• Is that picture keeping your money safer?

    Nearly 20 million Bank of America users now see a corny picture when they log in to their online banking service: violins, a bridge with swans underneath, chocolate, a tea kettle or mountain vistas, to name a few. Consumers choose this picture – their SiteKey -- and keep it a secret so they can tell they are at the right site when moving around money.

    The images are an anti-phishing measure, designed to stop criminals from creating look-alike Web pages that dupe consumers into divulging critical banking information. After all, phishers who create the fake sites have no way of knowing if you have a kettle or a basket of flowers on your Bank of America page.

    Despite its corniness, consumers seem to like the feature, according to a recent survey by security consulting firm Gartner. Unfortunately, it does little to protect consumers' money, according to Avivah Litan, who will publish her findings in an upcoming report obtained by MSNBC.com. In it, Litan writes that the system "fosters consumer confidence but cannot be wholly relied upon to effectively reduce fraud."

    Bank of America's enhanced security is being watched closely by analysts and other banks because every financial institution is facing a December 2006 deadline to add new online bank security features. Last year, the Federal Financial Institutions Examination Council – a group of federal banking regulators -- mandated that user names and passwords were not enough to protect online accounts and called for implementation of stronger security measures.

    The recommendation came after years of losses directly related to phishing and online banking. Gartner's survey indicated that Internet data theft was responsible for $2.7 billion in banking losses during 2005.

    Litan expects a flurry of activity during the next two months as banks and credit unions rush to comply with the order. Perhaps 20 percent to 30 percent of banks will implement a BofA-style solution, she said. That's why it's important to be clear about what SiteKey can and cannot do.

    One year ago, Bank of America started rolling out a host of new security features -- the SiteKey picture is only the most obvious. Bank of America also places a cookie on visitors' computers to perform what's called PC recognition. If a user later tries to log in from an unfamiliar machine, the site asks what are sometimes called "out of wallet" questions, such as "What was your first pet's name?" or "Where were you born?"

    The new routine does make life harder for the phisher, Litan said. Even if a consumer falls for a phishing e-mail and gives away their user name and password, that information is no longer enough to steal from the Bank of America online site. Such criminals would attempt to steal from the bank using an unfamiliar computer, and they would then be asked the questions. That means the SiteKey system has raised the bar, Litan said.

    "You can't just do a regular phishing attack against a B of A customer," she said. "You can't just collect 10,000 passwords and try them all now."

    Criminals can, however, trick consumers into supplying the answers to the questions.

    'Man-in-the-middle' attack

    Security professionals call such a ruse a "man-in-the-middle" attack. A criminal sets up a fake site, gets the user to log in, then relays the login to Bank of America. The consumer does not know he or she is working through a middle man.

    Later, when the bank asks the hacker one of those tricky questions, the criminal just relays that to the legitimate user. Bank of America's new system does nothing to stop such an attack, Litan said.

    "That's why you can't rely on it," she said.

    While man-in-the-middle attacks are rare today, hackers are hard at work building tools that simplify them, she said -- much as they built software kits that automated the creation of phishing sites.

    "Those kind of attacks are coming," Litan said.

    Bank of America spokeswoman Betty Reiss would not say if SiteKey has been successful at slowing fraud, but she said the firm never intended for it to be a fail-safe solution.

    "It's part of a multipronged approach," she said. "We never looked at it as a sole solution. There are things we do on our side that we don't go into for security reasons. But we have other security measures in place."

    The rollout of SiteKey began last year, but the system wasn't available nationwide until spring, Reiss said. Despite an initial surge in customer-support calls, the new procedure has been well-received by consumers. In Litan's survey of 5,000 customers, 70 percent said SiteKey influenced their decision to do more banking chores online.

    Other banks, such as ING Direct, have added challenge questions and PC recognition to their security procedures in recent months.

    Those systems are also vulnerable to man-in-the-middle attacks, said Litan.

    Other flaws seen

    And there are other flaws to these systems, she said. Challenge questions can fluster families sharing a single computer. ("Honey, where did you go to high school?") Some consumers use software that deletes cookies, which foils the Web site's ability to recognize the correct PC. Some questions can be tricky to answer correctly because computers can be too literal -- those who attended St. Patrick High School may enter Saint Patrick High School on a subsequent visit and be denied access.

