Customer description of Bank of America sitekey (Passmark)

David describes the customer experience as Bank of America implements PassMark Security's anti-phishing solution. It seems to have gone smoothly, except that it wasn't clear to him why he was going through it.

Relevance to Bankwatch:
The devil is in the details with online banking implementations, and it's all about considering the experience at the time of click.

» Will BofA's SiteKey thwart phishing attempts? | Between the Lines | ZDNet.com

The last time I logged into my BoA account, it forced me to do two things. First, I had to pick an image from a large library of images. For example, you can pick the image of a dog or the image of a can of pure maple syrup (see example, above left).

Second, I had to name the image.

Even though it wasn't clear to me why I was going through this, I went along with the Web site's insistence that I do it anyway (after ignoring the request a couple of times, BofA's site forces you to go through the process). Then, the next time I logged in, not only did my login page have a copy of the image I selected, but the name I assigned to it as well.

Generally, David believes it will reduce phishing, but he makes the point that unsophisticated customers will still fall prey to social engineering.

But now comes the big question: could solutions like these put an end to phishing and restore trust in the email system as a way for financial institutions to stay in touch with their customers? Personally, I like the idea. It appeals to me as a power user and it's sure to foil some phishing attempts which is ultimately in everybody's best interest (OK, not the phishers'). But I also think it's very hi-tech. Perhaps so much so to the point that it won't be effective with the same people — the not-so-tech-savvy — that are such easy prey for social engineers. That's because social engineering works independently of technology. No matter how good a security technology is, most technological countermeasures are no match for a decent social engineer.


3 thoughts on “Customer description of Bank of America sitekey (Passmark)”

  1. Instead of showing a user random pictures with a word associated with that image, why doesn’t the platform let you upload a photo of your choosing (family member, pet, favourite place) and let you name it yourself? Therefore, rather than showing a user a random picture, it’s a picture they have a connection to.

  2. @Anthony … Sitekey, which is actually the Passmark product now owned by RSA, provides for users to upload their own picture. Despite the above quotes, I would be surprised if BofA have not implemented that feature – anyone know?

  3. It wasn’t the case 2 months ago. There was a series of 9 images to choose from. It would seem that the personification of sitekey (passmark) would make it more relevant.

    On another note, one of the simplest methods I have seen was a credit union here in Australia. You would enter your username and then your password was based on your P.I.N.; however, every time the page reloaded, there was a table with numbers from 0 to 9 with a random letter shown beneath. It was this letter that was typed into the password field to log in. Simple, yet secure.

Comments are closed.
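
The per-page-load letter table described in the last comment, sketched server-side as an added example (it is not part of the original post or its comments, and not the credit union's code). The function names, the distinct-letter-per-digit rule, the single-use challenge store and the PBKDF2 parameters are all assumptions made for illustration; the PIN is a constructed sample.

```python
import hashlib
import hmac
import secrets
import string

_rng = secrets.SystemRandom()
_challenges = {}  # challenge_id -> {letter: digit}; in-memory store, assumed for the example


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash of the PIN: what the server keeps instead of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def new_challenge():
    """Build the table for one page load: digits 0-9, each with a distinct random letter."""
    letters = _rng.sample(string.ascii_uppercase, 10)
    table = dict(zip("0123456789", letters))
    challenge_id = secrets.token_urlsafe(16)
    _challenges[challenge_id] = {letter: digit for digit, letter in table.items()}
    return challenge_id, table


def encode_pin(pin: str, table: dict) -> str:
    """What the customer does by eye: read off the letter under each PIN digit."""
    return "".join(table[d] for d in pin)


def verify(challenge_id: str, typed: str, salt: bytes, stored_hash: bytes) -> bool:
    """Map the typed letters back to digits and check them against the stored hash."""
    reverse = _challenges.pop(challenge_id, None)  # pop: each table is accepted once
    if reverse is None:
        return False
    try:
        pin = "".join(reverse[ch] for ch in typed.upper())
    except KeyError:
        return False  # a letter that was not in this table
    return hmac.compare_digest(hash_pin(pin, salt), stored_hash)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    stored = hash_pin("4921", salt)  # constructed sample PIN
    cid, table = new_challenge()
    typed = encode_pin("4921", table)
    print(table, typed, verify(cid, typed, salt, stored))
    print("replay of the same letters:", verify(cid, typed, salt, stored))
```

The table changes what a keystroke recorder captures on each login, but anyone who sees both the table and the typed letters can read the PIN straight back, so the scheme does not help against a spoofed page or screen capture.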