://sitekey.evil-phisher.com/sitekey.cgi). The students had previously opened a legitimate Bank of America account and registered a secret image and passphrase, as well as answers to several challenge questions.

First, a student enters their Bank of America login ID and location on the phishing website. When they click the Sign-in button, the phishing site's CGI script silently queries the legitimate Bank of America website and returns the challenge question served by the bank. The students supply the answer to their challenge question. When they click the Sign-in button again, the CGI script silently queries the bank a second time and returns the secret image the students had previously uploaded to Bank of America, together with their "DaMN that works" passphrase. They then enter their passcode (password). Next they highlight the phishing site's URL alongside Bank of America's incorrect statement that, if they recognize their Sitekey image, they are on the genuine Bank of America website. When they click the Sign-in button a final time, a closing message informs the user that they have just been duped by a phisher.
Two students defeat Sitekey at Bank of America
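The demonstration above works because the secret image is a secret shared with the server, not a property of the site the browser is actually connected to, so a relay that forwards each step can show the genuine image on a different origin. The following Python model, an added example that is not part of the original page or of the students' project, reproduces that indistinguishability with constructed data and contrasts it with an origin-bound proof (the approach used by authenticators such as WebAuthn), which a relay cannot forward: the bank, relay, user, key and origin names are all assumptions.

```python
import hmac, hashlib, secrets

BANK_ORIGIN = "bank.example"               # constructed stand-in for the bank's real host
PHISH_ORIGIN = "sitekey.evil-phisher.com"  # the relay host named in the demonstration

class Bank:
    """Constructed model of a bank that reveals a user-chosen image after a correct challenge answer."""
    def __init__(self):
        self.users = {}
    def enroll(self, login, answer, image, phrase, device_key):
        self.users[login] = dict(answer=answer, image=image, phrase=phrase, key=device_key)
    def challenge(self, login):
        return "What city were you born in?"
    def sitekey(self, login, answer):
        u = self.users[login]
        return (u["image"], u["phrase"]) if hmac.compare_digest(answer, u["answer"]) else None
    def login_origin_bound(self, login, nonce, origin, mac):
        """Mitigation: the user's agent authenticates the origin it is really talking to, so a relayed proof fails."""
        msg = f"{nonce}|{origin}".encode()
        expected = hmac.new(self.users[login]["key"], msg, hashlib.sha256).digest()
        return origin == BANK_ORIGIN and hmac.compare_digest(mac, expected)

class Relay:
    """Models the phishing page's CGI script: each step is forwarded to the bank and the reply echoed back."""
    def __init__(self, bank):
        self.bank = bank
    def challenge(self, login):
        return self.bank.challenge(login)
    def sitekey(self, login, answer):
        return self.bank.sitekey(login, answer)
    def login_origin_bound(self, login, nonce, origin, mac):
        return self.bank.login_origin_bound(login, nonce, origin, mac)

def image_check_passes(site, login, answer, expected):
    """What the user does in the video: answer the challenge, then compare the displayed image and phrase."""
    site.challenge(login)
    return site.sitekey(login, answer) == expected

def origin_bound_login_passes(site, origin_seen, login, key):
    """The user's agent binds its proof to the origin shown in its own address bar, not to what the page claims."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, f"{nonce}|{origin_seen}".encode(), hashlib.sha256).digest()
    return site.login_origin_bound(login, nonce, origin_seen, mac)
```

The image check succeeds identically through the bank and through the relay; the origin-bound proof fails through the relay because the MAC covers the phishing origin, and rewriting the origin to the bank's invalidates the MAC.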

© 2008 Sestus Data Company All Rights Reserved. PhishCops® is Patent Pending.