Bank of America announces anti-phishing strategy

CNet is reporting that Bank of America has announced plans to roll out two technologies to help the firm (and customers) fight against phishing (the use of email and web sites to gain personal information from users). The strategy includes adding features to their web site and leaving a trail on the user's PC that helps to protect against stolen account access information.

The strategy uses a technology called SiteKey that will authenticate the bank to the user as well as vice-versa. From the information in the article, and from BofA's web site, the sequence will be something like this:

  • Go to BofA site
  • Enter your user ID
  • Site responds with a phrase and picture you have chosen to prove it is really BofA
  • Enter your password
  • You're logged in

If you've not accessed the site from that computer before, it adds an additional step before displaying the phrase and picture that requires answering a security question.
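The sequence above, including the extra step for an unrecognized computer, modeled as an added example; this is not Bank of America's code. The class and method names are hypothetical, and the signed token standing in for the "trail" left on the PC is an assumption, since the article does not say how that trail is implemented.

```python
import hashlib, hmac, secrets

class SiteKeyServer:
    """Toy model of the login sequence; every name here is hypothetical."""

    def __init__(self):
        self.users = {}
        self.device_key = secrets.token_bytes(32)  # signs the marker left on the PC

    def enroll(self, uid, password, phrase, picture, question, answer):
        salt = secrets.token_bytes(16)
        self.users[uid] = dict(
            salt=salt, pw=self._hash(password, salt), phrase=phrase,
            picture=picture, question=question, answer=answer.strip().lower())

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _token(self, uid):  # assumed form of the "trail": a signed cookie value
        return hmac.new(self.device_key, uid.encode(), hashlib.sha256).hexdigest()

    def _known(self, uid, token):
        return token is not None and hmac.compare_digest(
            token.encode(), self._token(uid).encode())

    def start(self, uid, token=None, answer=None):
        """Called once the user ID is entered; returns the site's next message."""
        u = self.users.get(uid)
        if u is None:
            return {"step": "denied"}
        if not self._known(uid, token):
            if answer is None:  # unrecognized computer: ask the security question
                return {"step": "challenge", "question": u["question"]}
            if not hmac.compare_digest(answer.strip().lower().encode(),
                                       u["answer"].encode()):
                return {"step": "denied"}
        # Recognized (or just verified) computer: show the chosen phrase and picture
        return {"step": "sitekey", "phrase": u["phrase"], "picture": u["picture"],
                "token": self._token(uid)}

    def finish(self, uid, token, password):
        """Password step; only accepted from a computer that passed start()."""
        u = self.users.get(uid)
        if u is None or not self._known(uid, token):
            return False
        return hmac.compare_digest(self._hash(password, u["salt"]), u["pw"])

# Constructed sample data, for illustration only
bank = SiteKeyServer()
bank.enroll("alice", "s3cret-pw", "blue heron at dawn", "heron.png",
            "First pet's name?", "Biscuit")
```
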

This is actually a pretty cute scheme. Since each user's picture and phrase choice will be somewhat different, each user is quite certain they're talking to Bank of America. On the flip side, if somebody steals your ID and PIN and attempts to access the bank's site from a computer other than yours, it will ask this additional security question, which is only asked very infrequently and is unlikely to have been phished.

Nice to see somebody trying to solve this problem.