According to a demonstration by Chris Soghoian over at CNet, Bank of America’s “SiteKey” picture authentication feature can be spoofed by phishers and is, basically, worthless.
We know worthless is a strong word, but when paired with statistics showing that most customers don’t even pay attention to the feature, things are looking pretty bleak for B of A. (A study found that 58 of 60 consumers fell for an obviously fake B of A website.)
Chris explains that SiteKey is vulnerable to “man-in-the-middle” attacks in which the phisher’s look-alike site contacts Bank of America’s real site on the victim’s behalf and relays what it gets back (the SiteKey image) to the target.
This news came to our attention back in April, but now Chris is wondering (as we did) why Bank of America is (still) telling its customers that SiteKey is “certain” to work. Bank of America’s website says that “you can be certain you’re at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site.” Are they simply lying to their customers?
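To make the relay problem concrete, here is a toy model (added here, not code from CNet, Chris Soghoian or Bank of America; all names, images and the bank’s internals are constructed) of why a picture the bank hands out on a username alone cannot tell a customer which site they are on, while the browser’s origin can:

```python
"""Toy model of the SiteKey relay described above (constructed example).

Nothing here talks to a real site; the bank, customers and images are made up.
"""
from dataclasses import dataclass

# The bank's records: each customer picked a secret picture.  Constructed sample data.
BANK_SITEKEYS = {"alice": "red_bicycle.png", "bob": "lighthouse.png"}
BANK_ORIGIN = "https://www.bankofamerica.com"   # the genuine origin in this model


@dataclass
class Page:
    """What the customer's browser ends up showing: an origin and a SiteKey image."""
    origin: str
    sitekey_image: str


def bank_sitekey_lookup(username: str) -> str:
    """Step one of the login flow: the bank reveals the picture for a username.
    The only input is the username, which is not a secret."""
    return BANK_SITEKEYS[username]


def genuine_login_page(username: str) -> Page:
    """The real second page: served from the bank's own origin."""
    return Page(BANK_ORIGIN, bank_sitekey_lookup(username))


def relayed_login_page(username: str, fake_origin: str) -> Page:
    """The man-in-the-middle step: a look-alike site asks the real bank for the
    picture and shows the identical image on its own page."""
    return Page(fake_origin, bank_sitekey_lookup(username))


def sitekey_check(page: Page, expected_image: str) -> bool:
    """What SiteKey asks the customer to do: 'is this my picture?'"""
    return page.sitekey_image == expected_image


def origin_check(page: Page) -> bool:
    """The check that actually separates the two sites: the address-bar origin,
    which a relaying site cannot reproduce."""
    return page.origin == BANK_ORIGIN


if __name__ == "__main__":
    real = genuine_login_page("alice")
    fake = relayed_login_page("alice", "https://look-alike.example")  # placeholder domain
    print("SiteKey check, real site:", sitekey_check(real, "red_bicycle.png"))  # True
    print("SiteKey check, fake site:", sitekey_check(fake, "red_bicycle.png"))  # True
    print("Origin check, fake site:", origin_check(fake))                       # False
```

The picture check passes on both pages, so it carries no information about which site the customer is on; only the origin differs, and that is the check most customers in the study did not make.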
Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be “certain (they’re) at the valid Online Banking Web site” when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?