Want CNET to notify you of price drops and the latest stories?

Bank of America takes on cyberscams

Introduces security features designed to protect online banking customers against phishing, spoofing and spyware.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
As Internet scams proliferate, Bank of America is rolling out a double-edged system it says will better protect its online banking customers against phishing and spyware.

SiteKey's image and text checks let people know they are on an authentic Bank of America Web site and also verify the identity of the customer, the company said Wednesday. The features will be introduced first in Tennessee next month. They will then be expanded state-by-state to become available nationwide by year's end, said Sanjay Gupta, an electronic commerce executive at Bank of America.

Use of SiteKey will be optional at first, but will be required once the introduction is complete, Gupta said.

"We wanted to not only protect our customers, but give them a way to feel very safe that when they come to BankofAmerica.com that it really is BankofAmerica.com," he said.

The features are designed to combat phishing, spoofing and spyware--three common types of online attacks that are often used together. Phishing scams, which attempt to steal sensitive information such as user names and passwords, typically use fake Web pages "spoofed" to look like legitimate sites belonging to trusted providers. Spyware is malicious software that gets surreptitiously installed on a PC and spies on the user's actions.

In April, Bank of America's account holders were the target of a phishing attempt, according to an example documented by the Anti-Phishing Working Group. Gupta said the financial institution has 13.2 million online customers, the most of any U.S. bank.

When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.

In another feature, SiteKey links the customer's PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions. This should prevent abuse of an account even if attackers obtain the correct login credentials, Gupta said.

Additional PCs, such as an office computer, can be linked to the bank's Web site so a customer doesn't have to keep answering challenge questions.

The technology for SiteKey is supplied by PassMark Security of Redwood City, Calif., Bank of America said.

The SiteKey features are valuable in helping maintain the confidence of consumers as they do online banking, said James Van Dyke of Javelin Strategy & Research, which publishes an annual report on identity fraud.

"This is definitely unique among large institutions," he said. "Consumers want increased mechanisms to ensuring safety."

Smaller organizations, in particular the Stanford Federal Credit Union, have preceded Bank of America in adopting more advanced security features, he said.

However, criminals don't stay within one channel, and there have been a number of high-profile data breaches, Van Dyke pointed out.

Recently several banks, including Bank of America, have had to inform tens of thousands of customers that their personal information may be at risk of fraud. The data was allegedly stolen by bank employees and sold to collection agencies by a middleman.