Is Bank of America Lying About Website Security?

According to a demonstration by Chris Soghoian over at CNet, Bank of America’s “SiteKey” picture authentication feature can be spoofed by phishers and is, basically, worthless.

We know worthless is a strong word, but when paired with statistics that show most customers don’t even pay attention to the feature—things are looking pretty bleak for B of A. (A study found that 58 of 60 consumers fell for an obviously fake B of A website.)

Chris explains that SiteKey is vulnerable to “man-in-the-middle” attacks in which the phisher contacts Bank of America’s site and feeds the info to the target.

This news came to our attention back in April but now Chris is wondering (as we did) why Bank of America is (still) telling its customers that SiteKey is “certain” to work. Bank of America’s website says that “you can be certain you’re at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site.” Are they simply lying to their customers?

From CNet:

Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be “certain (they’re) at the valid Online Banking Web site” when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?

False security: Is Bank of America lying to its customers? [CNet]



  1. Uriel says:

    Most likely.

  2. Buran says:

    Yeah, and I actually check it, so way to go with the assumptions…

  3. nweaver says:

    Sitekey is “pseudo-two-factor” snake oil. There is a mandate that all financial institutions switch to “two factor” authentication (something you have + something you know). But what has happened is that’s expensive, it requires RSA SecurIDs or similar.

    So there are a raft of bogus security measures (SiteKey is just one of them) that they CALL two-factor for the purposes of placating regulators.

  4. SOhp101 says:

    I was wondering when this would be caught as a silly way of ‘securing’ your connection. When will people realize that these companies aren’t trying to protect your rights and property but only their own?

  5. doormat says:

    My local bank uses the same technology (Nevada State Bank) and I thought it was pretty useless when they first started it.

    The only answer to real security is the RSA SecurID style token. I have one to remote into my work computer from home and I’m very comfortable with it.

  6. juniper says:

    National City uses these pretty pictures, too, to sign onto their website. I couldn’t figure out how it added to my security.

  7. Anonymous says:

    Did anyone notice that you need not type the correct answer to the question it asks before it displays this picture?

    For example, if the answer to the question is “ABCDEFG”, it accepts ABCEDEFX’ also as the correct answer. I noticed that it accepts a wrong answer but did not spend much time on what criteria it uses to accept the wrong answer.

    The starting few letters of the answer should be correct though.

  8. ianmac47 says:

    How are these pictures supposed to protect me anyway? “Sitekey” has been a pain in my online banking experience since they created the whole thing, and I still haven’t a clue what that cute little teddy bear is supposed to do to prevent unauthorized access to my account.

  9. hi says:

    If you change your passwords and site keys it is safe. The chance someone can get both your image and your password is very small as long as your password is good, and you change it every month, or so..

  10. JKinNYC says:

    ING uses these. Worthless.

  11. Charles Duffy says:

    @ianmac47: The theory is that a fake lookalike BofA website won’t know what your SiteKey is and can’t display it to you. The practice is described in the article above.

  12. Charles Duffy says:

    @mbills2: The practice of rotating passwords is a holdout from back when UNIX password databases were easily stolen but took months to crack. Password databases are no longer trivially stolen — shadow passwords put an end to that on multiuser UNIX systems — and password rotation, by making people choose easy-to-remember passwords (or writing them down) as opposed to memorizing something difficult once, arguably makes security worse.

    In this case, an informed man-in-the-middle attack where the user’s cookie (identifying them as using a machine from which they’ve previously logged into BofA’s system) is stolen and either passed on to the attacker’s site or used by scripts running on the attackee’s client to grab your current SiteKey off the legitimate BofA website and display it on the attacker’s site, password and SiteKey rotation is useless.

  13. aparsons says:

    I don’t understand the site key. I imagine I can grab a user’s social security number and “Account Opened In” along with their session ID and post it to the next page. Fake some HTTP headers, screenscrape the content and ask for a user’s password. Seriously, I bet it would take me 20 minutes to code a fake Bank of America site.

  14. mrmaxmouse says:

    BoA also has another system they just started…Basically, when you attempt to sign on, they send a text message to your cell phone with a 6 digit one-time use number that you have to type in to the box on the site to login.

    You can require the 6 digit code for ALL sign-ins or just for the 1st sign in on each computer you use.

    Seems pretty solid to me. Takes about 1/2 a minute to get the code, but worth it…and since you only have to do it once or twice on each computer you use to bank on, not a terribly big issue.

  15. xamarshahx says:

    sitekey is retarded, it would be even a little more secure if they at least changed the picture and used categories like Vidoop.

  16. manevitch says:

    I’m a BoA customer, and just recently was notified of an additional layer of security that could actually be secure – a one-time 6-digit passcode sent via SMS to your mobile device. Okay, it’s not as secure as a 16-alphanumeric code on a security key, but it’s fine. Much better than the SiteKey, as long as you have your cellphone with you and you have good signal.

    Optional, of course, but highly recommended.

  17. fredmertz says:

    Why don’t people just not enter information into a site unless they typed the address or used their own bookmark?

  18. synergy says:

    @fredmertz: Because… that would take too much intelligence?

    Seriously, it must be the bank’s fault that you didn’t pay attention to the fake URL. *rme*

  19. hi says:


    I never said make it an easy password. Make it a strong password. And you should still change them as someone might have yours. If you keep it the same then they still have it. If you change it then they no longer have it.

    As for cookies, etc; don’t save the passwords on your computer and delete the cookies. Not to mention stay away from email links and fake sites, etc… this really gets away from the website’s security and the individual’s personal computer security and how well informed they are.

  20. Alan Thomas says:

    Sitekey isn’t the two-factor authentication–it’s the PC-recognition stuff behind the system that provides (or simulates) the two factors. It’s an RSA system called Passmark, and it’s also what does the phone authentication.

  21. TSS says:

    I always thought that you’re not supposed to just look at the picture. You’re supposed to re-title it as something only you would know. In the picture shown, if you had a teddy bear named Binky, you would caption the picture as Binky or Binky Lives or something else stupid that only you would know. Or am I high and BofA is laughing at me behind my back?

  22. Syrenia says:

    I just encountered an ancient (well, 1997) technology which is sort of like a poor man’s hardware verification. A friend has an account with a bank in Austria. They issued him a printed sheet of single-use codes. To transfer money by phone or Web, he has to enter one of the codes.

    To make it more interesting, it’s not just any random one, or the next one in the list. After he logs in (typical user ID + password situation), the system asks him something like “what is the next unused code that ends in 4?”

    Without that sheet, you aren’t getting anywhere. And there’s no identifying information printed on the sheet. So unless you know the account information, the sheet is useless.

    Of course, when you are nowhere near the codes — like when you are in Asia for three months on business — it can get kind of tricky.
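The printed-sheet scheme in the comment above, sketched from the server's side as an added example (not part of the original post and not any bank's code). The class name `TanSheet`, the three-strike lockout and the sample codes are assumptions made for illustration; the comment only describes the "next unused code that ends in 4" prompt.

```python
import hmac
import secrets

# Constructed sample sheet; a real one would be randomly generated per customer.
SAMPLE_CODES = ["482914", "170362", "905184", "663027", "318844"]
MAX_FAILURES = 3  # assumed lockout threshold, not stated in the comment


class TanSheet:
    """Server-side record of one customer's printed single-use codes."""

    def __init__(self, codes):
        self.codes = list(codes)  # kept in the order printed on the sheet
        self.used = set()         # indexes of codes already spent
        self.failures = 0         # consecutive wrong answers

    def expected_index(self, digit):
        """Index of the next unused code ending in `digit`, or None."""
        for i, code in enumerate(self.codes):
            if i not in self.used and code.endswith(digit):
                return i
        return None

    def challenge(self):
        """Choose a final digit for which an unused code still exists."""
        digits = sorted({c[-1] for i, c in enumerate(self.codes)
                         if i not in self.used})
        if not digits:
            raise RuntimeError("sheet exhausted; issue a new one")
        return secrets.choice(digits)

    def verify(self, digit, submitted):
        """Accept only the one code the challenge asked for, and only once."""
        i = self.expected_index(digit)
        if self.failures >= MAX_FAILURES or i is None:
            return False
        if hmac.compare_digest(self.codes[i].encode(), submitted.encode()):
            self.used.add(i)      # burn the code so a replay fails
            self.failures = 0
            return True
        self.failures += 1        # repeated guessing locks the sheet
        return False
```

Because the server names which code it wants, a code captured from an earlier session, or a different unused code from the same sheet, is rejected.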

  23. Charles Duffy says:

    @mbills2: SiteKey requires a cookie to work as designed — if you don’t have a cookie, you go through your verification questions every time, and if you’re going through them every time, you don’t recognize when you’re answering those questions for a spoofed site rather than the real one.

  24. Charles Duffy says:

    @mbills2: You have to use a cookie for SiteKey to work as designed. If it can’t recognize an authenticated system (and only ask you your validation questions on unknown systems), you can just as easily be answering your three security questions for a spoofed version of the BofA site as the legitimate article (which would be showing you your SiteKey rather than asking the questions if you accepted the cookie).