Thursday, July 14, 2005

Bank of America

USA Today reported Bank of America is rolling out a new online banking security system aimed at making it harder for cyberthieves to crack customer accounts, an effort that comes as the industry struggles with a recent string of high-profile security breaches.... Bank of America launched its new online security system, called SiteKey, last month in Tennessee. It is being rolled out this week in Virginia, Maryland and Washington, D.C., and should be available nationwide by the fall.... Bank of America's new system was created by PassMark Security, a Redwood City, Calif.-based company that manufactures authentication systems aimed at blocking identity theft and other fraud. Bank of America is offering it to online customers at no fee.

Instead of the traditional user name-password setup, SiteKey users select one of a thousand different images, write a brief phrase and pick three challenge questions. The challenge questions — all things that only the customer would be able to provide, such as the year and model of their first car — are then used along with a customer ID and a passcode to guard access to the account.... The SiteKey system also allows customers to verify that they are indeed at Bank of America's Web site when they log on for online banking. By clicking on a SiteKey button, they can see the secret image they selected and their phrase; if those things don't appear, they could be at a spoof Web site or the target of a "phishing" scheme, Gupta said.... Bank of America compares SiteKey to getting a safe deposit box with two keys. Before the customer and the bank agree to open the box together, they must confirm each other's identity....

Wachovia Corp. spokesman Doug Caldwell said the Charlotte-based bank is researching online authentication programs and plans to unveil its own system later this year. Among the options being explored is the use of tokens — battery powered devices that typically display a different, randomly generated number every 60 seconds. To conduct online transactions, a customer would be required to enter the number currently shown on their token's display, as well as a user name and password. Bank of America spokeswoman Betty Riess said the bank looked at tokens and other options with focus groups before choosing SiteKey. "We found this provides the right balance of added security and convenience," she said. "We found consumers did not want to have to get another device like a token to do their online banking."


I find this interesting because I bank with Bank of America, and do most of my banking online.

1 comment:

Ellis M. said...

This is BEYOND stupid. The first time you sign on to BOA’s web-site on a new computer (I do it quite often as I travel and use different computers nearly every day) it asks you for your user-id and password.

*THEN* (step 2) it prompts you to answer your challenge question.

*THEN* it presents your site-key so you can verify that the bank is YOURS.

WHAT???? If this was a phishing site they now have my userid, my password, and my challenge question answer … but NOW I can see that it’s a fake site. Oh good.

I may be a former Bank of America customer soon. If this got past them I can’t imagine what else they missed.