False security: Is Bank of America lying to its customers?

A bank that guarantees its online users safety and security has direct evidence that its Web-based banking system may not be 100 percent bullet-proof.

Should that bank tell its customers? And if it doesn't, is it misleading, or even worse, lying, to them?

Bank's logo

(Credit: BofA)

Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon. Instead of having its customers log in with just a user name and password, these new schemes require some third bit of information.

Some banks choose to issue their customers a cryptographic hardware token (a keychain with a digital display that spits out a new random number every 60 seconds). Others, especially those banks with less profitable customers, have opted to instead adopt software solutions. The advantage of this, of course, being that they don't have to spend any money to send widgets out to their customers.

BofA's SiteKey two-factor authentication system is essentially a rebadged version of the PassMark system sold by RSA/EMC. Other banks that have licensed the technology include Pentagon Federal Credit Union, Vanguard, and U.K.-based bank Alliance & Leicester. Users of SiteKey and similar systems select a graphical image and phrase, which are then displayed to them every time they login to the Bank of America Web site from "trusted" computer (that is, one that BofA has seen before).

According to Bank of America's own numbers (PDF), over 21 million customers use their online banking system. BofA's Web site promises customers that the SiteKey system will keep them safe, stating: "You know it's really us--when you see your SiteKey, you can be certain you're at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."

How SiteKey Works

(Credit: Bank of America)

The problem is that all of these schemes--every single one of them--is vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.

On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system. Finally in April 2007, Professor Markus Jakobsson and I announced a working demo of a successful man-in-the-middle attack against SiteKey. Based on advice from lawyers, we did not release an easy-to-use version of the system, nor were we able to provide access to the demo to others online. To provide the factual support for our claims and to demonstrate how relatively easy such an attack would be to perform, we released a screen-captured video of the demo, as well as source code that would allow an advanced user to download the SiteKey image from any remote, untrusted machine.

Our demo got quite a bit of press attention, with mentions in The Register, ZDNet and The Washington Post. One of the main points we tried to make when we put our demo online is that Bank of America is promising its customers something impossible. By telling users that the SiteKey image guarantees they are visiting BofA's Web site--and not a phishing page--Bank of America is giving its users a false sense of security. Were BofA to instead acknowledge the risks of phishing and man-in-the-middle attacks, users might be more cautious when logging into suspect Web sites.

Shortly after we released the demo, Louie Gasparini, chief technology officer for RSA's Site to User Authentication group was interviewed by Brian Krebs at The Washington Post. He said that our attack demo "overlooks a number of back-end technologies that financial institutions use to detect fraudulent transactions."

"What they're critiquing is just the most visible piece to this technology," Gasparini added. "There is a whole bunch of risk management and fraud detection that goes on behind the scenes so that even if a user's account does get compromised, the bank can still protect that person."

Gasparini's comments mirror those of Betty Riess, a spokeswoman for Bank of America with whom I chatted on Tuesday. Reiss made it a point to mention that SiteKey is just one part of BofA's multipronged approach to security. However, she declined to comment further when specifically asked if the text on the SiteKey page is misleading, or if Bank of America has a responsibility to be honest with its users about the risks of man-in-the-middle attacks.

Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?

Watch our video of the man-in-the-middle attack against the SiteKey system, read Bank of America's promises of safety and security on its Web site, and decide for yourself.

[rcrusoe]

Trust everyone,

but cut the cards. (i.e. verify, verify, verify)

While I was not aware of this vulnerability, I've always thought it wise to verify ssl credentials on every page, every time I do business online - whether on BofA's site or any other commercial site.

And to be aware of what I need to do to take advantage of BoA's $0 liability policy.

http://www.bankofamerica.com/onlinebanking/index.cfm?template=security

Is BofA lying? IMO, that depends on what they do when a customer falls victim to something like this.

[o8justiceforall]

Why aren't banks secure?
The whole idea behind keeping your money in a bank vs. in your mattress is that a bank is secure. The banks are FDIC insured for accounts up to $100,000.00 which is higher now due to the economy. The issue these days is that we are getting our identity stolen right at the bank. Here is an example below of one who had over 200 accounts opened up under his name and a huge amount of cash...yes I said cash taken out of his account without having to verify a valid ID.

