Bank of America to Launch ID Theft Protection

The free authentication service, called "SiteKey," will use a combination of factors to verify the customer's identity and the authenticity of the company's Web site.

Bank of America will protect 13.2 million online banking customers with a new authentication service it calls "SiteKey," the company said in a statement.

The free service will be launched in Tennessee in June and will eventually be rolled out nationwide.

SiteKey uses a combination of an image, user-created phrase and three challenge questions to authenticate both the customers identity and the authenticity of Bank of Americas Web site when customers log on, Bank of America said.

The new service is intended to help protect customers from identity theft, because information that is only known to the account holder must be presented, in addition to a customer ID and password, Bank of America said.

The user-selected image will also prove the authenticity of the bank Web page to a customer and deter fraudulent sites used in identity theft attacks called "phishing scams."

Bank of America, like other large, consumer banks, frequently has its customers targeted by phishing scammers, who use massive spam e-mail campaigns to lure recipients to phony Web sites designed to look like Bank of Americas site, often under the auspices of updating account information.

Bank of America partnered with PassMark Security Inc. of Redwood City, Calif., to offer the service. PassMark makes the image-based authentication system used in SiteKey.

Customers sign up for the service online, providing a unique phrase and choosing a special image from hundreds of thousands PassMark offers, said Mark Goines, chief marketing officer at PassMark.

PassMarks product uses information gathered from the customers machine and stored in a small data file, or "cookie," to validate login requests.

Users who attempt to access PassMark-protected sites from their own machine can log in directly.

However, those who attempt to access banking services from a different computer must answer the three challenge questions correctly before they will be allowed to log in, he said.

In recent months, other banks and online brokerages have also announced multifactor authentication services to shore up account security and prevent fraud.

In October, U.S. Bancorp and VeriSign Inc. announced a program to use hardware tokens to secure access to commercial banking services for U.S. Bancorp customers.

E-Trade Financial Corp. also offers customers a free Digital Security ID from RSA to secure access to their online account.

Critics have argued that secure tokens and smartcards wont stop phishing attacks, because scam artists could just change their Web sites to mimic the behavior of the Web sites that accept the extra user credentials, while still harvesting personal information such as bank account numbers, customer IDs and passwords, or credit card numbers from victims.

With the most online banking customers of any U.S. bank, Bank of America is a huge win for PassMark, a 1-year-old startup with 25 full time employees.

The companys largest banking customer to date was Stanford Federal Credit Union, which has around 40,000 users.

PassMark charges customers according to the number of active users per year, he said.

The PassMark system is designed to prevent such scams by requiring the bank to present unique information—the customers PassMark image—to prove its authenticity to the customer, Goines said.

Still, the service is voluntary, and Bank of America will have to encourage the bulk of its customers to sign up for it before it will reap any benefits in preventing account fraud, Goines said.

"Security is only as good as its adoption," he said.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.