Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, May 26, 2005

Bank of America takes on cyberscams

As Internet scams proliferate, Bank of America is rolling out a double-edged system it says will better protect its online banking customers against phishing and spyware.

SiteKey’s image and text checks let people know they are on an authentic Bank of America Web site and also verify the identity of the customer, the company said Wednesday.  The features will be introduced first in Tennessee next month.

They will then be expanded state-by-state to become available nationwide by year’s end, said Sanjay Gupta, an electronic commerce executive at Bank of America.  Use of SiteKey will be optional at first, but will be required once the introduction is complete, Gupta said.  “We wanted to not only protect our customers, but give them a way to feel very safe that when they come to that it really is,” he said.

The features are designed to combat phishing, spoofing and spyware—three common types of online attacks that are often used together.  Phishing scams, which attempt to steal sensitive information such as user names and passwords, typically use fake Web pages “spoofed” to look like legitimate sites belonging to trusted providers.  Spyware is malicious software that gets surreptitiously installed on a PC and spies on the user’s actions.

In April, Bank of America’s account holders were the target of a phishing attempt, according to an example documented by the Anti-Phishing Working Group.  Gupta said the financial institution has 13.2 million online customers, the most of any U.S. bank.

When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account.  When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said.  This verifies that the user is in fact on the real Bank of America Web site, he said.

In another feature, SiteKey links the customer’s PC to the online banking service.  If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions.  This should prevent abuse of an account even if attackers obtain the correct login credentials, Gupta said.  Additional PCs, such as an office computer, can be linked to the bank’s Web site so a customer doesn’t have to keep answering challenge questions.

The technology for SiteKey is supplied by PassMark Security of Redwood City, Calif., Bank of America said.  The SiteKey features are valuable in helping maintain the confidence of consumers as they do online banking, said James Van Dyke of Javelin Strategy & Research, which publishes an annual report on identity fraud.  “This is definitely unique among large institutions,” he said.  “Consumers want increased mechanisms to ensuring safety.”

Smaller organizations, in particular the Stanford Federal Credit Union, have preceded Bank of America in adopting more advanced security features, he said.

Posted on 05/26