    Consumers are also subject to denial-of-service attacks that would prevent them from accessing their money. Phishing e-mails that steal a Bank of America customer's user name are still easy to craft. A malicious hacker could then intentionally fail to log in to the user's account three times, after which the system locks out the user.

    And the presence of a picture on the correct Bank of America site does nothing to stop consumers from falling for a phishing site with no picture -- unless that consumer is attuned to their kettle or basket of flowers.

    Amir Orad, spokesman for RSA Security, which makes the Bank of America SiteKey software, didn't dispute Litan's assertions about the weakness of individual parts of the new security system. But he said Litan was not privy to additional security features the company uses to make the online banking site safe.

    "SiteKey as authentication by itself is not enough," he said. "You have to employ layered security. You have to have both the visible and the invisible."

    Orad refused to discuss details of these invisible security measures at Bank of America, but he agreed to talk generally about RSA products sold to several banks. For some clients, software detects unusual transactions and instructs a computer to call the consumer connected to the account and ask for verbal confirmation, he said. Credit card users are familiar with such phone calls.

    Taken together, SiteKey security and other tools from RSA have had great success limiting fraud, Orad said.

    "We have deployments at dozens of banks, and the average is an 80 percent reduction in online fraud," he said. He declined to provide additional details, citing confidentiality agreements with the banks.

  • Web site 'outs' fine print

    There's small print, there's fine print, and then there's mouseprint.

    Until a few weeks ago, I had never heard the term mouseprint. Silly me. It's standard terminology in the marketing world. The name says it all. Mouseprint is legalese so small that it can only be read by someone the size of a mouse. Since English-speaking mice really are quite rare, you have to wonder how companies get away with it.

    Now, there's a new Web site that's going to help you fight back. Consider it a magnifying glass for mouseprint.

    I'm sure you've noticed this disturbing trend in marketing: The inverse relationship between the importance of the information and the size of the font used.

    "Online trades as low as $9.95*" the advertisement screams. "With account balances of $1 million or more," it whispers. I call the asterisk the 27th letter of the American alphabet, it's become so common.

    I blame technology. Without laser printers capable of rendering print that's half-point size or smaller, mouse print would be impossible. We'd be stuck with, at worst, cat print or perhaps kitten print.

    Alas, technology is hard to stop. Impressively, Xerox just announced printing technology so advanced it can render characters on paper that are 1/100th of an inch. The technology is supposed to be used to prevent counterfeiting, but imagine the fun marketing companies will have with it! Even literate mice won't be able to help you with what might be called nano-print.

    Perhaps its invention explains a disturbing trend that I call a "widowed asterisk." The asterisk appears next to the big words with the big claims, but the companion fine print somehow never gets into the ad. I had assumed it was a convenient printing error, but perhaps this new nano-print is the culprit.

    A mouseprint magnifying glass

    The small print landscape does look bleak for consumers, but take heart. Someone has invented a mouseprint magnifying glass.

    Tireless consumer advocate Edgar Dworsky recently launched a new Web site named Mouseprint.org, where he's taking on the ever-more-absurd claims and disclaimers in the world of advertising.

    If it weren't so sad, Mouseprint.org would be a laugh-riot.

    Here's a taste: New England-area car dealers have taken to advertising new car prices so low you'd think Detroit was in the middle of some kind of financial crisis. A brand-new $21,000 car, for example, was recently listed in an ad for $9,500. How can they do that? Is it aggressive employee pricing? Some fabulous new rebate program?

    Nope. The price assumes a $7,500 down payment on the car. Consider it a rebate, only you have to pay it.

    This one's a bit tricky, so let me explain by example. Let's say you go to the store to buy a gallon of milk. You expect it to cost $3, but the sign on the shelf says $2. This, you figure, is your lucky day. But when you get to the checkout counter, the cashier asks you for a dollar before ringing up your purchase.

    "You have to pay $1 to get the $2 price," she explains.

