OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses or malware)?
Until then, this is what I got when I logged into my bank account just now to check my balance:
"We're simplifying the way you sign in
You'll soon be able to sign in with one step by entering your Online ID and Passcode on the same page. SiteKey® — the image you used to see before entering your Passcode — is no longer part of the way you sign in to Online Banking.
This simpler sign-in will be introduced on our different sites before the end of the year.
To help ensure you're on the real Bank of America website before you sign in, check your browser address bar for:
www.bankofamerica.com
Green text/shading
Lock icon"
Of course that is the way it was originally, putting in the ID and password on the first page. That was it for the first few years.
It was their idea to have a SiteKey in the first place, an image that they chose that I would see on the screen that showed me I was actually communicating with whom I thought I was, the bank**. Now they have 3 things, the list at the end above, but none of them are personalized for me. Anyone with an account would get these same three things and could duplicate them in a phony site (the existence of which, one which would intercept my attempt to get to them, was a concern when they came up with the SiteKey).
**Because no one else would know what they showed on my screen. Even if there were a key-logger on my computer, it wouldn't read what came in, iiuc, that is, the sitekey, the little sketch they showed me and maybe 1000th of their online customers. (That is, they had 1000 sketches, and if I didn't get the one I expected, I should stop what I was doing and not put in my password.)
Do you do online banking with other banks? Do they have something like the SiteKey, a password or picture they send to you, instead of the other way around, so that you know you're talking to them, in the same way they want a password from you so they know they're talking to you?
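Added example, not part of any post in this thread: the address-bar check from the bank's notice quoted above, written as a strict comparison and set beside a naive "contains the bank's name" test. The function names and sample addresses are constructed for illustration; the green shading and lock icon are browser indicators and are not modelled here.

```javascript
// Added example. The expected host comes from the bank's notice quoted above.
const EXPECTED_HOST = 'www.bankofamerica.com';

// Naive check, for contrast: "the address contains the bank's name".
function naiveCheck(raw) {
  return raw.includes(EXPECTED_HOST);
}

// Strict check: parse the address and compare the parts that identify the site.
function checkSignInUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not https' };
  // Anything before an "@" is userinfo, not the site being visited.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'userinfo before @' };
  }
  // Exact match only: a longer name that merely starts with the bank's is another site.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: 'host is ' + url.hostname };
  }
  if (url.port !== '') return { ok: false, reason: 'non-default port' };
  return { ok: true, reason: 'exact host over https' };
}

// Constructed sample addresses; example.net is a reserved documentation domain.
const SAMPLES = [
  'https://www.bankofamerica.com/',
  'http://www.bankofamerica.com/',
  'https://www.bankofamerica.com.login.example.net/',
  'https://www.bankofamerica.com@example.net/',
  'https://example.net/www.bankofamerica.com',
];

function runSamples() {
  return SAMPLES.map((raw) => ({ raw, naive: naiveCheck(raw), strict: checkSignInUrl(raw) }));
}

for (const r of runSamples()) {
  console.log(`${r.raw}\n  naive=${r.naive} strict=${r.strict.ok} (${r.strict.reason})`);
}
```

All five constructed addresses contain the bank's name, but only the first passes the strict check, and none of these signals is personalized to the account holder.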
wrote:

I use a bank and three CC accounts and only my wife's BofA has the site key. Never had a problem with any of them.
Whatever changes are being made, I'm sure any bank is going to be as secure as they can be and the new system is meant to be more, not less, secure.
In alt.home.repair, on Mon, 27 Jul 2015 05:48:44 -0400, Ed Pawlowski

Yes, that idea occurred to me. It makes sense. Especially when they've thought of something, to abandon it would leave them open to lawsuits if they hadn't somehow improved things. But still......
wrote:

My Bank of America sign-in still uses dual sign-in with the picture. Are you sure the above message came from the real bank?
On 07/27/2015 07:27 AM, Pat wrote:

When I signed in to my BofA account this morning, I had to answer one of my "challenge questions" before I got to the SiteKey picture, but then I too saw the notice that SiteKey was to be discontinued before the end of the year.
Perce
In alt.home.repair, on Mon, 27 Jul 2015 07:55:19 -0400, "Percival P.

I didn't see the SiteKey, so I must be in an early batch of those who lose it. OTOH, I haven't logged in for weeks, so it might not be so early.
As to IP addresses, I understand that even if one has a fixed one, as with a high speed connection, they still get reset every few weeks or months. I forget why and I forget the exact words the tech I talked to used.

In alt.home.repair, on Mon, 27 Jul 2015 07:27:38 -0400, Pat

Well, no. That's exactly what concerns me.
Though if you read the OP, the message also said "This simpler sign-in will be introduced on our different sites before the end of the year."
I guess I have to call them. Maybe I should have changed my password last night, or at least now. Okay. I just called them (and I didn't have to wait on hold more than 5 seconds, though I did have to go through their menu a little bit, and it asked the 3 digit code on the back 3 times before I could find my code) and, assuming they didn't intercept my phone call too, she said that Yes, they have gotten rid of the sitekey. She said, in different words, that it matters that the url is at the root level, with no slash or anything "behind it" as if that makes it harder to foist a phoney site on someone. Sometimes I think the customer service people are taught to bluff, that is agree that there is a problem even if they have no idea what I'm talking about. OTOH she said that she herself had gotten other calls about this very thing. No accent btw. Standard American English.
There was a short recording before she answered that said I had to let them know if I went out of town. I told her my father told me to tell anyone but friends that I was going out of town. She acknowledged the problem! She said if I left the state, they might put my card on hold. Or if I spent more money than usual, even if I stayed here.
Maybe I have heard something like that before. Anyone know?
On Tuesday, July 28, 2015 at 3:33:05 AM UTC-4, micky wrote:

It depends on the CC issuer, their policies, algorithms, and you. I've had a CC shut down only once in many years. I have had them call me to alert me to what they thought was unusual activity because I was using the card somewhere unusual. If you rarely travel and suddenly go to Sudan, you're more likely to have that occur than if you travel frequently on business, go to a lot of the same or similar cities, etc.
On 7/28/2015 7:34 AM, trader_4 wrote:

If you tell them you are going to Nigeria they will double your credit limit and will even set up a meeting with local bankers and members of royalty.
On 7/28/2015 3:33 AM, micky wrote:

My credit card has a form on line where you can tell them where and when you will be traveling. It really does help. I also tell them when I will be out of the country.
I have a CC that I rarely use, but I often use it on vacation. One day, on the first day of vacation, we had breakfast, bought gas, went to a retail store, three charges in about an hour. At the store, the clerk had to call and they asked me a security question. No problem the rest of the trip.
Another time I was on my way home from work and got a text from the CC card company. They asked if I was buying something in France. Texted back "no" and they stopped payment and sent me a new card.
In any case, you can be sure security is being increased, not decreased when you sign in on line.
On Tuesday, July 28, 2015 at 11:20:10 AM UTC-4, Ed Pawlowski wrote:

Except in the case of what BA is doing, it clearly decreases security. By presenting you with an image that you select and know *before* you give them your password, you know that you're actually engaging with the real BA website, not some hackers that have duplicated BA to steal your logon credentials. If you don't see the image, you know something is wrong. Without it, hackers could and do present what looks like a real logon page. So, you try to log on and now the hackers have your user name and pwd.
On 7/29/2015 4:12 AM, trader_4 wrote:

Considering the recent data breaches all over, do you really think BA decided to shortcut and lessen security?
Perhaps they don't want to publicly give details, but I think they are just doing new security in a different manner. There are probably stronger methods employed that obsolete the site key. If the site key was a great enhancement, they would all be doing it by now.
On Wednesday, July 29, 2015 at 11:10:25 AM UTC-4, Ed Pawlowski wrote:

I don't doubt that they have other techniques. But it's clear to me that presenting you with an image that only you and BA know before you enter your PWD would prevent hackers from creating a phony logon page. It worked with Micky. He noticed that he wasn't getting the image and wondered if it was really the bank. You can have X, Y, and Z that all provide some added level of security. All I'm saying is that if you still had Z, the image challenge, then security would be better even if you have X, and Y and think they are very effective. It only adds, it doesn't subtract.
On 7/29/2015 12:01 PM, trader_4 wrote:

What is to stop a hacker from presenting the site key? I always thought it would be the perfect method of stealing your info. There are shady people out there with all sorts of tricks and one photo is not going to keep them from taking your fortune.
I really don't think they would lessen security one tiny bit. Just look at the Caller ID scams where your own number shows up.
On Wednesday, July 29, 2015 at 2:34:30 PM UTC-4, Ed Pawlowski wrote:

That they don't know what the site key pic is that you have personally chosen from a long list of available ones and that they don't know the tag line you've personally added to the pic. They aren't going to get that easily. They can get your user name and pwd by creating a fake logon page that looks like BA.

I don't see how it's the perfect method, when the hacker doesn't know the image or tag line for the image that you created.
There are shady

That added step alone isn't going to prevent all the possible ways, no. But without it, I could create a hack webpage that looks like the BA sign on page. So, without it, you put in your logon name and pwd. Now the hack site has both. With the image challenge, you put in your name and if you don't see the correct image and tag line, you know something is up. That's what caused Micky to become concerned, he didn't see the challenge image and his tag line. I think it's a good idea, because with other sites, many times the webpage has changed or the web address that shows up in the address bar seems different, leading me to wonder, is this really Amex, etc? or a hack attempt. With BA, once I see my image, I'm confident it's really BA.

The analogy here would be you call someone and before starting your private conversation, the person you called has to tell you the pass phrase that only you and they know to prove that you've really called them and not someone else.
On 7/29/2015 2:51 PM, trader_4 wrote:

What is preventing a hacker from getting it? Hackers have been in the Pentagon computers, many stores, banks, insurance companies and on and on. Nothing is truly bullet proof.

If it was that secure, every website would be doing it. Every financial institution would have it. If it makes you feel good, fine, but like every man made puzzle, another man has the solution.
That's what caused Micky to become concerned,

Good for you, it never made me feel any better.
On Wednesday, July 29, 2015 at 3:01:02 PM UTC-4, Ed Pawlowski wrote:

What's preventing the hacker from getting it is all the security firewalls and procedures at BA. And if they get inside that, then essentially all the security goes out the window, they have all the user names and pwds. Which do you think is harder? Creating a webpage and webpage address that looks like the BA one, to get you to enter your credentials or getting inside BA itself and getting all the user names, pwds, images, etc. It's a well known method that works. Send someone a fake message, claiming to be the bank, taking them to a website that looks like it's the real bank, etc.

I didn't say it was "that" secure. I just said it's a good step so that you know when you see a webpage that it's really your bank and not a hacker making a website that looks like the bank. As I said, I've had many times where the webpage at some financial institution looked different, or the web address looked slightly different. With no challenge image, you don't know. With the addition of that simple image, then you know it's the real bank.

I don't know why that would be. How likely do you think it would be that a hacker would know the image and tag line that only BA has? And if they do, then they surely don't need to be phishing via fake websites, which is what the image challenge prevents.
On 7/29/2015 3:22 PM, trader_4 wrote:

How hard is it for a hacker to get a screen shot off of your machine?
I'm sure BA is paying big bucks for a security system and if a picture made it secure, it would be there.
On Wednesday, July 29, 2015 at 5:26:43 PM UTC-4, Ed Pawlowski wrote:

IDK, but I do know that hackers go phishing by creating phony websites and it's one of the ways they can easily get your credentials. The pic you know step can eliminate that. Not every security measure will be effective against everything.

Aren't you the guy that just said in a post that nothing is secure, that the hackers could hack BA itself, etc? And again, I'm not saying that the pic makes it secure, only that from everything I see, it certainly adds to security. Clearly BA thought it was worthwhile at one point. Why they changed, we don't know. And already it's upset some of their customers, eg Micky.
On 7/29/2015 7:20 PM, trader_4 wrote:

Yes, I said that. I still stand behind it, if the site key made it more secure I'm sure it would be there. I think it is of minimal value for protection. Makes you feel good though.
