May 26, 2005 2:11 PM PDT

Bank of America takes on cyberscams

Related Stories

Phishers get personal

May 26, 2005

More arrests promised in bank data theft

May 23, 2005
As Internet scams proliferate, Bank of America is rolling out a double-edged system it says will better protect its online banking customers against phishing and spyware.

SiteKey's image and text checks let people know they are on an authentic Bank of America Web site and also verify the identity of the customer, the company said Wednesday. The features will be introduced first in Tennessee next month. They will then be expanded state-by-state to become available nationwide by year's end, said Sanjay Gupta, an electronic commerce executive at Bank of America.

Use of SiteKey will be optional at first, but will be required once the introduction is complete, Gupta said.

"We wanted to not only protect our customers, but give them a way to feel very safe that when they come to that it really is," he said.

The features are designed to combat phishing, spoofing and spyware--three common types of online attacks that are often used together. Phishing scams, which attempt to steal sensitive information such as user names and passwords, typically use fake Web pages "spoofed" to look like legitimate sites belonging to trusted providers. Spyware is malicious software that gets surreptitiously installed on a PC and spies on the user's actions.

In April, Bank of America's account holders were the target of a phishing attempt, according to an example documented by the Anti-Phishing Working Group. Gupta said the financial institution has 13.2 million online customers, the most of any U.S. bank.

Related feature
Have you been phished?
Check here to see whether an e-mail that appears to be from your bank or an online merchant is actually an attempt to defraud you.

When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.

In another feature, SiteKey links the customer's PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions. This should prevent abuse of an account even if attackers obtain the correct login credentials, Gupta said.

Additional PCs, such as an office computer, can be linked to the bank's Web site so a customer doesn't have to keep answering challenge questions.

The technology for SiteKey is supplied by PassMark Security of Redwood City, Calif., Bank of America said.

The SiteKey features are valuable in helping maintain the confidence of consumers as they do online banking, said James Van Dyke of Javelin Strategy & Research, which publishes an annual report on identity fraud.

"This is definitely unique among large institutions," he said. "Consumers want increased mechanisms to ensuring safety."

Smaller organizations, in particular the Stanford Federal Credit Union, have preceded Bank of America in adopting more advanced security features, he said.

However, criminals don't stay within one channel, and there have been a number of high-profile data breaches, Van Dyke pointed out.

Recently several banks, including Bank of America, have had to inform tens of thousands of customers that their personal information may be at risk of fraud. The data was allegedly stolen by bank employees and sold to collection agencies by a middleman.


Join the conversation!
Add your comment
Good Idea
I hope it is used elsewhere.
Posted by Andrew J Glina (1673 comments )
Reply Link Flag
Bad Idea
I feel this is a bad idea because it is very easy to confirm whether or not an Online ID is valid for the system.

All someone has to do is randomly submit a string of characters (representing an Online ID) to the system, and if a SiteKey image and message is returned, the system has just confirmed that the Online ID is valid.

Of course, the Challenge Question may be the next line of defense, but I have typically found those types of questions to be trivial and can be easily guessed.
Posted by (1 comment )
Reply Link Flag
Challenge Question
<a class="jive-link-external" href="" target="_newWindow"></a>
Posted by George Cole (314 comments )
Link Flag
A complete review of these countermeasures is here...
<a class="jive-link-external" href="" target="_newWindow"></a>
Posted by directorblue (148 comments )
Reply Link Flag
looks very confusing
i looked at the the explanation on the bank site ( and i think its confusing
on the one hand they ask me to cehck I see the correct sitekey before i enter my details
on the other hand they say that if i login from a diff computer, they will nto show me the sitekey but they will ask me for secret "confirmation questions" questions
how can i tell what to expect?
how do i rememeber what computers i already got a sitekey?
what if i log in from home, get a sitekey, and then a month later get an email at work, click on it, and get to the bank site. now i dont see a sitekey. how do i know if its a scum or not?
Posted by (1 comment )
Reply Link Flag
Yeah, right genious
You are going to guess what I put under the picture of a teddy bear? One in quadrillion chances. LOL.
Posted by WJeansonne (480 comments )
Reply Link Flag
Bank of America will not supply an email address or contact for reporting phishing scams...a sophisticated new one arrived today which I have tried to report. If they are not able to stay on top of the latest scams; then how can we trust them with our business???
Posted by garyinwintersca (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.