    Is that clear? If it's not, you'd better catch on quick. Down-payment-reduced-pricing labels are all the rage around Boston, where Dworsky lives. Advertising is a game of copycat, so as soon as one retailer gets away with some crazy new scheme, the others follow suit. Who wants to be the last dealer advertising the actual price people will pay for a car?

    Dworsky's site is full of such gems: The online broker's claim that trades cost under $10 when the offer is actually limited to millionaires. Or the car manufacturer's purchase satisfaction program, which allows consumers to return a new car within 30 days but charges fees that add up to $2,000 or more. Or the bank credit card that promises rebates of up to $250 each year – 3 cents at a time. Only customers who make 8,333 separate purchases every year (that's 22.8 purchases every day of the year, including Christmas) can qualify for the maximum.

    Dworsky spent nearly a decade working in the Massachusetts attorney general's office chasing down false advertising, so he knows the games advertisers play inside and out.

    But it's sad a site like Mouseprint.org is necessary. After all, aren't there government agencies charged with enforcing truth in advertising rules?

    Not really.

    'No one is watching'

    "Clearly, no one is watching," Dworsky said. "It's not like they are suing anyone or collecting fines."

    Dworsky notes that the Federal Trade Commission is charged with bringing national cases against misleading marketers, but only brings a handful of cases each year. Most state attorney general offices have marketing specialists in their office of consumer affairs, but their vigilance varies by state and most will only act on consumer complaints. The Better Business Bureau has a national advertising bureau, but its work generally consists of participating companies tattling on each other.

    Of course, there is no such thing as prescreening of advertisements for fairness and accuracy. And you wouldn't want that -- it would stifle free speech. On the other hand, every schoolchild knows free speech is not an absolute right. You can't scream "Fire!" in a crowded theater, and companies have no right to deceptive free speech.

    You would imagine there are government officials out there who see the world like you and I do, who spot these obvious transgressions and do something about it before consumers get hurt. Some state offices do just that, Dworsky says.

    "If I saw a problem, I would call up the director of advertising at a retailer and say, 'What's this claim?' 'Do you have substantiation?' I knew most of them by name," he said. There are still some states that proactively monitor ads, he said, but not nearly enough. For proof of that, simply open a newspaper or watch television. It seems that, in the world of advertising, just about anything goes.

    There is something consumers can do about this sorry state of affairs, however.

    Complain.

    Complaining to your state attorney general's office may be far more effective than you realize. No government agency will act on a single complaint. But you'd be surprised how few complaints can get the attention of your state's top cop.

    "We had a list we called the 'Five or more' list," Dworsky said. "If there were more than five complaints against a company, it made the list," he said. That didn't always lead to legal action, but the list did get the attention of the consumer practices people. Often, a simple phone call from the attorney general's office can work wonders. It can also stop copycats before they start.

    Dworsky's site now offers consumers a second place to complain. If you can't get your state's office to act against a misleading advertiser, you can at least embarrass the marketer by forwarding the small print to Dworsky's site. You'll get some satisfaction, and perhaps you'll keep another consumer from biting the cheese in one of those mouseprint traps.

  • Help wanted: Take MSNBC.com privacy survey

    For nearly two years, Americans have been inundated with stories about lost and stolen data. Company after company, organization after organization has been forced to apologize to consumers. Some estimates say 90 million Americans have been warned that their personal information has been placed at risk.

    At the same time, our federal government has initiated numerous security projects that some consider a threat to personal privacy. Federal agents have mined massive databases of telephone calls, looking for patterns that might reveal terrorists at work. International phone calls have been monitored. There have even been projects designed to mine vast commercial databases -- lists of credit card purchases, for example -- to spot potential plots.

    The common thread among these topics is personal privacy. To be sure, privacy is an elusive topic. But with a privacy survey we are launching today, we hope to bring the topic into sharper focus.

    In other surveys, the majority of Americans say they are very concerned about their privacy. But when asked, many have difficulty defining privacy.

    And there is ample evidence that for many people, their words and actions conflict. Consumers readily trade their privacy for small discounts at grocery stores, for example. Privacy economist Alessandro Acquisti, a professor at Carnegie Mellon University, has performed repeated studies showing U.S. consumers will readily trade personal information for as little as a 50-cent coupon.

