OT Bank relaxes security. Acceptable?

Is there a good newsgroup for internet security (not involving viruses or malware)?

Until then, this is what I got when I logged into my bank account just now to check my balance:

"We're simplifying the way you sign in

You'll soon be able to sign in with one step by entering your Online ID and Passcode on the same page. SiteKey®, the image you used to see before entering your Passcode, is no longer part of the way you sign in to Online Banking.

This simpler sign-in will be introduced on our different sites before the end of the year.

To help ensure you're on the real Bank of America website before you sign in, check your browser address bar for:

[link]
Green text/shading
Lock icon"

Of course that is the way it was originally, putting in the ID and password on the first page. That was it for the first few years.

It was their idea to have a SiteKey in the first place, an image that they chose that I would see on the screen that showed me I was actually communicating with whom I thought I was, the bank**. Now they have 3 things, the list at the end above, but none of them are personalized for me. Anyone with an account would get these same three things and could duplicate them in a phony site (the existence of which, one which would intercept my attempt to get to them, was a concern when they came up with the SiteKey).

**Because no one else would know what they showed on my screen. Even if there were a key-logger on my computer, it wouldn't read what came in, iiuc, that is, the sitekey, the little sketch they showed me and maybe 1000th of their online customers. (That is, they had 1000 sketches, and if I didn't get the one I expected, I should stop what I was doing and not put in my password.)

Do you do online banking with other banks? Do they have something like the SiteKey, a password or picture they send to you, instead of the other way around, so that you know you're talking to them, in the same way they want a password from you so they know they're talking to you?

Reply to
micky

I use a bank and three CC accounts and only my wife's BofA has the site key. Never had a problem with any of them.

Whatever changes are being made, I'm sure any bank is going to be as secure as they can be and the new system is meant to be more, not less, secure.

Reply to
Ed Pawlowski

Yes, that idea occurred to me. It makes sense. Especially when they've thought of something, to abandon it would leave them open to lawsuits if they hadn't somehow improved things. But still...

Reply to
micky

My Bank of America sign-in still uses dual sign-in with the picture. Are you sure the above message came from the real bank?

Reply to
Pat

[snip]

There are numerous ways for the bank to "fingerprint", so to speak, your computer (or smartphone) to verify that it's yours. Note that this would be a problem if someone grabbed it, but that's another story.

The simplest, of course, is looking at the IP address. That's comparable to checking the "area code" on your phone if you call them as opposed to the complete phone number, but it's a start.

Then there are lots and lots more.

For an example of this, check out the following website brought to you by the great folks at the EFF (electronic freedom foundation)

[link]

Note that all of this is pretty much invisible to the user...

Reply to
danny burstein
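The post above describes checks the bank can run without the customer noticing: a coarse look at the IP address plus a larger set of device attributes. The following is an added example, not code from any poster or from the EFF project linked above, showing one way a server might turn those signals into a decision. It hashes a few request attributes into a device fingerprint, compares the current IP with the one recorded for that device at the /24 (or /64 for IPv6) level as the "area code" style check the post mentions, and decides whether the password alone suffices or an extra step is warranted. The attribute names, the sample request values, the salt and the decision rules are all constructed assumptions for illustration.

```python
"""Risk signals from a sign-in request: device fingerprint plus coarse IP check.

Added example (not the bank's or any poster's code). Attribute names, the
sample devices and the decision rules are assumptions chosen to illustrate
the technique; a real deployment would tune them to its own traffic.
"""
import hashlib
import ipaddress

# Request attributes assumed to be available server-side (constructed names).
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "screen", "timezone", "platform")


def fingerprint(attrs: dict, salt: bytes) -> str:
    """Stable hash of the fingerprint fields.

    The salt is per deployment, so the same device yields different hashes
    at unrelated sites and the stored value is not directly reusable elsewhere.
    """
    parts = [f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS]
    return hashlib.sha256(salt + "|".join(parts).encode()).hexdigest()


def same_network(ip_a: str, ip_b: str) -> bool:
    """Coarse check: do both addresses fall in the same /24 (IPv4) or /64 (IPv6)?

    This is the 'area code' comparison from the post, a weak signal rather
    than proof of identity; dynamic and NAT'd address pools change it often.
    """
    try:
        a = ipaddress.ip_address(ip_a)
        b = ipaddress.ip_address(ip_b)
    except ValueError:
        return False          # malformed input is treated as a mismatch, not an error
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return b in net


def assess_signin(request: dict, enrolled: list, salt: bytes) -> dict:
    """Decide 'allow' or 'step_up' for one sign-in against the user's enrolled devices.

    enrolled: list of {"fp": <hex fingerprint>, "last_ip": <str>} recorded earlier.
    Returns the decision together with the reasons so the outcome can be logged.
    """
    fp = fingerprint(request, salt)
    reasons = []
    known = next((d for d in enrolled if d["fp"] == fp), None)
    if known is None:
        reasons.append("unknown_device")
    elif not same_network(known["last_ip"], request["ip"]):
        # Known device, unfamiliar network: IP only modifies the decision,
        # it never decides on its own, because address pools move around.
        reasons.append("new_network_for_device")
    decision = "allow" if not reasons else "step_up"
    return {"decision": decision, "reasons": reasons, "fingerprint": fp}


# Constructed sample data: one enrolled device seen earlier from 203.0.113.9.
SALT = b"constructed-deployment-salt"
DEVICE_HOME = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
    "accept_language": "en-US,en;q=0.5",
    "screen": "1920x1080",
    "timezone": "America/New_York",
    "platform": "Linux x86_64",
    "ip": "203.0.113.17",
}
ENROLLED = [{"fp": fingerprint(DEVICE_HOME, SALT), "last_ip": "203.0.113.9"}]

if __name__ == "__main__":
    print(assess_signin(DEVICE_HOME, ENROLLED, SALT))
    roaming = dict(DEVICE_HOME, ip="198.51.100.4")
    print(assess_signin(roaming, ENROLLED, SALT))
    stranger = dict(DEVICE_HOME, user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0")
    print(assess_signin(stranger, ENROLLED, SALT))
```

The IP address is deliberately kept out of the fingerprint itself: a device that moves between networks should still be recognised as the same device, with the network change surfacing as a separate reason that can trigger a step-up rather than a hard failure.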

When I signed in to my BofA account this morning, I had to answer one of my "challenge questions" before I got to the SiteKey picture, but then I too saw the notice that SiteKey was to be discontinued before the end of the year.

Perce

Reply to
Percival P. Cassidy

My home computer goes through a wireless network so the IP isn't a constant. The weather and ads I get are often for the Utah area since that's one location where IPs are drawn from the pool. A couple of times I've gotten a blacklisted IP and had to verify that I wasn't a spammer.

Reply to
rbowman

I haven't hit a bank that does it but we deal with one site that has implemented two factor authentication. The first step is a conventional username/password. Then they text a one time passcode to your mobile phone.

The two factors may be something the user knows (password), something a user has (phone, thumbdrive, card), or some physical characteristic (thumbprint, retinal scan).

The site key doesn't make it for the second factor. You know your password and that it's supposed to be a picture of a platypus.

Reply to
rbowman
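The post above describes the second step of that site's login: a one-time passcode sent to the phone after the password. As an added example, not code from any poster, bank or site, here is the server-side half of that step: issuing a random numeric code for out-of-band delivery and verifying what the user types back. It shows the properties that make such a code a real second factor rather than a formality: the code is random, expires quickly, can be used once, is compared in constant time, and the challenge locks after a few wrong guesses. The time-to-live, attempt limit, code length and the in-memory store are constructed assumptions; a real system would hand the issued code to an SMS gateway and persist challenges properly.

```python
"""Server-side handling of an SMS-style one-time passcode (second factor).

Added example, not the code of any poster or site. Code length, expiry,
attempt limit and the in-memory store are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: lock the challenge after five wrong guesses


@dataclass
class Challenge:
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpService:
    """Issues and verifies one-time passcodes keyed by user id."""
    clock: Callable[[], float] = time.time
    pending: Dict[str, Challenge] = field(default_factory=dict)
    # Per-process key so the store holds keyed hashes, never live codes.
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _digest(self, user_id: str, code: str) -> bytes:
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for out-of-band delivery.

        A second issue() replaces any pending challenge for the same user.
        """
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to a fixed width
        # so a leading-zero code is not rejected as 'too short' later.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user_id] = Challenge(
            code_hash=self._digest(user_id, code),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        return code   # handed to the SMS gateway in a real system, never to the browser

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok' on success, otherwise a short reason; never reveals the code."""
        ch = self.pending.get(user_id)
        if ch is None:
            return "no_challenge"
        if ch.used:
            return "already_used"          # single use: a replayed code fails
        if self.clock() > ch.expires_at:
            del self.pending[user_id]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"                # guessing 10**6 codes is cut off early
        ch.attempts += 1
        # Constant-time comparison of keyed hashes; mismatched lengths are handled too.
        if hmac.compare_digest(self._digest(user_id, submitted), ch.code_hash):
            ch.used = True
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")
    print("delivered out of band:", code)
    print(svc.verify("alice", "000000"))   # almost certainly wrong_code
    print(svc.verify("alice", code))       # ok
    print(svc.verify("alice", code))       # already_used
```

The lock counter is what turns a six-digit code into a usable factor: without it, a million guesses is a small number for an automated client, and with it the attacker gets at most five tries per issued code.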

Given that no other website that I deal with has the procedure that BA currently has, apparently it's acceptable to the industry and their customers. IDK why BA would want to change it. Presenting you with an image you chose and recognize would certainly help eliminate the skunks that pretend to be the bank, have you try to log in, etc. But I don't know any other site that does that.

Reply to
trader_4

To be frank, all of that shit is totally fuskin' meaningless to me since I'm not liable for unauthorized accesses to any of my accounts.

Reply to
Edmund J. Burke

Do you really want to go through the hassle of getting things back to normal after an unauthorized access to your account?

Do you really want to be in limbo in the meantime?

Reply to
taxed and spent

For the record, as if it matters, I didn't choose it. They just gave it to me, I presume from a large collection of possible small black & white images. But that part seems okay. There certainly wasn't a spoof site giving out images at the time (so that when I came back I would insist on getting the same spoof site, when the real BoA wasn't even using images) when all a spoof site would want to do was collect ids and passwords.

Everything else you have here is right on.

Reply to
micky

As I said, the purpose of the SiteKey was not for them to verify that it is me.

It was for me to verify that it is them.

Reply to
micky

I didn't see the SiteKey, so I must be in an early batch of those who lose it. OTOH, I haven't logged in for weeks, so it might not be so early.

As to IP addresses, I understand that even if one has a fixed one, as with a high speed connection, they still get reset every few weeks or months. I forget why and I forget the exact words the tech I talked to used.

Reply to
micky

Per Edmund J. Burke:

The problem I would see is that once somebody drained my account, it would be on me to get the financial institution to put money back into the account. May sound simple on the face of it, but I would expect a major PITA and much pain.

Speaking as a long-term developer of computer applications, I would not even consider online banking or any other online financial transactions except for those against my VISA credit card.

That is not to claim any particular expertise in online development or security... but I know in my heart that there are thousands, if not tens or hundreds of thousands, really, *really*, REALLY smart people all over the world trying to figure out how to separate me from what little money I have.

It also seems like the first line of "defense" of most large corporations where online fraud is concerned is stonewalling it - denying that anything happened.

Reply to
(PeteCresswell)

How big a PITA it is probably depends on the bank.

However paranoia is causing you a bigger PITA.

I haven't been to a branch in over a year. I do everything online, most of it from my phone. I'd hate to have to go back to the bad old days.

I can't lose anything from unauthorized transfers or debits from any of my accounts. It's likely the same for you.

I hate to add to your paranoia but you don't need an online bank account to be a victim. Wasn't it around 50 million card numbers that Target lost? Shop at Target? You say you use Visa... 8-O

Reply to
J0HNS0N

Well, no. That's exactly what concerns me.

Though if you read the OP, the message also said "This simpler sign-in will be introduced on our different sites before the end of the year."

I guess I have to call them. Maybe I should have changed my password last night, or at least now. Okay. I just called them (and I didn't have to wait on hold more than 5 seconds, though I did have to go through their menu a little bit, and it asked the 3 digit code on the back 3 times before I could find my code) and, assuming they didn't intercept my phone call too, she said that yes, they have gotten rid of the SiteKey. She said, in different words, that it matters that the url is at the root level, with no slash or anything "behind it" as if that makes it harder to foist a phoney site on someone. Sometimes I think the customer service people are taught to bluff, that is agree that there is a problem even if they have no idea what I'm talking about. OTOH she said that she herself had gotten other calls about this very thing. No accent btw. Standard American English.

There was a short recording before she answered that said I had to let them know if I went out of town. I told her my father told me to tell anyone but friends that I was going out of town. She acknowledged the problem! She said if I left the state, they might put my card on hold. Or if I spent more money than usual, even if I stayed here.

Maybe I have heard something like that before. Anyone know?

Reply to
micky

Ah, Blank of America...

I suspect they gave up on SiteKey because it was an extra step AND it did not improve security. Several years ago there was an experiment (or an actual scam, IDR now) where subjects were served spoofed signOn pages which had the wrong SiteKey image and almost all of them logged in anyway.

SiteKey had another component. In addition to selecting an image from their catalog you also entered your own caption. If the experiment had shown the correct picture but wrong caption I bet virtually everyone would have ploughed ahead.

m
Reply to
Fake ID

Yeah, I can imagine that happening, even with me. Like, I intend to buy gas at the Gulf station on the corner and it's a Standard station now, but I stop anyhow.

But if it was a worthwhile precaution and the big problem is no one uses it right, there should be some way to make people use it right.

Sure, words are less important than pictures and take more time to notice. We didn't have words, and we didn't select our own image, and already I'm starting to forget what it was. A clothes iron maybe. If they showed me something else, I might think that was it.

Reply to
micky

It depends on the CC issuer, their policies, algorithms, and you. I've had a CC shut down only once in many years. I have had them call me to alert me to what they thought was unusual activity because I was using the card somewhere unusual. If you rarely travel and suddenly go to Sudan, you're more likely to have that occur than if you travel frequently on business, go to a lot of the same or similar cities, etc.

Reply to
trader_4
