Nearly 20 million Bank of America users now see a corny picture when they log in to their online banking service: violins, a bridge with swans underneath, chocolate, a tea kettle or mountain vistas, to name a few. Consumers choose this picture -- their SiteKey -- and keep it a secret so they can tell they are at the right site when moving around money.
The images are an anti-phishing measure, designed to stop criminals from creating look-alike Web pages that dupe consumers into divulging critical banking information. After all, phishers who create the fake sites have no way of knowing if you have a kettle or a basket of flowers on your Bank of America page.
Despite its corniness, consumers seem to like the feature, according to a recent survey by security consulting firm Gartner. Unfortunately, it does little to protect consumers' money, according to Avivah Litan, who will publish her findings in an upcoming report obtained by MSNBC.com. In it, Litan writes that the system "fosters consumer confidence but cannot be wholly relied upon to effectively reduce fraud."
Bank of America's enhanced security is being watched closely by analysts and other banks because every financial institution is facing a December 2006 deadline to add new online bank security features. Last year, the Federal Financial Institutions Examination Council -- a group of federal banking regulators -- mandated that user names and passwords were not enough to protect online accounts and called for implementation of stronger security measures.
The recommendation came after years of losses directly related to phishing and online banking. Gartner's survey indicated that Internet data theft was responsible for $2.7 billion in banking losses during 2005.
Litan expects a flurry of activity during the next two months as banks and credit unions rush to comply with the order. Perhaps 20 percent to 30 percent of banks will implement a BofA-style solution, she said. That's why it's important to be clear about what SiteKey can and cannot do.
One year ago, Bank of America started rolling out a host of new security features -- the SiteKey picture is only the most obvious. Bank of America also places a cookie on visitors' computers to perform what's called PC recognition. If a user later tries to log in from an unfamiliar machine, the site asks what are sometimes called "out of wallet" questions, such as "What was your first pet's name?" or "Where were you born?"
The new routine does make life harder for the phisher, Litan said. Even if a consumer falls for a phishing e-mail and gives away their user name and password, that information is no longer enough to steal from the Bank of America online site. Such criminals would attempt to steal from the bank using an unfamiliar computer, and they would then be asked the questions. That means the SiteKey system has raised the bar, Litan said.
"You can't just do a regular phishing attack against a B of A customer," she said. "You can't just collect 10,000 passwords and try them all now."
Criminals can, however, trick consumers into supplying the answers to the questions.
Security professionals call such a ruse a "man-in-the-middle" attack. A criminal sets up a fake site, gets the user to log in, then relays the login to Bank of America. The consumer does not know he or she is working through a middle man.
Later, when the bank asks the hacker one of those tricky questions, the criminal just relays that to the legitimate user. Bank of America's new system does nothing to stop such an attack, Litan said.
"That's why you can't rely on it," she said.
While man-in-the-middle attacks are rare today, hackers are hard at work building tools that simplify them, she said -- much as they built software kits that automated the creation of phishing sites.
"Those kind of attacks are coming," Litan said.
Bank of America spokeswoman Betty Reiss would not say if SiteKey has been successful at slowing fraud, but she said the firm never intended for it to be a fail-safe solution.
"It's part of a multipronged approach," she said. "We never looked at it as a sole solution. There are things we do on our side that we don't go into for security reasons. But we have other security measures in place."
The rollout of SiteKey began last year, but the system wasn't available nationwide until spring, Reiss said. Despite an initial surge in customer-support calls, the new procedure has been well-received by consumers. In Litan's survey of 5,000 customers, 70 percent said SiteKey influenced their decision to do more banking chores online.
Other banks, such as ING Direct, have added challenge questions and PC recognition to their security procedures in recent months.
Those systems are also vulnerable to man-in-the-middle attacks, said Litan.
Other flaws seen
And there are other flaws to these systems, she said. Challenge questions can fluster families sharing a single computer. ("Honey, where did you go to high school?") Some consumers use software that deletes cookies, which foils the Web site's ability to recognize the correct PC. Some questions can be tricky to answer correctly because computers can be too literal -- those who attended St. Patrick High School may enter Saint Patrick High School on a subsequent visit and be denied access.
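One way a site could avoid the "St. Patrick" versus "Saint Patrick" false rejection described above, as an added example that is not part of the original article or of any bank's or RSA's software: normalize challenge answers before hashing them, so common spelling variants compare equal while the server still stores only a salted hash. The abbreviation table is an assumption constructed for this example.

```python
import hashlib
import hmac
import re
import unicodedata

# Abbreviations people expand or contract between enrollment and login.
# Constructed for this example; a real deployment would tune this list.
ABBREVIATIONS = {
    "st": "saint",
    "mt": "mount",
    "ft": "fort",
}


def normalize_answer(answer: str) -> str:
    """Canonicalize a challenge answer so that trivial variations
    ('St. Patrick High School' vs 'saint patrick high-school') compare equal.
    Note that every normalization step shrinks the answer space slightly,
    so keep the rules minimal and deliberate."""
    text = unicodedata.normalize("NFKD", answer)
    # Drop accent marks so 'São' and 'Sao' match.
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower()
    # Punctuation and hyphens become spaces; collapse runs of whitespace below.
    text = re.sub(r"[^a-z0-9\s]", " ", text)
    words = [ABBREVIATIONS.get(w, w) for w in text.split()]
    return " ".join(words)


def enroll_answer(answer: str, salt: bytes) -> bytes:
    """Store only a salted, stretched hash of the normalized answer,
    never the answer itself (answers are as sensitive as passwords)."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000
    )


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so response timing does not leak
    how much of the hash matched."""
    return hmac.compare_digest(enroll_answer(candidate, salt), stored)
```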
Consumers are also subject to denial-of-service attacks that would prevent them from accessing their money. Phishing e-mails that steal a Bank of America customer's user name are still easy to craft. A malicious hacker could then intentionally fail to log in to the user's account three times, after which the system locks out the user.
And the presence of a picture on the correct Bank of America site does nothing to stop consumers from falling for a phishing site with no picture -- unless that consumer is attuned to their kettle or basket of flowers.
Amir Orad, spokesman for RSA Security, which makes the Bank of America SiteKey software, didn't dispute Litan's assertions about the weakness of individual parts of the new security system. But he said Litan was not privy to additional security features the company uses to make the online banking site safe.
"SiteKey as authentication by itself is not enough," he said. "You have to employ layered security. You have to have both the visible and the invisible."
Orad refused to discuss details of these invisible security measures at Bank of America, but he agreed to talk generally about RSA products sold to several banks. For some clients, software detects unusual transactions and instructs a computer to call the consumer connected to the account and ask for verbal confirmation, he said. Credit card users are familiar with such phone calls.
Taken together, SiteKey security and other tools from RSA have had great success limiting fraud, Orad said.
"We have deployments at dozens of banks, and the average is an 80 percent reduction in online fraud," he said. He declined to provide additional details, citing confidentiality agreements with the banks.