    Another privacy researcher, Larry Ponemon of The Ponemon Institute, has found that only about 7 percent of U.S. citizens care enough about their privacy to actually change their behavior -- to shop only at grocery stores without loyalty card programs or forgo the discounts offered by signing up for EZPass electronic toll collection.

    With corporate databases of personal information growing ever larger, and security concerns weighing ever more, a robust national conversation about privacy seems more essential than ever. At MSNBC.com, we are beginning a special project that will explore the fundamental issues in the privacy debate. And with your permission and participation, we also will share our readers' opinions on the topic.

    The project starts today, with the launch of our privacy survey, developed in consultation with Ponemon. We ask that you take 10 minutes to complete the questionnaire, which includes about 20 multiple choice questions and two open-ended questions. Then next month, we'll report back to you with our findings.

    Please take a moment now to complete the survey. Naturally, we will not be able to deliver the final word on the subject of privacy. But with any luck, and with your help, we'll be able to advance the dialogue on this critical subject at this crucial time in our nation's history.


  • Don't fall for FreeCreditReport.com

    You know the jingle if you've ever watched late-night television: "Free ... Credit Report DOT com."

    What you might not know is this: There's nothing free about FreeCreditReport.com. Like so many other come-ons you hear on late-night TV, you just can't trust that word "free."

    I'll explain the Web site's misleading advertisements in a moment, but first, here's what you really need to know: When you want to see your credit report, you want to use AnnualCreditReport.com. There, you can actually get your credit report for free. Congress gave you the right to see your report every year for free, so there's no reason to visit any pay sites – like FreeCreditReport.com – to plunk down money for it.

    In fact, this month marks the one-year anniversary of the liberation of your credit report by Congress. In September 2005, every consumer in America was granted the right to obtain a free copy of his or her credit report every year.

    If you obtained your free credit report at this time last year, here's a reminder that you can get a fresh version now at AnnualCreditReport.com.

    Also one year ago, credit bureau Experian was also slapped on the wrist by the Federal Trade Commission for misleading consumers at its FreeCreditReport.com Web site. The FTC said Experian didn't make clear to consumers that they would be charged $79 for an annual subscription after they signed up at FreeCreditReport.com.

    What the FTC didn't say (but was abundantly clear to anyone with a brain) was that FreeCreditReport.com and Experian were benefiting from confusion over news stories telling consumers they were entitled to a free copy of their credit report every year. And the site was designed to add to the confusion.

    While not admitting wrongdoing, Experian agreed last August to give consumers refunds and make the terms of its product clearer. One year later, how is the company doing? The television ads are as misleading as ever. On the other hand, the Web site itself is improved, with a disclaimer featured fairly prominently. But it would be a stretch to say the terms are clear, the price is clear and consumers are being treated fairly.

    Given all the confusion, and the legal action, it's amazing that FreeCreditReport.com is allowed to continue operating. I know it continues to cause mix-ups. Earlier this year, during the hubbub about the missing Veterans Administration laptop, I heard experts testifying before Congress point to the wrong site by accident. In April, an ID theft expert speaking to students in Tacoma, Wash., pointed the teenagers to the wrong site, and was quoted in the local Tacoma News Tribune. The newspaper was flooded with complaints. Here's what those readers were complaining about:

    The television ad
    "I'm thinking of a number ...," the smiling host says in one version of the FreeCreditReport.com television advertisement. He sits director-style on a chair, then brags about how high his number is -- his credit score -- and how much money it saves him when he gets a new car loan or mortgage. Nothing misleading there: A good credit score is good for you.

    But the advertisement shows the word free repeatedly, and the host says it. There is no indication of any cost. In fact, during the 30-second spot there is only one indication that there is a catch: a disclaimer, read at lightning-fast speed, in the commercial's final seconds as it fades to black.

    "Free credit report requires enrollment in Triple Advantage."

    The disclaimer is so short that I've seen occasions when it is cut off by a returning television program. But even when it plays in full, notice what isn't there: Any indication that FreeCreditReport.com costs money.

