After Theft, Bank of America Tightens Security
Info World - May 26, 2005
Just days after confirming that information on about 60,000 of its customers had been stolen by an identity-theft ring, Bank of America on Thursday announced plans to tighten security for its online banking customers. Beginning next month, the Charlotte, North Carolina, bank will begin offering a new service called SiteKey that will make it harder for thieves to access Bank of America accounts. SiteKey will recognize when a Bank of America account is being accessed via an unknown computer and will generate a predetermined "challenge" question, adding another level of security to the process of logging in. The software also lets users choose a specific image -- a photograph of a dog, for example -- that can then be re-shown to users in order to reassure them that they are actually visiting the Bank of America Web site, and not some other site masquerading as www.bofa.com.
The Chapell View
I like the SiteKey program - a lot! To date, Citicorp is one of the few banks to actively use privacy and security as differentiators. I hope that Bank of America will use this program as a way to set their company apart from the competition.
I do see one problem with SiteKey, however. And this is a similar problem faced by almost all security and authentication programs. Users tend to have trouble remembering their passwords. This is the inherent difficulty when setting up a password or challenge-response answer. You want to make it complex enough so that the bad guys don't get a hold of it, but not so complex that you can't remember it. And it would be bad enough if you only had to remember one or two passwords, but many of us have dozens of different passwords to remember. I, for example, have a separate password for:
- My Computer
- My Hotmail Account
- My Yahoo Account
- My Gmail Account
- The Chapellassociates.com Server
- My Business Online Banking Account
- My Personal Online Banking Account
- My ATM PIN
- The UID and Password to access my Blackberry
- Half the Web sites I visit regularly...
My point is that, in order for me to be smart about my security, I would need to remember a dozen different passwords. Given that I can just about remember my own bank account number, that's a difficult task.
Someone in the technology world needs to come up with a better method of authentication.

