Jim Youll, Fraud Vulnerabilities in SiteKey Security at Bank of America, White Paper, Challenge/Response LLC, Cambridge MA (USA), 15 pp., 18 July 2006. Available at http://cr-labs.com/publications/SiteKey-20060718.pdf, 26 September 2007.

Abstract

The SiteKey anti-phishing system used by Bank of America and other financial institutions is susceptible to a real-time exploit in which an attacker can create a fake web page that includes a victim's correct, secret SiteKey image, text phrase and challenge questions. This paper discusses the customer-facing implementation of SiteKey as seen from a web browser, the reasons for its vulnerabilities, the risks posed by its design and by its persistent storage of a security-weakening token, and the means by which those vulnerabilities could be exploited. Possible improvements are proposed, though the accompanying discussion argues that the single-ended authentication used by SiteKey and other systems is not a sufficient deterrent to phishing or other online frauds. Also included is a brief summary of a discussion between the author and representatives of Bank of America and RSA Security regarding the paper and the bank's overall approach to customer safety and security. This report does not provide source code or detailed instructions about carrying out the described attacks.

Challenge/Response, LLC is a creator of software that tracks and prevents online fraud, and supports safe e-commerce.