    The Web site
    The good news is consumers who are misled by the ads will encounter a relatively prominent warning when they go to the FreeCreditReport.com Web site to sign up:

    "When you order your free report here, you will begin your free trial membership in Triple Advantage℠ Credit Monitoring," it says. "If you don't cancel your membership within the 30-day trial period, you will be billed $12.95 for each month that you continue your membership."

    The site also includes a link to the genuinely free site, AnnualCreditReport.com.

    But even with that disclaimer, Experian's Web site is still designed to mislead. The disclaimer is written in small, light blue type on a dark blue background – hardly the choice of someone designing for clarity. And the print is understated compared to the huge "Get Yours Now" button on a white background in the center of the site. Once consumers click there, the chance to see the disclaimer is gone.

    And even in the disclaimer -- right next to the link to the real free credit report site -- there is yet another link that says "Get your free credit report and credit score," which is a link to the form consumers fill out to buy the paid service. Click on that second link by accident and you find yourself stuck on the toll road instead of the free highway.

    I could go on; but suffice to say that Experian's effort to comply with the FTC ruling looks like a minimal-effort homework assignment done by the most reluctant student in class, only after he was sent home with notes to his parents, then given a bad grade, then threatened with expulsion. It's just enough to keep the kid in school, but certainly not enough to earn a passing grade.

    Millions have obtained their free credit report
    Straightening out the free credit report mess is important. Millions of Americans are now aware that they must keep track of their credit report and score. New research from consulting firm Gartner indicates that nearly 50 million Americans say they've signed up for their free credit report, and that about another 40 million plan to. Those polled didn't indicate if they had used AnnualCreditReport.com or FreeCreditReport.com – or some other site -- to obtain their reports.

    Researcher Avivah Litan, who derived the numbers from a recent poll, said that about 70 percent of American adults are aware of their right to obtain a free copy of their credit report, an incredibly high awareness rating. In fact, you'd have to call the marketing efforts around free credit reports a great success story.

    Now, if we could just make sure all those people are going to the right site.

    Have you noticed any other free products or services that aren't really free?

  • HP story reveals dark world of phone records

    Let's get one thing straight, once and for all: Looking at someone else's telephone records without permission is wrong. And illegal.

    It is shocking that this basic, obvious conclusion has repeatedly escaped companies, debt collectors, law enforcement officials and, now, one of America's biggest and most respected companies. The story of Hewlett Packard's boardroom intrigue, which includes spying on directors' phone records, is a window into a dirty world that should have been cleaned up long ago.

    To recap, HP Chairwoman Patricia Dunn was frustrated by leaks coming from another board member, evidenced by anonymous comments that were included in a story published by CNET.com back in January. To find the leaker, she ordered a secret review of board members' private telephone records. The company hired an outside investigative firm to obtain the records, which it did by using a method called "pretexting." Then, word came that investigators working for HP also obtained reporters' private phone records.

    All last week, the story spun wider, with the California state attorney general, the U.S. Justice Department, and Congress all indicating they were investigating. Then on Tuesday, Dunn said she would step down as chairwoman early next year, and apologized for the incident. She indicated she would remain on the company's board of directors.

    Dunn's resignation is hardly the end of the affair, however. That will only come when all of corporate America and all of the investigative underground comes to the basic realization that pretending to be someone else to obtain their private information is criminal identity theft.

    Reading HP's official explanation for the incident, filed last week with the Securities and Exchange Commission, it's clear that message has not gotten through. The reasoning in the filing is abominable. Let me boil it down for you; parents will recognize the excuse.

    "But he said it was OK."

    The twisted logic used to justify phone record theft shows why this decade-long attack on personal privacy, this dirty trick, remains so common after years of congressional hearings, dozens of attempts at legislation and a lot of public embarrassment.

    By now, you've probably read several stories about "pretexting." Private investigators impersonate consumers and trick customer service representatives into divulging calling records and other personal information. The calls are placed using a false pretext -- hence the name.

    Pretext callers become masters of disguise. Many know how to sound like a young woman, or an old man, in order to fool corporate answer desks. Sometimes, the trick is even easier. They just sign up for online billing access at a Web site. Often, all you need is a name and part of a Social Security Number.

