Confirm that your SiteKey is correct

Bank of America just mandated this new “security feature” called SiteKey. Apparently, it is to help reduce phishing attacks to the bank of America online banking website. Well, since I just wasted 25 minutes of my time setting this thing up, I’m going to waste your time forcing you to read about it rather pointless “feature”.

Essentially, the theory behind SiteKey is that you enter your “Online ID” on the bofa.com front page and hit the submit button. If the server detects your browser, it will present you with a customizable picture and text that only Bank of America would know … that way you can quickly ensure you’re on a legitimate BofA website. If your browser doesn’t have the SiteKey cookie, it will first ask you a personal question (like what is your mothers maiden name) before showing your SiteKey. At this point you can enter your password and proceed as usual.

A few things:

• How is this ANY different then me looking at my “Location” bar directly above the active webpage to make sure it says “bankofamerica.com”? I suppose if I’m using a flawed browser that allows pages to manipulate that, I might be at risk.
• When I first signed up for Online Banking 6 years ago, the customer service rep made me use my Social Security Number as my “Online Id”. I can only imagine how many other customers also use their SSN for their online id. Knowing this information, a phishing website that creates a mock page that asks for *ONLY* an Onilne Id (making the user think they will see their SiteKey later, as usual) would already have enough information to begin further research for stealing someones identity.
• Why can’t I just upload my own picture? They tout this as a “personal” thing… yet I have to browse from their collection of images? When I was wasting my time selecting a SiteKey, I was determined to find a Red Stapler. They let you choose images from a matrix, 6 per page. The first page had a Pink stapler. After several more pages I came across a Blue stapler, then Purple, then Green. Finally, on page 240 after looking at over 1,440 images, I found an old-style Red Stapler to use as my SiteKey… not a swingline, but close enough. … Oops … I shouldn’t have told anyone. Dang.
• We already know people are idiots… I suspect that most people who will fall for a phishing attack will enter their userid and passcode on a phony website without even thinking about the SiteKey thing… i.e. they won’t remember about the importance of the SiteKey feature unless the website mentions it!

That last note is especially important when you consider this rather serious design flaw in Bank of America’s SiteKey as it is implemented at the time of this writing: If you visit bankofamerica.com on a browser without the SiteKey cookies (or cookies are disabled), you are asked for both your userid and passcode regardless! See screenshot:

The funny thing is, even after I submit my Online ID and Passcode, it still asks for my SiteKey information, then my passcode again. What a waste of my time.

Here is how it looks when you are using a browser the server recognizes with the proper cookies:

Oh, one more thing: SiteKey isn’t even implemented for WA or ID accounts, which are really old SeaFirst banks…. Whats worse? The login page for those accounts ask for your checking account number, social security number in its entirety, and a password. Every time. You’d think that this many years later, this bank of “Higher Standards” would be able to integrate and upgrade their website for a consistant interface across the whole country.

Wow, I sure feel secure now. Thank you BofA for this enhanced (false) sense of security.