By Bill Brubaker
Washington Post Staff Writer
Thursday, July 14, 2005
This is the face of online banking in the age of cyber-theft: A welcome screen with a crisp photo of a ladybug or a butterfly or -- what's this? Well, it sure looks like a King penguin.
Since July 2, Bank of America Corp. has been inviting its online customers in the District, Maryland and Virginia to choose a personal digital image -- from a library of thousands of photos -- to appear whenever they log on to the bank's Web site.
If the secret image doesn't appear -- teapots, giraffes, hairbrushes, ice skates and cowboy hats also are available -- the customer has logged on to the wrong place.
"This is really to give our customers greater peace of mind so they know that when they come to the Bank of America site that it is indeed the real Bank of America site," said Betty Riess, a company spokeswoman.
The nation's largest online banker is taking the action, it says, to help fight fraud and thwart identity theft -- a huge and growing concern for financial institutions in the United States and beyond. It is part of a security system that will become mandatory this fall when it's rolled out to Bank of America customers across the nation.
The company also is asking online customers to write a secret phrase, between six and 30 characters long, that should appear alongside the secret image. If the phrase isn't there, customers should know the drill: Log off immediately and please don't enter any ID numbers and passwords. (Yes, old-fashioned IDs and passwords are still required under the new system.)
"This is all part of our ongoing focus of security . . . to fight 'phishing,' " Riess said. Phishing is a scheme in which hoax e-mails that appear to be from well-known companies request personal information such as bank account numbers. Some large banking companies, including Citicorp, have been targets of phishing schemes.
Bank of America, which has 31 banking centers in the District, 190 in Maryland and 198 in Virginia, has been a target of two somewhat different security breaches in recent months. In February, the company revealed it had lost tapes containing data on 1.2 million federal employees, including some U.S. senators. And in May it told customers that New Jersey police had uncovered a scheme to steal financial records from thousands of Bank of America and Wachovia Corp. customers.
Bank of America's new authentication system, dubbed SiteKey, has been introduced so far in nine states and the District. It was created by PassMark Security, a California firm co-founded by Bill Harris, former chief executive of PayPal and Intuit.
The system has one more layer of security: In signing up for the program, customers are asked to choose -- and answer -- three challenge questions, such as: "On what street did you grow up?" and "What is your best friend's first name?"
An answer to one of these questions is required whenever the customer logs on from a computer the security system doesn't recognize.
Bank of America isn't claiming that the system is foolproof. "There are always people out there looking to get around fraud measures," Riess said. "So we'll continue to work to stay ahead of the fraudsters."