58 Out Of 60 Consumers Fell For Obviously Fake Bank of America Website

We were reading an interesting article in Kiplinger’s about various strategies that major banks are using to improve security when we were startled by this snippet about the effectiveness of Bank of America’s security system. (Bank of America asks users to choose and then verify an identifying image and phrase before logging in):

When researchers at Harvard University and the Massachusetts Institute of Technology studied the anti-fraud image system used by Bank of America, they found that 58 out of 60 users still logged on to a phony Web site that did not display the images that the users had selected. The system raises the bar for criminals, says Rachna Dhamija, one of the researchers who conducted the study, but “if users don’t comply, it’s entirely ineffective. They are going to be giving out their credentials to the wrong Web sites.”

58 out of 60!? We knew people were vulnerable to phishing operations, but that number is just sad. Get to know your bank’s security features and, for heaven’s sake, look for them when you log in. There’s no reason 58 out of 60 people should be falling for an obviously fake site with incorrect security features. Looks like it might be back to the drawing board for Bank of America.—MEGHANN MARCO

Passwords + Pictures = Security? [Kiplinger’s]
(Photo: Meghann Marco)



  1. dbeahn says:

    My bank uses the pictures + password method. It’s annoying as hell, and I’m sure it’s ignored by most people.

  2. hypnotik_jello says:

    Too bad that sitekey implementation is still susceptible to the man-in-the-middle attack.

    There is an extensive white paper on how it is defeated.

    Basically all you have to do to keep yourself safe is always check the website address, and never click to your bank’s online banking site through any link you receive in an email.

    Seriously, how hard is it to type http://www.bankofamerica.com ?

    The site key stuff is only worth some protection if you are actually on bankofamerica.com

  3. saram says:

    Those 58 out of 60 customers – those are the customers that scream at CSRs when someone in Fiji is using their debit card. The number doesn’t surprise me at all.

    I’ve been that CSR.

  4. shaej says:

    I just went through this gauntlet yesterday to check on an inaccurate charge online. The complexity of their authentication system guarantees that most people will ignore it. They have a picture identifier, and also 3 (maybe 4?) other authentication questions; I had to enter the state I applied for the card in as well as the current state I reside in.

    It was designed from a security perspective without taking into account usability.

  5. battlerobo says:

    Using pictures or “Secret Questions” in conjunction with passwords is just repetitive and useless. They are all the same method of authentication, something the user ‘knows.’ I did a report for a systems security class and centered mine around online banking security. The Federal Financial Institutions Examination Council (FFIEC) issued a guidance called “Authentication in an Internet Banking Environment” which banks were required to adhere to by the beginning of this year. It had mentioned multi-level authentication. Basically, there are three factors: 1. Something the user knows (e.g. password, PIN), 2. Something the user has (e.g. ATM card, smart card), and 3. Something the user is (e.g. biometric characteristic like a fingerprint).

    I came to the conclusion that online banking security measures are really weak at best. Banks sacrifice security for easier user interfaces. I would also think that it’s more expensive to implement card swipers and fingerprint identifiers. Personally, I’m fine with single factor authentication (having just my username and password), since I’m more tech savvy and am more aware of phishing and fake websites. It’s those unfortunate 58 out of the 60 that don’t know the difference and probably would most definitely benefit not from multi-factor authentication to prove their identity, but from the bank somehow proving their website’s authenticity to them.

  6. winnabago says:

    So they invited people into their center, asked them to log in to some dummy BOA account, and then reported that, oh gosh, almost all of them did! Wow. That is guaranteeing results for ya. Someone should tell these researchers about the concept of ‘context’.

    Images and more questions are a stupid security system anyway. If you can get someone to remember to look for an image, then you can easily get them to spot a fake site. The problem is the 9/10 users that just don’t get it. How am I supposed to remember that some of my bank sites show a picture of a bridge, the moon, and a pet lizard, while others don’t show any yet? I’m sick and tired of banks going the cheap route because they think that real security is too expensive, or that it will be inconvenient for the users.

    A scratch off pad, a real time cypher or something like that is the only way to really approach ‘safe’, but no large bank wants to be the first one to implement it. Inconvenient is when I get my account drained because of cookie tracking or something similar, not an extra second to find my keychain device.

    When will they learn?

  7. When will they learn?

    @winnabago: When the scammers start draining the accounts of many people at the same time instead of one by one.

  8. mantari says:

    Phishing is a good sport these days. So much so, that I would encourage my friends and family NOT to get on the Internet if they haven’t already. And if they do, NOT to do any kind of business or financial stuff on it. Especially banking/auctions/etc.

  9. Coder4Life says:

    Maybe they should allow customers to upload their face picture so they know it’s a fake site when they try to log on.

  10. Snakeophelia says:

    Well, this explains the phishing email I received where I was warned that my Bank of America “banmking” account was being suspended and that I must log in immediately! Via a link in the email, of course. If the spammers can get victims without even having to spell-check the subject lines of the emails…sheesh.

  11. exkon says:

    The 58 out of 60 are people who KNOW they don’t have money in their account and overdraft anyway. THEN they go into the bank DEMANDING/THREATENING to get their overdraft fee reversed.

  12. Landru says:

    I have that identifying image and phrase thing at my bank’s website.

    I’m pretty savvy, I think, when it comes to security, but I think while I sometimes notice the image and phrase when I log in, I also think that I wouldn’t notice if it were gone.

  13. leejames says:

    I have a BOA credit card and I use their online system. Since I only check it once a month, I had honestly forgotten about their ridiculous picture/passkey system until I read this. And, honestly, if the sitekey didn’t pop up, I would only assume that it was because people complained and BOA took it down.

    It seems that every time I go to BOA’s site it’s different. I had an MBNA card, which became a BOA card, and they’ve changed their security structure two or three times, all of that within a span of less than a year. I’m not surprised people are getting confused.

  14. asherchang says:

    “David Cowan, co-founder of VeriSign, an Internet-security firm, says that many crimes could be prevented if banks simply made phone calls to account holders to confirm unusual or suspicious online activity”

    With this, can we really blame the stupid 58?

  15. Dan25 says:

    Bank websites are secure. You can’t hold the business accountable for their customers falling for scams. What’s next? Are you going to say banks should pay when their customers get conned by some advance fee scam in Nigeria? There’s only so much a business can do to protect its customers; at a certain point the customer needs to take some personal responsibility. It’s not like BofA was handing out their usernames and passwords. These people couldn’t even check to make sure the URL said “www.bankofamerica.com”!

  16. tylerkaraszewski says:

    I totally agree with this. This is a stupid method of trying to protect users, simply because it doesn’t require them to do or remember anything. I don’t use BofA, but ING Direct does the same thing. I haven’t had to memorize my “security picture” or whatever they call it, because I can access my account regardless of whether or not I can see the picture. If they simply removed that feature tomorrow, I’d just forget that it ever existed, because I have a lot more important things to think about than stupid security features of websites that I don’t believe make my account information any more secure.

    If they forced me to pick out the proper picture from a list of choices, then at least I’d have to remember what picture it was.

  17. synergy says:

    @Dan25: ftw

  18. erica.blog says:

    Checking the URL isn’t foolproof if your computer is infected with certain types of malware that muck with the hosts file (in other words, instead of “bankofamerica.com” going to their real server, it gets redirected to a phisher’s server and site). Luckily, that’s pretty rare, and a decent anti-virus anti-malware package helps.

    I also think that the 58/60 statistic is way too high, although it’s difficult to say why without knowing more about the methodology of the study (and I don’t feel like reading it). Most other phishing studies I’ve seen get a level of response more on the order of 10% to 20%.
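Two of the client-side checks the thread keeps coming back to, hypnotik_jello’s “always check the website address” and erica.blog’s point that a tampered hosts file can silently redirect the correct address, as an added example that is not from the article or any commenter. The bank hostnames are taken from the thread; the URLs and the hosts-file contents are constructed samples.

```python
"""Added example: exact URL host matching plus a hosts-file scan for entries
that would redirect a bank's domain. Sample URLs and hosts-file text are
constructed for illustration; only the bankofamerica.com names come from the thread."""
from urllib.parse import urlsplit
import ipaddress

BANK_HOSTS = {"bankofamerica.com", "www.bankofamerica.com"}  # expected login hosts


def url_is_bank(url: str) -> bool:
    """True only if the URL is HTTPS and its host is exactly one of BANK_HOSTS.
    urlsplit().hostname discards userinfo and port, so a URL such as
    'https://www.bankofamerica.com@evil.example/' yields host 'evil.example',
    and 'bankofamerica.com.evil.example' is a different host, not a match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and host in BANK_HOSTS


def hosts_overrides(hosts_text: str, watch=BANK_HOSTS) -> list:
    """Return (hostname, ip) pairs from hosts-file text that map a watched name
    to a non-loopback address, i.e. the redirection erica.blog describes."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, ignore it
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in watch and not ip.is_loopback:
                hits.append((name, str(ip)))
    return hits


# Constructed sample hosts file: a normal loopback line and one injected entry.
SAMPLE_HOSTS = """
127.0.0.1   localhost
# comment line
198.51.100.7  www.bankofamerica.com  bankofamerica.com   # injected (constructed sample)
"""

if __name__ == "__main__":
    print(url_is_bank("https://www.bankofamerica.com/login"))
    print(hosts_overrides(SAMPLE_HOSTS))
```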

  19. skrom says:

    If people are stupid enough to fall for this crap they deserve to get taken to the cleaners. At least 5 times a week you hear that legitimate companies will never ask you for your password in an email, and yet people do it all the time.

  20. jeffj-nj says:

    Yeah, I’m with Dan25 on this one.

  21. speedwell (propagandist and secular snarkist) says:

    On sites that I think are vulnerable, or where phishing could hurt me, I have a habit of entering an incorrect password on purpose the first time, on the assumption that a hacked site won’t reject it. It probably worked years ago, but it’s probably just superstition by now.

  22. palaste says:

    @speedwell: I’ve sometimes entered obviously fake login information on sites I’ve known to be phishing sites, sometimes logging in as George W. Bush or Bill Gates, sometimes simply typing “f*ck you phisher” as my username and password. Very few, if any, phishing sites display an error message after getting a nonexistent login name. Instead, most of them redirect me to the real site, while some display a thank-you message.

  23. jitrobug says:

    I think these comments illustrate the problem.

    Until this very moment, it never occurred to me that the goofy security picture and phrase were so that *I* could verify *them*.

    Of course 58 of 60 people would miss the images and phrases being missing; nobody (not even security-savvy computer Consumerist readers) understands what the bank is trying to accomplish with them.