What is the answer? Do we keep our money in the mattress? Do we make the courts do something? Tell me your thoughts.....

http://o8justiceforall.wordpress.com

[groyal]

Something for Marketing Profs

A marketing assertion is something that falls into the reasonableness test which is one big fuzzy line. We have consumer protection agencies whose job it is is to test for reasonableness in marketing if someone actually objects to it.

The difference between the face cream and the BOA statement is that in the face cream example, the outcome is wholey objective as to whether or not a person will look 20 years younger. Whereas the out come of the BOA statement is mostly objective. You can prove the opposite. Even if it is 99.9% safe then the assertion is not true, as you may have proved. However the problem for banks is that how much does it cost to get the extra .09999% reliability?. Then again that is what insurance is for.

[arluthier]

Multi-pronged Plastic Spork

If this multi-pronged approach banks use is so successful at protecting the customers (as the BofA quote mentions) how is it that so many man in the middle attacks have been successful?

[ddesy]

Correction...

"Bank of America, like many other financial institutions in the U.S., has jumped on the "two-factor" authentication bandwagon."

This isn't a "bandwagon." It's now legally required that banks have two-factor authentication. There are a number of different types, but one of them must be used.

[sumo300]

Correction #2

This legal requirement is for true two-factor authentication (something you know, something you have, etc). SiteKey is an extra "something you know", which does not constitute it being two-factor authentication. SiteKey is garbage.

[alflanagan]

Surprised?

Does anyone expect any corporation to tell the truth any more? We've created a culture that rewards them for lying and punishes them for telling the truth. Now people can't even tell the difference any more.

[gregconnor]

Guarantee vs. marketing claim

B of A states you "can be certain you're at the valid (B of A site)" when you see the SiteKey. This is not a guarantee, but rather a reasonable marketing claim that customers should take with a grain of salt, just like any other marketing claim. Elsewhere on the page, they position it as an "additional layer of identity verification". Their use of the word "certain" is reasonable - I can't imagine anyone thinks it is 100% safe. It's arguably safer than offline banking, but that's another conversation.

A guarantee is totally different from a marketing claim - it is dependent on the bank's actions in the case of a failure of their OLB security. You didn't provide any links, and maybe B of A does not state it explicitly, but I'm reasonably sure that they would make whole any customer who loses money due to a MITM attack that compromises its SiteKey.

[whythebite]

while on the phone to B of A 11 days ago, clarifing the credit limit on my $ 50,000 HELOC,in which for 3 months my total outstanding balance kept going $71.00 over the 50000 and i used $49,850 purposely not to exceed the LOC.My monthly payment is $221.00 per month( to my surprize, all of everbodys Bof A HELOC payments are in the rears) taking my outstanding balance to $50,071.00 . this was brought to my attention several months ago when making a phone payment , that all thought you have not reached your credit limit , payments in the rears puts you over your limit each month and this will be reported to the credit bureau. (the person at that time sounded honest so I will take heed and make sure it gets done) .so for months I have been calling back to make sure this was not damaging my credit score.after calling and calling maybe 5 times to Bof A , phone personal all said they have no referance to this credit reporting and I ask them to check with their boss and time after time, oh no sir that makes no bearing on your credit or oh no this is not reported monthly . Eventually I was not taking the chance and went with my gut feeling, so this time calling I insisted on depositing $80.00 into my BofA Equity Maximizer HELOC in which took my total principal balance down to $49,770.00 , that person said this deposit will not reflect on that acc until midnight tonight. *** while on that same phone call 11 days ago *** I also inquired as to an increase on my home equity line of credit , and Bof A said there is a $10,000 minimum increase, I did not need that much,this $ was to cover odds and ends credit card ($3,400) used durring my remodel which is pretty much finished . when I found out the APR on my loan would go from a 5.25 % to 7.25% taking my payment from 221.00 to 343.00 per month,well we won't be needing that loan increase! So I said to the person NO, NO, NO, I will not accept that ,I can pay the cards off faster ]so i declined and asked for a confirmation #on the decline of LOC increase, and I was told we don't issue a confirmation# for the decline of LOC increase. but we B of A will give you a referance # pertaining to the $80.00 payment above ,so I got the ref # and the persons name ,time,date yada yada. the next morning apx 10am I checked the balance in my checking acc and the $ 80.00 had been deducted from my checking acc. I thought great!.and for some odd reason that afternoon I checked my check balance again. misteriously the $80.00 was credited back to my checking acc.I was exhausted on day 2.Day 3 I am up early PST, so I call south Carolina B of A HQ and because I'm located california they said I will have to call the CA HELOC office , once again I called Bof A CA HELOC office to make sure that " additional" payment was made and to make sure the application cancelation for LOC increase was reconized, and I questioned the fact why my check acc balance the very next morning showed a $80.00 deduction on day 2 and in the afternoon that same day the check acc bal showed no deduction was ever made,the person paused , I figured must be looking at the account ! the B of A person responds NO that payment was not credited yet, and yes that LOC increase app canceled . 3 days later that "additional" HELOC payment was credited . WELL THIS WHAT HAPPENED yesterday I recieved 2 letters from B of A ,one letter states that we sincerely regret we are not able to approve your recent HOME EQUITY LINE OF CREDIT application ( which I did not want ,just inquired ),and the other letter is a copy of my credit rating from EXPERIAN. my credit rating droped 72 points in 67 days, during this time there were numerous dropped phone calls, so many I finally asked one of the phone people and their responce was well thats been happening in the mortgage department .I have to say oh thank you very much Bank of America for allowing me to be such a valued customer. PS;you got me for 10 extra points on the way into this loan, because of your HQ paper work dept apparently did not receive what your loan officiers sent 3 different times with fax transmission received notifications, stalling for time during the loan process allows the financial institution to check your credit rating every 30 days( lowering your credit score and raising your credit rate . mine took 36 days,this is not accidental or careless.Bank of

