Bank of America's SiteKey scrutinized

It's impossible to introduce a security product without having it scrutinized. Bank of America's SiteKey, designed to protect its online banking customers, is no exception.

SiteKey's image and text checks are designed to let people know they are on an authentic Bank of America Web site and also to verify the identity of the customer. The system, announced Thursday, is being introduced state by state and should be nationwide year's end.

Worried that SiteKey may be vulnerable to a so-called man-in-the-middle attack or leak information, readers commented on Thursday's story on the Web site and on Full Disclosure, a security mailing list.

Mark Goines, chief marketer for PassMark Security, supplier of the technology behind SiteKey to Bank of America, said a man-in-the-middle attack is not possible. SiteKey uses a "secure cookie" to link a user's PC to the Bank of America Web site. The cookie can only be read by a server with a specific security certificate and not by a malicious Web site set up by an attacker in such an attack, Goines said.

The other reader concern was that SiteKey would make it easy to confirm whether a user ID is registered with the bank. The service displays a security question selected by the user after entering a valid user name.

That in fact is possible, Goines said. But all the attacker would have is a user name, that alone does not give access to the account, he pointed out. The next step in the sign-on procedure is answering the security question. After that the system will ask the user for his passcode.