Photos to Fight Phishing?
In a bid to stave off phishing attacks, Bank of America is offering a new service that allows online customers to verify that they are indeed at the bank's official site by displaying an image that the customer supplies in advance.
The free service, called SiteKey and developed by Passmark Security of Redwood City, Calif., lets customers pick any image they have, then write a brief phrase and select three "challenge questions." When the customer next visits bankofamerica.com and enters a username, clicking on the SiteKey button displays their chosen image, embedded in the bank's site. Customers are prompted to answer one of the challenge questions if they want to access their account from a different computer.
I wrote about Passmark in a story back in March on the fledgling industry springing up to help banks and e-commerce companies quash phishing scams.
Bank of America says it has the most online banking customers of any bank in the nation -- roughly 13.2 million of them. But that magnitude has also made it an attractive target for phishing attacks. Just last month, the company was the victim of a particularly sneaky exploit that leveraged a design flaw in bankofamerica.com to redirect victims to an identical but fake site operated by scammers waiting to steal login data.
Bank of America spokesperson Betty Riess said the company plans to introduce SiteKey in Tennessee in mid-June, with other states joining the roll-out over the following few months. The service is voluntary, but Riess said the company plans to make it mandatory for all online customers sometime this fall. If so, it would be the first major U.S. bank to require such customers to use something other than a username and password to access their accounts online.
In a related development, security researchers at the University of California at Berkeley are backing a new extension for the Mozilla Firefox Web browser that would do essentially the same thing as SiteKey, except that it would theoretically allow Firefox users to login at multiple secure Web sites with the same image.
Posted by: Robert | May 27, 2005 3:51 PM | Report abuse
Posted by: Katherine | May 27, 2005 4:53 PM | Report abuse
Posted by: Earthquake McGoon | May 31, 2005 10:33 AM | Report abuse
Posted by: bruce | June 1, 2005 10:55 AM | Report abuse
Posted by: Researcher | July 20, 2005 6:54 PM | Report abuse
Posted by: Louie | December 19, 2005 7:24 PM | Report abuse
Posted by: Arlen | December 31, 2005 12:35 PM | Report abuse
Posted by: brent | February 9, 2006 3:59 AM | Report abuse
The comments to this entry are closed.