[o8justiceforall]

IS BANK OF AMERICA ABOVE THE LAW???

The Government is balling out the banks for 700 Billion without investigating enough. The people who are losing their jobs and home needs the money, not the banks!

CAN SOMEONE PLEASE HELP ME? AS WELL AS OTHER VICTIMS BY THE BANKS.

It all started, in February 2006, with a not reported bonus of 200,000$ to my bookkeeper of 20 years has turned into a missing of hundreds of millions dollars in art, wine and cash by former trusted employees and Bank of America refuse to help me. In search for answers, I have begged my bank, Bank of America which I am client for over 15 years, to provide my complete file, canceled checks, deposits, withdrawals, interest earned, monthly statements, signature cards and corporate resolutions among others, for almost 3 years beginning February 2006 but to this day I have receive almost nothing.

After 5 subpoenas served on Bank of America I still do not have my documents. The officer of the local Bank of America has responded, on three different declarations under oath and penalty of pergery turned over everything but breach these declarations by continuing to produce documents in between each of them which is against the law. IS BANK OF AMERICA ABOVE THE LAW??? They have permitted cash withdraw in millions by others from my accounts and permitted opening of accounts in my name without my knowledge. Over 25 accounts were unknown to me until June 2008. How could Bank of America do this? Is this the consequences of corruption? Or a major cover up?

I am still without answers and the bank continues to withhold my complete files. All my rights are violated and the Government must do justice. There are hundred millions of dollars missing from my accounts. I believe only the Government can force them to comply. For almost three years, I have requested, by writing, the IRS to help me on this matter and to audit me but I have not yet received an answer.

PERHAPS, NOW, SOMEONE WILL FINALLY LISTEN!

IS THIS DONE TO ALL THEIR CLIENTS?
http://o8justiceforall.wordpress.com/2008/12/15/bank-of-america-are-they-above-the-law/

[hotdogsteve69]

I called bofa the other day because my car was changed from 13 to 25.99 percent on my credit card.I was very upset so I called and they refused to lower the apr which they said they had given me a chance to opt out on my statement.Honestly I don't check my statements every month ,I usually just look at the amount I owe and pay it on time.I have never been late on a payment and my credit is good.I cant believe they can get away with this,and then they closed my account without my authorization,and I still have to pay the 25.99 percent until its paid off.My advice to everyone is to check your statements every month because its places like bofa that instead of helping you they find ways to screw you.
from steven in san francisco

[o8justiceforall]

Bank of America is ranked one of two of the highest for identity theft, according to the site belows statistic.
http://blog.wired.com/27bstroke6/2008/02/bank-of-america.html

What I find absolutely disgusting is that they are being bailed out yet again buy us ...the tax payer....not like the media...the government said it is a "government" bail out....who do they think pays for the government?
Do a search on Google for Bank of America identity theft you will find over 600 thousand hits as I did. They are not only pulling the preverbial wool over the consumers eyes they are even suing customers who have had their identity stolen through Bank of America...What judge is allowing this?

http://digg.com/business_finance/Bank_Of_America_Sues_ID_Theft_Victim_For_23_312_04_2

I have another case below where they "Bank of America" has allowed over 200 accounts to be opened under one person without so much as verifying to the real person that this was them through signature card, valid ID or anything....

http://o8justiceforall.wordpress.com/

So what is the customer supposed to do?

