Bank of America Corp. on Thursday unveiled a free online authentication service, SiteKey, designed to thwart some of today's Internet scams, including ones in which customers think they're entering data on a bank's site but are actually on a thief's site built to steal data.
The service verifies the authenticity of both a customer's identity and the bank's Web-site address. The service will launch in Tennessee in mid-June and will be rolled out across the country by year's end and required for all accounts.
The system, which was developed in collaboration with security software vendor PassMark Security Inc., relies on a form of security known as two-factor authentication, in which access is granted based on something customers have (in this case, a particular computer) and something they know (a password). When enrolling for the SiteKey service, customers select an image from a library of images, write a brief phrase, and select three challenge questions. Thereafter, whenever they attempt to sign on to online banking, the image and phrase are displayed on their screen--indicating that the bank recognizes their computer, and telling the customer the site is really the bank's. They then enter their password and proceed as normal.
If customers wish to sign on from a computer other than the one they used when enrolling in SiteKey, they must first answer one of the challenge questions before being allowed to enter their password. They're then given the option of authorizing that computer to be recognized by SiteKey in the future.
The image and challenge questions provide assurance that the customer is indeed on the bank's site, not on some phony Web site, which customers can end up on by clicking on a fake E-mail sent to look like a bank's. (The scam is referred to as phishing.) Even if a customer's ID and password were stolen, the thief would still need to know the answers to the challenge questions.
"With SiteKey, we are taking an extra step to provide peace of mind for our 13.2 million online banking customers," says Sanjay Gupta, an E-commerce executive at Bank of America.
The system removes some of the economies of scale from phishing attacks, in which thieves send out millions of spam E-mails in hopes of harvesting IDs and passwords. "The business model of phishing is it's a numbers game," says Gupta. With SiteKey, "they would need to have your image as well as your ID and password."
The SiteKey service is "unique and very effective," says TowerGroup analyst George Tubin. A number of banks have adopted other approaches to combat spoofing and phishing, such as offering customers toolbars that detect whether a Web site is authentic.