Note that if you’re a large bank, and these tools result in even a 5% decrease in fraud losses that the bank is unable to recover, they are still worth millions to you.
You are correct. Site authentication is not two-factor ID. I mixed the ideas up. But my point is that the site key idea was in response to a Gov’t (I believe Federal Reserve) regulation that also envisioned two-factor authentication. Since site ID is cheaper, that is what got implemented, even though it doesn’t help much with security.
I wouldn’t want you to post a “how to hack” tutorial, although I note that what you did was entirely on your own computer. The bank’s web site does seem to detect if I am on a computer it does not recognize, and it re-authenticates me with challenge questions. So I have two theories about how this could work, but like I said I’m not a web developer so this might be naive:
- HTTP includes data in the request header that uniquely identifies your computer. The bank keeps a record of that. In that case a MITM can simply read your header and spoof it when it forwards the request to the bank.
- The bank’s site stores a unique identifier in a cookie, and checks the cookie when you log in. In that case a MITM could read the same cookie and simulate it on the attacking computer for when it forwards the login to the bank. However, I don’t know the underlying mechanism for how cookies work and if there is any security on them. That is, can any web site I connect to read any cookie they want?