Bank of America’s requirement of Adobe Flash for my “security”

While I am generally a fan of any security measure which improves your online safety, especially related to online finance, there has always been a nagging thorn which made me dislike Bank of America’s SiteKey / SitePass two-factor authentication system. It all boils down to its requirement of having Flash Player installed just to use it. Flash’s issues are well documented on the web, so I won’t bore you by repeating them here. Instead, I stumbled across a workaround that, albeit clumsy, does the trick so I don’t have to fire up Chrome every time I want to log into Bank of America.

Doing a little digging, I found that most of the functionality on the site is handled via a smidge of JavaScript (not generally well written, I might add), HTML cookies, Flash local storage, and of course an utterly pointless Flash movie to request / type in a 6-digit code (why not just a simple XHR-backed form!?!?). Upon investigation, it seems the Flash local storage is used only as a fallback in case the cookie data is missing (and presumably, also to share across browsers). As long as you have a ‘PMData’ cookie, the Flash local storage appears to not be used.

OK, so now we know we don’t need Flash for local storage; how about the Flash movie for entering the code? Rather than decompiling their SWF or sniffing traffic, I decided to skip that. For the instances where I need to type in the code (large money transfers), I can just fire up Chrome, as that happens only a few times a month at most (unlike logging in and viewing my account). Instead, let’s see if we can get Bank of America to recognize my Safari browser as being one previously registered, even though it can’t register due to the lack of Flash. I first started off by copying all of my B of A cookies from Chrome to Safari. This, somewhat unsurprisingly, did not work. On a whim, I decided to switch my user agent in Safari and see if having it identify as the same UA would fix it. Shockingly, that is all it took, and now I can log in (and it shows my personalized SiteKey and all, as expected). Going back to sign in again with a fresh browser window to repeat the test sequence, I found that the UA switch wasn’t even necessary anymore. Thus, I obviously can’t confirm it’s “required” to switch the UA, so if you are repeating my results, please let me know if your experience differs.

Now, anyone with any paranoid / security mental tendencies is likely going WTF!? Yeah, me too. Isn’t the whole point of having a formal process for “registering” a new computer permanently that it must be something which cannot easily be worked around in 30 seconds by anyone with even an intro-level understanding of HTTP? If all it takes is my cookies combined with a specific user agent string (??), then aren’t we really adding trivial (if any) security to the process, and in actuality acting more like the TSA (aka security theater, “make you feel safer”)? I went ahead and reached out to Bank of America’s security team, but haven’t had a response (and don’t really expect one either).
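To make the design point concrete, here is an added example (not from the original post, and not Bank of America’s code) that models a device check built only on replayable request values next to one that also requires proof of possession of a per-device key. The record layout, function names and values are constructed, and HMAC stands in for the asymmetric signature a real authenticator would produce.

```python
import hashlib
import hmac
import secrets

# Constructed record for one registered device (hypothetical data model).
REGISTERED = {
    "cookie": "PMData=constructed-device-token",
    "user_agent": "ExampleBrowser/1.0 (constructed)",
    # Provisioned at registration; assumed to be non-exportable on the device.
    "device_key": secrets.token_bytes(32),
}

def weak_is_registered(cookie: str, user_agent: str) -> bool:
    """Recognise a device purely from values the client replays on every request."""
    return (hmac.compare_digest(cookie, REGISTERED["cookie"])
            and hmac.compare_digest(user_agent, REGISTERED["user_agent"]))

def device_response(device_key: bytes, challenge: bytes) -> bytes:
    """Computed on the device; the key itself is never sent."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

def strong_is_registered(cookie: str, challenge: bytes, response: bytes) -> bool:
    """The cookie only selects the record; the keyed response proves the device."""
    if not hmac.compare_digest(cookie, REGISTERED["cookie"]):
        return False
    expected = hmac.new(REGISTERED["device_key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)

def demo() -> dict:
    # A second browser that holds the same cookie and UA string but no device key.
    cookie, ua = REGISTERED["cookie"], REGISTERED["user_agent"]
    challenge = secrets.token_bytes(16)  # fresh nonce per login attempt
    genuine = device_response(REGISTERED["device_key"], challenge)
    without_key = device_response(secrets.token_bytes(32), challenge)
    return {
        "weak_accepts_copy": weak_is_registered(cookie, ua),
        "strong_accepts_copy": strong_is_registered(cookie, challenge, without_key),
        "strong_accepts_device": strong_is_registered(cookie, challenge, genuine),
        # An old response does not verify against a new challenge.
        "strong_accepts_replay": strong_is_registered(cookie, secrets.token_bytes(16), genuine),
    }

if __name__ == "__main__":
    print(demo())
```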

Unfortunately, this isn’t an easy problem to truly solve correctly. Anyone have great ideas on how to get the Internet to standardize on a single login scheme across the globe which has a superb user experience while maintaining two-factor or better authentication when needed all in some workflow? If so, I’m all ears and ready to jump on helping make it a reality in my free time!

UPDATE: Here’s a great security paper on SiteKey… worth a read! http://www.redforcelabs.com/Documents/SiteKey.pdf
