Bank of America's SiteKey scrutinized

It's impossible to introduce a security product without having it scrutinized. Bank of America's SiteKey, designed to protect its online banking customers, is no exception.

SiteKey's image and text checks are designed to let people know they are on an authentic Bank of America Web site and also to verify the identity of the customer. The system, announced Thursday, is being introduced state by state and should be nationwide year's end.

Worried that SiteKey may be vulnerable to a so-called man-in-the-middle attack or leak information, readers commented on Thursday's story on the Web site and on Full Disclosure, a security mailing list.

Mark Goines, chief marketer for PassMark Security, supplier of the technology behind SiteKey to Bank of America, said a man-in-the-middle attack is not possible. SiteKey uses a "secure cookie" to link a user's PC to the Bank of America Web site. The cookie can only be read by a server with a specific security certificate and not by a malicious Web site set up by an attacker in such an attack, Goines said.

The other reader concern was that SiteKey would make it easy to confirm whether a user ID is registered with the bank. The service displays a security question selected by the user after entering a valid user name.

That in fact is possible, Goines said. But all the attacker would have is a user name, that alone does not give access to the account, he pointed out. The next step in the sign-on procedure is answering the security question. After that the system will ask the user for his passcode.

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

The WRT1900ACS is Linksys' new best Wi-Fi router to date

CNET editor Dong Ngo compares the new WRT1900ACS and the old WRT1900AC Wi-Fi routers from Linksys. Find out which one is better!

by Dong Ngo