kottke.org - home of fine hypertext products

kottke.org posts about 'bankofamerica'

SiteKey sucks

I've used Bank of America to do my online banking in the past and their SiteKey "technology" always irritated the hell out of me because it led me to believe that Bank of America thought I was:

a) a criminal

and/or:

b) an idiot

instead of:

c) a customer

The basic idea behind SiteKey is that when you log in to your account, you're shown a photo of, say, an orange kitten before you enter your password. The picture is a secret shared between you and the bank, so the theory goes that a phisher who knows nothing about your orange kitten can't show it to you, and you'll know not to type your password into their fake login page. In addition, the site makes you verify your identity with a security question -- like "what's your favorite food?" -- before using the site from a new IP address, which means if you're on a cable or DSL connection, this happens every couple of weeks when your DHCP lease expires and you get a new address...or whenever BofA feels like they should throw up another virtual pane of bulletproof glass between you and your account information. For those who don't fall for phishing scams -- by accessing sites directly through bookmarks or by typing URLs into the location bar -- SiteKey is nothing but an irritant, and there's no way to switch it off.

On Tuesday, Christopher Soghoian and Markus Jakobsson published a clever method by which password phishers could get around SiteKey. It takes advantage of a simple hole in SiteKey's logic: anyone who knows your login name and state of residence can get the bank to show them both your SiteKey image and your challenge questions, no password required. So the phishing site just acts as a relay. It asks you for your login name and state of residence, sends that to the BofA site (via a script running on the phisher's machine), gets back a security question (the phisher's machine is a new IP address, after all), shows you the question, sends your answer to BofA, gets back your correct SiteKey image, shows you that, and then collects your password, all while presenting a nearly seamless Bank of America-like experience. The image is supposed to prove that the site you're looking at is the real bank, but the bank hands it to anyone who supplies two pieces of information that aren't secret, so a phisher can fetch it on demand while you wait. The new-IP challenge question doesn't help either, because the phisher simply passes it along to the one person who knows the answer.
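The relay described above, as an added example that is not part of the original post and not code from Soghoian and Jakobsson or from Bank of America. It models the flow the post describes with a mock bank whose endpoint names, account data and IP addresses are constructed assumptions, and shows that a careful customer who only types a password after seeing the right picture still hands it to the phisher:

```python
"""Relay-phishing simulation of the SiteKey flow described above.

Added illustration, not code from kottke.org, from Soghoian and Jakobsson,
or from Bank of America.  The bank's API (lookup keyed on login name plus
state of residence, a challenge question for an unrecognised client IP,
password checked last) is a hypothetical model of the flow the post
describes, and every account, image name and address below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    login: str
    state: str
    sitekey_image: str           # the "orange kitten" the customer picked
    question: str
    answer: str
    password: str
    known_ips: set = field(default_factory=set)


class MockBank:
    """Server side of SiteKey, as the post describes it."""

    def __init__(self, accounts):
        self._accounts = {a.login: a for a in accounts}

    def sitekey_lookup(self, login, state, client_ip):
        """Step 1: login name + state, no password.  Returns the image for a
        known IP, otherwise the challenge question.  This is the hole: the
        only things gating the 'secret' image are two non-secret values."""
        acct = self._accounts.get(login)
        if acct is None or acct.state != state:
            return ("error", None)
        if client_ip in acct.known_ips:
            return ("image", acct.sitekey_image)
        return ("question", acct.question)

    def answer_challenge(self, login, answer, client_ip):
        """Step 2: a correct answer enrols the client IP and releases the image."""
        acct = self._accounts[login]
        if answer.strip().lower() != acct.answer.lower():
            return ("error", None)
        acct.known_ips.add(client_ip)
        return ("image", acct.sitekey_image)

    def login(self, login, password, client_ip):
        """Step 3: password, only accepted from an enrolled IP."""
        acct = self._accounts[login]
        return client_ip in acct.known_ips and password == acct.password


class Customer:
    """A careful customer: answers the question, and types the password
    only after seeing the right picture."""

    def __init__(self, acct):
        self.acct = acct

    def answer(self, question):
        return self.acct.answer if question == self.acct.question else ""

    def password_for(self, image_shown):
        return self.acct.password if image_shown == self.acct.sitekey_image else None


class PhishingSite:
    """The phisher's page: relays each step to the real bank from its own IP."""

    def __init__(self, bank, own_ip):
        self.bank, self.ip, self.captured = bank, own_ip, []

    def serve(self, victim, login, state):
        kind, payload = self.bank.sitekey_lookup(login, state, self.ip)
        if kind == "question":
            # The bank has never seen the phisher's IP, so it asks the question;
            # the phisher shows it to the victim and relays the answer.
            kind, payload = self.bank.answer_challenge(login, victim.answer(payload), self.ip)
        if kind != "image":
            return None
        password = victim.password_for(payload)   # real kitten, so they type it
        self.captured.append((login, password))
        return payload


def simulate():
    """Run the attack once and report what the phisher ended up with."""
    acct = Account("jkottke", "NY", "orange_kitten.jpg",
                   "What's your favorite food?", "pizza", "correct horse battery",
                   known_ips={"203.0.113.5"})              # customer's home IP (constructed)
    bank = MockBank([acct])
    phisher = PhishingSite(bank, own_ip="198.51.100.7")    # never seen by the bank
    image_shown = phisher.serve(Customer(acct), "jkottke", "NY")
    login, password = phisher.captured[0]
    return {
        "image_shown": image_shown,
        "captured_password": password,
        "phisher_can_log_in": bank.login(login, password, phisher.ip),
    }


if __name__ == "__main__":
    print(simulate())
```

The point the simulation makes is that nothing in the exchange is bound to the machine the customer is actually typing on: every step is keyed on values the customer will happily give to whoever asks, so a live relay gets the same image the real customer would, and answering the challenge question from the phisher's address enrols that address as a trusted one too.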

Hopefully this gaping monster of a security hole will convince BofA that SiteKey not only doesn't work, it isn't even security, and that they'll soon be rid of it.

New feature from Bank of America: Keep the Change. When you use your bank card, you can have your charges rounded up to the nearest dollar and the difference automatically deposited into your savings account. I think this is the first neat thing I've ever seen a bank do. (via coudal)

kottke.org is a weblog about the liberal arts 2.0 edited by Jason Kottke since March 1998. You can read about me and kottke.org here. If you've got questions, concerns, or an interesting link for me, send them along. Here's the kottke.org RSS feed.
