Sunday, February 20, 2005


Citibank fights phishing the wrong way

Citibank must be one of the most common targets of phishing scams around. I have lost track of the fake mails I have received and forwarded to Citibank security.

The Citibank on screen keyboard described by BetaNews smells like a publicity stunt to show that they take security seriously and that they are doing something. Or are they really clueless enough to think that this online keyboard will improve security?

It is true that some basic keyboard loggers do not work with an on screen keyboard, but it is a lot less secure than a normal password field:

  • It is easier to see which password the user enters, as you just have to follow the mouse on screen as it clicks the characters one by one. Discovering my password by shoulder surfing is a lot more difficult as I touch type pretty fast.

  • It limits which letters can be inserted. There is no Shift key so you are stuck with uppercase letters only and a very limited set of special characters. I am not paranoid enough to use AltGr to enter random characters but I do use a mix of upper case, lower case, numbers and extended European characters.

  • This keyboard does not prevent phishing. The JavaScript keyboard will show up on the phishing sites and the phishers will continue to get the clear text username and password like they have in the past.

You cannot type in the password field, but all is not lost as they did not disable paste functionality. Good password managers like Password Safe, and the one I'm working on in my spare time, continue to work as they allow you to paste the password without ever displaying it on the screen.

I feel a lot safer with other banks that offer some sort of two factor authentication:

My credit card company sends me a free SMS alert when someone charges my card which makes me feel pretty much in control.

Click here to see the folly on screen keyboard at work