    Somehow, people who do this have become convinced that it might not be illegal. Clearly, HP was. Here's what its SEC filing said:

    "After its review, the (Nominating and Governance) Committee determined that the third party retained by HP's outside consulting firm had in some cases employed pretexting. The committee was then advised by the committee's outside counsel that the use of pretexting at the time of the investigation was not generally unlawful (except with respect to financial institutions)."

    I love the phrase "not generally unlawful." I will use that the next time I am pulled over for speeding.

    Having written about pretexting for some five years, I know how these things go. Back when the inquisition began, someone at HP turned to a PI, who said he could get telephone records that would enable management to find out who had been talking to reporters. At some point, someone with a smidge of ethics asked, "But how do you get them?" and the investigator answered, "from publicly available sources." The conversation ended there.

    Someone with a lot of ethics, however, wouldn't stand for that. Board member Tom Perkins resigned in May when he learned of the tactics used to obtain his phone records. His appeal to AT&T for information regarding anyone who looked at his phone records, and AT&T's response, are fascinating reading -- courtesy of The Smoking Gun.

    But one has to wonder why he was the only one to stand up at that moment. Kudos to Perkins; shame on everyone else in the room.

    Consumers can sometimes be fooled into thinking that pretexting isn't specifically illegal -- that perhaps somewhere there is a legal public source for phone record data -- but the timing of this incident is important. The investigation occurred between January and May of this year. Throughout that time, there were numerous news stories in all the national newspapers and on the TV networks about Congress investigating the very behavior HP paid for. In December, a blogger had purchased Democratic presidential candidate Gen. Wesley Clark's cell phone records, starting a firestorm of news coverage. Nearly a dozen bills were introduced in Congress this spring to deal with the problem. A congressional inquiry uncovered embarrassing evidence that law enforcement officials had purchased records from Web brokers using pretext methods.

    All that news makes it impossible to argue that directors at a high-tech firm would have no grasp of the fundamental issues at play.

    As for the legal vagaries, there really aren't any. Lying about who you are to get access to computer records is a crime. It's hardly new; it's called social engineering in computer hacker circles. It may be clever, but it's wrong, and it's against the law. Hackers like Kevin Mitnick have been sent to jail for social engineering.

    Viet Dinh, a former Bush administration Justice Department official, who has been retained as an attorney by Perkins, said HP's "we didn't know" defense is hard to believe.

    "I think the prevalence of third party information often dupes an unwitting consumer to think that pretexted records are legal," he said. "But it is hard to see how HP could be unwitting here, when the company's chairwoman apparently custom ordered the fraud. Whether one analogizes the conduct to receiving stolen property or ordering a hit, it is still illegal."

    Specifically, Dinh said he felt pretexting also ran afoul of the nation's Computer Fraud and Abuse Act, which makes computer hacking illegal.

    "A pretext to obtain records stored on a computer is unauthorized access to that computer, so I think it fits squarely within both the colloquial and legal definition of hacking," he said.

    A criminal investigation into HP's pretexting has been opened, according to the California attorney general's office. Robert Morgester, deputy attorney general in California, said he couldn't discuss the case. But he agreed that pretexting is clearly illegal.

    "If an individual was able to trick their way into a secure network ... through impersonation ... that's hacking by social engineering," he said. "The general rule of thumb is if you are getting into somebody else's network, you are committing a variety of crimes."

    Morgester said pretexting could run afoul of two state laws: California's identity theft statutes, which make it illegal to use someone else's personal information to commit a crime, and the state's computer crime laws, which make unauthorized access to databases illegal.

    The continued debate about pretexting's legality frustrates Rob Douglas, who operates PrivacyToday.com. Douglas has testified about a dozen times before Congress since 1998 about the problem of pretexting.

    "I have absolutely no doubt that this is far more common than anyone wants to believe," Douglas said.

    If there was any doubt about that, consider this: The California attorney general's office tells me it is currently investigating six "major" pretexting cases akin to the HP case. And if there's any doubt about the fragility of your personal information and the willingness of companies to abuse it, this story should relieve you of that doubt. If it can happen to a board member at HP, it can happen to you.