[SHORT_SELL_BAC]

SHORT SELL BANK OF AMERICA (BAC)NOW!!!

IF BANK OF AMERICA STOCK FALLS BELOW $5 PER SHARE, RULES OF INSTITUTIONAL OWNERS MAY REQUIRE THEM TO SELL THEIR BAC HOLDINGS. THE OTHER DAY THE STOCK CLOSED AT $5.10, APPARENTLY REFLECTING THE SCRAMBLING BY SOME TO SUPPORT THE STOCK PRICE.

ACCORDING TO TEH "SHORTSQUEEZE.COM" WEBSITE, 44.10% OF BAC IS HELD BY INSTITUTIONAL LENDS. WHILE SOME DO NOT HAVE THE $5 PER SHARE LIMIT RULE, THE SELL OFF OF BAC COULD BE MASSIVE IF THE STOCK GOES BELOW $5, SENDING BAC PLUNGING TO GREATER LOWS.

BAC HAS TREATED ITS CUSTOMERS IN INAPPROPRIATE WAYS FOR A LONG TIME. FRANKLY, I WAS ONE OF THOSE CUSTOMERS LIKE MANY OTHERS ACROSS THE US. IF BAC FELL, DEPOSITERS WOULD TAKE A LOT OF THEIR MONEY TO LOCAL BANKS, BANKS WHO ARE IN FACT LENDING AND SUPPORTING THE US ECONOMY. IT IS TIME FOR BAC TO GO!!!

SHORT SELL IT NOW. WHILE THE ELECTION IS OVER, YOU CAN VOTE BAC OUT WITH YOUR DOLLARS. EACH ONE OF YOUR DOLLARS IS A VOTE. EVEN IF YOU CAN ONLY AFFORD TO SHORT SELL A FEW DOLLARS OF THE STOCK IT COUNTS.

REMEMBER OBAMA GOT ELECTED BECAUSE MANY OF US SUPPORTED HIM WITH JUST A FEW DOLLARS. VOTE BAC OUT TODAY

[uwinok2003]

Bank of America just raised my rate from 9.99 to 13.99, I never missed a payment or made a late payment and always paid over the due amount. The management of this corp bank is the real traitors and terrorists of this country. Everybody, pay these bastards off, and write to your US Senator and Congressman and
tell them, you will not reelect them unless they make these banks stop ripping off the American people. It's
only going to get worse, unless we stop them now. The greedy rich are rotting this country from within. The banks are the tools of the rich to wipe out the middle class. Wake up America

[swampmudrock]

I faxed them the last fax I will ever fax them today. I have never seen such unprofessional , heartless , incompitent behavior in my life , We started our refinance with Bank of America on January 15th it is now April 28 , they have changed the rules from the beginning , it cost us 450.00 dollars to begin the refinance knowing that if we refused the loan we would not see it again. They have raised the intrest rate lowered our asking payout we can understand that in these times that acceptable , told us we had to have a reserve of 3000.00 dollars in our account , that was an unexpected ball breaker what the hell if I could sit on 3000.00 I would not even bother to refinance, all this after the fact. We have had 4 different loan processors all of them asking us to fax the same information over and over agains , quick spoken messages for information on our answering machine asking for the same loan onfo , when we call bac k we can never get thru to the loan processor we have told them we can take no more 4 months of this hell is all I can take . If they did not hold all my accounts I would not pleep and tell the exactly what I feel. Its not that we do not qualify my wife and I have exellent credit scores we have a thriving floor buisness with 3 Lowes accounts have never missed one payment in 9 years with our Bof A mortgage. How can they sleep at night I do not know. So I have done my last fax game with them , I only wonder where all that personal loan information we have faxed them has ended up , We plan to pull all our 5 accounts out go to the nearest small town bank we can find and never ever look back. I only hope this letter may save someone the uneeded expense and heatache we went thru.