- Related Stories
-
Phishers get personal
May 26, 2005 -
More arrests promised in bank data theft
May 23, 2005
SiteKey's image and text checks let people know they are on an authentic Bank of America Web site and also verify the identity of the customer, the company said Wednesday. The features will be introduced first in Tennessee next month. They will then be expanded state-by-state to become available nationwide by year's end, said Sanjay Gupta, an electronic commerce executive at Bank of America.
Use of SiteKey will be optional at first, but will be required once the introduction is complete, Gupta said.
"We wanted to not only protect our customers, but give them a way to feel very safe that when they come to BankofAmerica.com that it really is BankofAmerica.com," he said.
The features are designed to combat phishing, spoofing and spyware--three common types of online attacks that are often used together. Phishing scams, which attempt to steal sensitive information such as user names and passwords, typically use fake Web pages "spoofed" to look like legitimate sites belonging to trusted providers. Spyware is malicious software that gets surreptitiously installed on a PC and spies on the user's actions.
In April, Bank of America's account holders were the target of a phishing attempt, according to an example documented by the Anti-Phishing Working Group. Gupta said the financial institution has 13.2 million online customers, the most of any U.S. bank.
Have you been phished?
When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.
In another feature, SiteKey links the customer's PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions. This should prevent abuse of an account even if attackers obtain the correct login credentials, Gupta said.
Additional PCs, such as an office computer, can be linked to the bank's Web site so a customer doesn't have to keep answering challenge questions.
The technology for SiteKey is supplied by PassMark Security of Redwood City, Calif., Bank of America said.
The SiteKey features are valuable in helping maintain the confidence of consumers as they do online banking, said James Van Dyke of Javelin Strategy & Research, which publishes an annual report on identity fraud.
"This is definitely unique among large institutions," he said. "Consumers want increased mechanisms to ensuring safety."
Smaller organizations, in particular the Stanford Federal Credit Union, have preceded Bank of America in adopting more advanced security features, he said.
However, criminals don't stay within one channel, and there have been a number of high-profile data breaches, Van Dyke pointed out.
Recently several banks, including Bank of America, have had to inform tens of thousands of customers that their personal information may be at risk of fraud. The data was allegedly stolen by bank employees and sold to collection agencies by a middleman.
See more CNET content tagged:
Bank of America Corp., online banking, cyberscam, phishing, bank
All someone has to do is randomly submit a string of characters (representing an Online ID) to the system, and if a SiteKey image and message is returned, the system has just confirmed that the Online ID is valid.
Of course, the Challenge Question may be the next line of defense, but I have typically found those types of questions to be trivial and can be easily guessed.
on the one hand they ask me to cehck I see the correct sitekey before i enter my details
on the other hand they say that if i login from a diff computer, they will nto show me the sitekey but they will ask me for secret "confirmation questions" questions
how can i tell what to expect?
how do i rememeber what computers i already got a sitekey?
what if i log in from home, get a sitekey, and then a month later get an email at work, click on it, and get to the bank site. now i dont see a sitekey. how do i know if its a scum or not?
- by garyinwintersca November 2, 2009 5:55 PM PST
- Bank of America will not supply an email address or contact for reporting phishing scams...a sophisticated new one arrived today which I have tried to report. If they are not able to stay on top of the latest scams; then how can we trust them with our business???
- Like this Reply to this comment
-
(7 Comments)