Thread: Bank Of America Foolishness (Rant Alert)
-
Dec 15th, 2005 11:49 AM
#1
Bank Of America Foolishness (Rant Alert)
I know this shouldn't affect many people in Canada, but there are apparently some BofA's in Canada...just as there is some form of Toronto Dominion in the US.
Anyway, BofA just implemented this "high-speed", "state of the industry", "solid state" new anti-phishing program called "SiteKey". [URL=http://www.bankofamerica.com/privacy/passmark/#skipnav]Here[/URL] is how it works.
As a test of how secure this system was, I logged into my PC at home while sitting at my work PC and proceeded through the SiteKey registration steps at both PCs. This involved my picking an image, picking an image title, and answering three new security questions.
When I got to the confirmation step (the one that I figured would seal the deal on my choices), I clicked my work computer's Send button. Then I clicked my home computer's Send button. Astoundingly, neither of the registrations was negated by the other. At this point in time, I have no idea which SiteKey settings were accepted; if both were accepted; or if some hybrid of the two was accepted.
Also, it let me answer all three of my questions with the exact same string. It would not let me use curse words for either my image description or question answers, but it [I]would[/I] let me use "Bank of America Sucks D@#k" (special characters substituted) for any of those responses.
[QUOTE]By passing back and forth secret information that only you and Bank of America know, you can feel even more secure with your Online Banking experience. We recognize you and you recognize us.[/QUOTE]
Too bad it didn't recognize two accesses to the same single-person held account at the same time from two distinctly different locations. :(
Last edited by mozchild; Dec 15th, 2005 at 12:24 PM.
-
Dec 15th, 2005 02:53 PM
#2
It seems to me like this is a smart move. Of course there are going to be some problems when it first comes out, but this certainly is a step above a password and "mother maiden name".
-
Dec 16th, 2005 05:57 PM
#3
[OP]
[QUOTE=charger]It seems to me like this is a smart move. Of course there are going to be some problems when it first comes out, but this certainly is a step above a password and "mother maiden name"[/QUOTE]
The question I have is... "Is this teensy step above the status quo really worth the extra hassles?" From the 15+ minute waits I've experienced sitting in their tech support queues, I'm wondering how BofA would answer that question now.
My main objection to this program is that this wasn't rolled out all at once. It's been phased in over the last several months. Plenty of time for a phisher to design its own Web site mimicking the SiteKey registration pages. Anyone who's not smart enough to determine if they're really on a BofA site isn't going to know the real SiteKey registration pages from a phake SikeKey registration page. And anyone who is smart enough doesn't need the extra protection (or hassle) SiteKey provides.
The fact that the BofA site didn't know I'd already registered (even if the time difference was only seconds) leaves them looking like many unsophisticated phishing sites--ones which frequently accept any information from you without error checking. A phishing SiteKey site wouldn't tell you you'd already registered because they're all about the collection of information.
Even under the best conditions, where does that leave people? With three more pieces of personal information in the hands of their bank. As if the bank doesn't know enough about us already. No more than two weeks after changing some personal information with my bank, I received a solicitation from a 3rd-party "affiliate" company utilizing the new information.