As Internet scams proliferate, Bank of America is rolling out a double-edged system it says will better protect its online banking customers against phishing and spyware.
SiteKey's image and text checks let people know they are on an authentic Bank of America Web site and also verify the identity of the customer, the company said Wednesday. The features will be introduced first in Tennessee next month. They will then be expanded state-by-state to become available nationwide by year's end, said Sanjay Gupta, an electronic commerce executive at Bank of America.
Use of SiteKey will be optional at first, but will be required once the introduction is complete, Gupta said.
"We wanted to not only protect our customers, but give them a way to feel very safe that when they come to BankofAmerica.com that it really is BankofAmerica.com," he said.
The features are designed to combat phishing, spoofing and spyware--three common types of online attacks that are often used together. Phishing scams, which attempt to steal sensitive information such as user names and passwords, typically use fake Web pages "spoofed" to look like legitimate sites belonging to trusted providers. Spyware is malicious software that gets surreptitiously installed on a PC and spies on the user's actions.
In April, Bank of America's account holders were the target of a phishing attempt, according to an example documented by the Anti-Phishing Working Group. Gupta said the financial institution has 13.2 million online customers, the most of any U.S. bank.
When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.
In another feature, SiteKey links the customer's PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions. This should prevent abuse of an account even if attackers obtain the correct login credentials, Gupta said.
Additional PCs, such as an office computer, can be linked to the bank's Web site so a customer doesn't have to keep answering challenge questions.
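The login flow described above, modeled as an added example (not Bank of America's or PassMark's code): a linked PC is shown the enrolled image and phrase, and any other PC is asked one of three challenge questions and is linked after a correct answer. The class, field names, device-token scheme, showing the image after a correct answer, and giving unknown Online IDs the same challenge response as unrecognized PCs are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-process secret (constructed)
QUESTIONS = ["First pet's name?", "Street you grew up on?", "First school?"]  # constructed

def _mac(text):
    return hmac.new(SERVER_KEY, text.encode(), hashlib.sha256).digest()

class SiteKeyService:  # hypothetical name, for illustration only
    def __init__(self):
        self.users = {}  # online_id -> enrollment record

    def _link_device(self, online_id):
        # Issue a random token to the PC; keep only its keyed hash server-side.
        token = secrets.token_urlsafe(16)
        self.users[online_id]["devices"].add(_mac(online_id + ":" + token))
        return token

    def register(self, online_id, image, phrase, answers):
        self.users[online_id] = {"image": image, "phrase": phrase,
                                 "answers": answers, "devices": set()}
        return self._link_device(online_id)  # the registering PC is linked

    def _question_index(self, online_id):
        # Derived from the ID, so an unknown ID always gets the same question too.
        return _mac("q:" + online_id)[0] % len(QUESTIONS)

    def begin_login(self, online_id, device_token=None):
        user = self.users.get(online_id)
        if user and device_token and _mac(online_id + ":" + device_token) in user["devices"]:
            return {"step": "sitekey", "image": user["image"], "phrase": user["phrase"]}
        # Unrecognized PC and unknown Online ID get the same response shape.
        return {"step": "challenge", "question": QUESTIONS[self._question_index(online_id)]}

    def answer_challenge(self, online_id, answer):
        user = self.users.get(online_id)
        # Compare against a random value when the ID is unknown, so both paths do the same work.
        expected = user["answers"][self._question_index(online_id)] if user else secrets.token_hex(8)
        ok = hmac.compare_digest(answer.strip().lower().encode(), expected.lower().encode())
        if user is None or not ok:
            return {"step": "denied"}
        return {"step": "sitekey", "image": user["image"], "phrase": user["phrase"],
                "device_token": self._link_device(online_id)}
```
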
The technology for SiteKey is supplied by PassMark Security of Redwood City, Calif., Bank of America said.
The SiteKey features are valuable in helping maintain the confidence of consumers as they do online banking, said James Van Dyke of Javelin Strategy & Research, which publishes an annual report on identity fraud.
"This is definitely unique among large institutions," he said. "Consumers want increased mechanisms to ensuring safety."
Smaller organizations, in particular the Stanford Federal Credit Union, have preceded Bank of America in adopting more advanced security features, he said.
However, criminals don't stay within one channel, and there have been a number of high-profile data breaches, Van Dyke pointed out.
Recently several banks, including Bank of America, have had to inform tens of thousands of customers that their personal information may be at risk of fraud. The data was allegedly stolen by bank employees and sold to collection agencies by a middleman.
I feel this is a bad idea because it is very easy to confirm whether or not an Online ID is valid for the system.
All someone has to do is randomly submit a string of characters (representing an Online ID) to the system, and if a SiteKey image and message is returned, the system has just confirmed that the Online ID is valid.
Of course, the Challenge Question may be the next line of defense, but I have typically found those types of questions to be trivial and can be easily guessed.
I looked at the explanation on the bank site (www.bankofamerica.com/privacy/passmark) and I think it's confusing. On the one hand they ask me to check I see the correct sitekey before I enter my details; on the other hand they say that if I log in from a diff computer, they will not show me the sitekey but they will ask me for secret "confirmation questions". How can I tell what to expect? How do I remember what computers I already got a sitekey? What if I log in from home, get a sitekey, and then a month later get an email at work, click on it, and get to the bank site. Now I don't see a sitekey. How do I know if it's a scam or not?
Bank of America will not supply an email address or contact for reporting phishing scams...a sophisticated new one arrived today which I have tried to report. If they are not able to stay on top of the latest scams, then how can we trust them with our business???