Bank Of America Offers Authentication Plan To Battle Online Scams
The new service relies on two-way authentication to battle thieves who try to steal information by posing as a bank's legitimate site.
Bank of America Corp. on Thursday unveiled a free online authentication service, SiteKey, designed to thwart some of today's Internet scams, including ones in which customers think they're entering data on a bank's site but are actually on a thief's site built to steal data.
The service verifies the authenticity of both a customer's identity and the bank's Web-site address. The service will launch in Tennessee in mid-June and will be rolled out across the country by year's end and required for all accounts.
The system, which was developed in collaboration with security software vendor PassMark Security Inc., relies on a form of security known as two-factor authentication, in which access is granted based on something customers have (in this case, a particular computer) and something they know (a password). When enrolling for the SiteKey service, customers select an image from a library of images, write a brief phrase, and select three challenge questions. Thereafter, whenever they attempt to sign on to online banking, the image and phrase are displayed on their screen--indicating that the bank recognizes their computer, and telling the customer the site is really the bank's. They then enter their password and proceed as normal.
If customers wish to sign on from a computer other than the one they used when enrolling in SiteKey, they must first answer one of the challenge questions before being allowed to enter their password. They're then given the option of authorizing that computer to be recognized by SiteKey in the future.
The image and challenge questions provide assurance that the customer is indeed on the bank's site, not on some phony Web site, which customers can end up on by clicking on a fake E-mail sent to look like a bank's. (The scam is referred to as phishing.) Even if a customer's ID and password were stolen, the thief would still need to know the answers to the challenge questions.
"With SiteKey, we are taking an extra step to provide peace of mind for our 13.2 million online banking customers," says Sanjay Gupta, an E-commerce executive at Bank of America.
The system removes some of the economies of scale from phishing attacks, in which thieves send out millions of spam E-mails in hopes of harvesting IDs and passwords. "The business model of phishing is it's a numbers game," says Gupta. With SiteKey, "they would need to have your image as well as your ID and password."
The SiteKey service is "unique and very effective," says TowerGroup analyst George Tubin. A number of banks have adopted other approaches to combat spoofing and phishing, such as offering customers toolbars that detect whether a Web site is authentic.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.