Saturday, May 05, 2007

Bank of America. Oh oh oh!

Logging in to their online banking system is a pain. Why? Because I know my SSN (used as the username) and I know my password, but they've decided that's not good enough, no. I enter my SSN and then they ask me 'What's your maternal grandmother's maiden name?' Now, I know the answer to this. You could probably figure it out too. Sadly, Bank of America doesn't have a clue, and I don't recall telling them anything but the truth.

So how do I log in? I try answering a few times, and finally it asks my father's middle name. This one I know. This one I know you can find in a matter of minutes using Google. My father goes by his middle name. And Bank of America knows the correct answer to this one. So finally I manage to get in.

By 'in' I mean I'm to the point where I can enter my password.

By the way, if you ever want to be annoying, all you need to do is get to this point and then enter the wrong password a few times. They'll shut down online access to my account until I dig up some silly information and fill it in. Could be worse. My brother had to call them with his account number and a recent transaction--and he was in Germany at the time, meaning he couldn't unless he wished to spend lots of money.

So long as I'm explaining how Bank of America's security sucks, I should mention SiteKey. SiteKey is an image you choose that they show you after you supply your SSN and the answer to the security question. If you see the SiteKey image that you chose when setting up your account, you know it's really Bank of America and you can safely enter your password.

Either that or it's a phishing site that took your SSN and security question answers as soon as you provided them, showed them to the real Bank of America, got your SiteKey image, and then showed it to you, defeating this brilliant security measure in a matter of seconds.

Okay, so maybe they'll notice if a single phishing site is sending these requests to BoA for every person they fool, but how many of you think this isn't easy to hide sufficiently well to avoid any automatic detection BoA may have set up? Yet another example of fake security. It makes you feel safe, unless you're competent and actually think it through.
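
The automatic detection mentioned in the last paragraph, as an added example that is not part of the original post: a per-source check over constructed web logs that flags any address fetching SiteKey images for many different accounts within a short window. The log format, the event name `sitekey_served` and the thresholds are assumptions for illustration, not anything Bank of America is known to use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source IP> <account id> <event>".
# The format and the event name "sitekey_served" are assumptions for this
# example; the IPs come from documentation ranges.
SAMPLE_LOG = """\
2007-05-05T10:00:01 198.51.100.7 acct-1001 sitekey_served
2007-05-05T10:00:09 203.0.113.20 acct-2002 sitekey_served
2007-05-05T10:00:40 198.51.100.7 acct-1002 sitekey_served
2007-05-05T10:01:15 198.51.100.7 acct-1003 sitekey_served
2007-05-05T10:02:02 198.51.100.7 acct-1004 sitekey_served
2007-05-05T10:03:30 203.0.113.20 acct-2002 sitekey_served
2007-05-05T11:30:00 192.0.2.44 acct-3001 sitekey_served
2007-05-05T12:45:00 192.0.2.44 acct-3002 sitekey_served
"""

def flag_relay_sources(log_text, window=timedelta(minutes=10), max_accounts=3):
    """Return {source_ip: sorted accounts} for sources that were served SiteKey
    images for more than max_accounts distinct accounts inside one window."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "sitekey_served":
            continue  # skip malformed lines and other event types
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))

    recent = defaultdict(deque)  # ip -> (time, account) pairs still in window
    flagged = {}
    for ts, ip, account in sorted(events):
        q = recent[ip]
        q.append((ts, account))
        while ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        accounts = {a for _, a in q}
        if len(accounts) > max_accounts:
            flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(accts) for ip, accts in flagged.items()}

if __name__ == "__main__":
    for ip, accts in flag_relay_sources(SAMPLE_LOG).items():
        print(f"{ip}: SiteKey served for {len(accts)} accounts: {accts}")
```

A shared NAT or corporate proxy also shows many accounts behind one address, so the threshold has to be tuned against normal traffic before alerts from a check like this are acted on.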
