Confirm that your SiteKey is correct

Bank of America just mandated a new “security feature” called SiteKey. Apparently it is meant to help reduce phishing attacks against the Bank of America online banking website. Well, since I just wasted 25 minutes of my time setting this thing up, I’m going to waste your time by forcing you to read about this rather pointless “feature”.

Essentially, the theory behind SiteKey is that you enter your “Online ID” on the bofa.com front page and hit the submit button. If the server recognizes your browser (by a cookie set when you enrolled), it presents you with the picture and text you chose during setup, something only you and Bank of America would know, so that you can quickly confirm you’re on a legitimate BofA website. If your browser doesn’t have the SiteKey cookie, it first asks you a personal question (like your mother’s maiden name) before showing your SiteKey. At this point you enter your password and proceed as usual.

A few things:

  • How is this ANY different from me looking at the “Location” bar directly above the active web page to make sure it says “bankofamerica.com”? I suppose that if I’m using a flawed browser that lets pages manipulate that, I might be at risk. Otherwise the only user SiteKey helps is one who never checks the address bar in the first place, and a phishing site that proxies the real login page can forward whatever I type to bankofamerica.com and relay the challenge question and the picture back to me anyway.
  • When I first signed up for Online Banking 6 years ago, the customer service rep made me use my Social Security Number as my “Online ID”. I can only imagine how many other customers also use their SSN for their Online ID. Knowing this, a phishing site with a mock page that asks for *ONLY* an Online ID (so the user expects to see their SiteKey next, as usual) would already have enough information to begin further research toward stealing someone’s identity.
  • Why can’t I just upload my own picture? They tout this as a “personal” thing, yet I have to browse their collection of images? When I was wasting my time selecting a SiteKey, I was determined to find a Red Stapler. They let you choose images from a matrix, 6 per page. The first page had a Pink stapler. After several more pages I came across a Blue stapler, then Purple, then Green. Finally, on page 240, after looking at over 1,440 images, I found an old-style Red Stapler to use as my SiteKey… not a Swingline, but close enough. … Oops … I shouldn’t have told anyone. Dang.
  • We already know people are idiots… I suspect that most people who fall for a phishing attack will enter their userid and passcode on a phony website without even thinking about SiteKey, i.e. they won’t remember the importance of the SiteKey feature unless the website mentions it!

That last note is especially important when you consider this rather serious design flaw in Bank of America’s SiteKey as implemented at the time of this writing: if you visit bankofamerica.com from a browser without the SiteKey cookies (or with cookies disabled), you are asked for both your userid and passcode regardless! See screenshot:

[Screenshot: SiteKey with no cookie]

The funny thing is, even after I submit my Online ID and Passcode, it still asks for my SiteKey information, then my passcode again. What a waste of my time.

Here is how it looks when you are using a browser the server recognizes, with the proper cookies:

[Screenshot: SiteKey as it should be]

Oh, one more thing: SiteKey isn’t even implemented for WA or ID accounts, which are the old SeaFirst bank accounts. What’s worse? The login page for those accounts asks for your checking account number, your Social Security Number in its entirety, and a password. Every time. You’d think that this many years later, this bank of “Higher Standards” would be able to integrate and upgrade its website for a consistent interface across the whole country.

Wow, I sure feel secure now. Thank you BofA for this enhanced (false) sense of security.

3 comments to Confirm that your SiteKey is correct

  • laura

    I think that is a diatribe worth giving to BofA.
    =)

  • I couldn’t find the red stapler so I settled for the black bunny..I thought it was a rabbit that had the life sucked out of it (very appropriate for my bank account). A lot of people I know bank with BECU so every time I complained about the STUPID Bank of America STUPID SITE STUPID STUPID KEY..no one knew. I’m relieved to finally hear someone else speak up about this nonsense. Stupid BOFA makes you enter your social, acct. #, and pw……..HUGE WASTE HUGE HUGE WASTE…I was somewhat drunk/tipsy when I set up my sitekey and I got so angry when I realized it was a fatty waste of time that I just dismissed it all. Then when I went to check my acct (sober), I totally forgot the whole sitekey thing existed. BofA made it SOOO DIFFICULT for me to finally reset the silly silly site key.

  • erich

    Whoa! Two women made posts on 11h! And one might have been drunk! Sweet!
