Bank of America authenticates via mobile phone

BoA's innovative approach to authentication for online banking
Security Strategies Alert By M. E. Kabay , Network World , 01/03/2008

Senior Technology Consultant Mike Drabicky has been working in the computer industry for more than three decades in programming, system and network management and design, data center management, and database security and compliance. He's a regular and welcome correspondent, and I was so taken with his most recent comments that I asked him for permission to publish them. Here, with slight edits, is his discussion of a new wrinkle in authentication ("I" refers to Mike).

* * *

I have a Bank of America (BoA) credit card and use the bank's Web site all the time to check charges, pay bills and all those normal online activities. As one who deals with security as part of his job, I am always concerned about phishing and phony Web sites masquerading as the real thing, all dedicated to taking that which is not theirs to take: my personal information.

A year or so ago, BoA offered the SiteKey, a second level of authentication. With this, you would pick an icon representing something of interest as a way of authenticating the Web site and only then provide a password to access your account. Mich published a couple of articles last April about SiteKey.

More recently, BoA offered another front-end security option: SafePass, a text message code sent to your cell phone. Upon request, BoA will send a six-digit code to your cell phone via text message. When you enter the code, BoA validates the code and allows you to proceed to the icon/password verification page just described. The token expires in 10 minutes. They also offer an alternative mechanism of authentication should you be in a place unable to receive the message on your cell phone.

There are a number of really positive things to say about this scheme:

1. It is low-cost. No tokens to tote, no tokens to lose, no software to load, nothing extra needed other than what you very likely already have: a cell phone.

2. It is easy to understand and use. There’s nothing complicated about this: anyone accessing their Web site should be more than knowledgeable enough to appreciate the simplicity and elegance of this system.

3. It speaks volumes for BoA. This tells me that Bank of America understands the security risks of doing credit card business on the Web and has taken steps to make sure the person on the other end of the browser is indeed who they say they are.
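The SafePass flow described above (a six-digit code sent out of band, valid for 10 minutes, checked before the SiteKey/password page) is easy to model on the server side. The following is an added example written for this page, not Bank of America's code, and it makes a few assumptions the article does not state: the code is accepted only once, a small number of wrong guesses burns the code, only an HMAC of the code is stored so a leaked table does not expose live codes, and the SMS gateway is replaced by handing the code back to the caller so the example runs offline. The names (SmsOtpService, issue, verify) are illustrative.

```python
"""Server-side model of an SMS one-time-code step (SafePass-style).

Added example, not Bank of America's implementation. Assumptions:
six numeric digits, a 10-minute lifetime, single use, and a per-code
attempt budget. The "send SMS" step returns the code to the caller so
the flow can be exercised offline.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 10 * 60   # the article: the token expires in 10 minutes
CODE_DIGITS = 6                   # the article: a six-digit code
MAX_ATTEMPTS = 5                  # assumption: wrong guesses allowed per code


@dataclass
class PendingCode:
    digest: bytes      # HMAC of the code, never the code itself
    issued_at: float   # seconds since epoch (passed in, so tests are deterministic)
    attempts: int = 0


@dataclass
class SmsOtpService:
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)   # user -> PendingCode

    def _digest(self, user: str, code: str) -> bytes:
        # Keyed hash binds the code to the user; a database leak exposes no live codes.
        return hmac.new(self.secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: float) -> str:
        """Generate a fresh code for `user`; any older outstanding code is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(self._digest(user, code), now)
        return code   # in production this goes to the SMS gateway, not back to the browser

    def verify(self, user: str, code: str, now: float):
        """Return (ok, reason). The code is consumed on success, expiry, or exhaustion."""
        entry = self.pending.get(user)
        if entry is None:
            return False, "no code outstanding"
        if now - entry.issued_at > CODE_LIFETIME_SECONDS:
            del self.pending[user]
            return False, "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[user]
            return False, "too many attempts"
        # Constant-time comparison so response timing leaks nothing about the digest.
        if not hmac.compare_digest(entry.digest, self._digest(user, code)):
            return False, "wrong code"
        del self.pending[user]   # single use: a replayed code fails
        return True, "ok"


def demo() -> dict:
    """Walk through the cases a practitioner cares about; returns the reasons."""
    svc = SmsOtpService()
    t0 = 1_000_000.0
    code = svc.issue("alice", t0)
    wrong = "000001" if code != "000001" else "000002"
    out = {}
    out["wrong"] = svc.verify("alice", wrong, t0 + 30)[1]     # one bad guess, code still live
    out["fresh"] = svc.verify("alice", code, t0 + 60)[1]      # correct code inside the window
    out["replay"] = svc.verify("alice", code, t0 + 61)[1]     # same code again: consumed
    late = svc.issue("alice", t0)
    out["late"] = svc.verify("alice", late, t0 + CODE_LIFETIME_SECONDS + 1)[1]   # phished code used after 10 min
    return out


if __name__ == "__main__":
    print(demo())
```

The `late` case is the property the comments below argue about: a code captured by a phishing page or spyware is worthless once the window closes, but nothing here stops an attacker who relays the code to the real site within those 10 minutes. Single use narrows that to a race between the attacker and the victim; only binding the code to the transaction or session being authorised closes it.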

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services.

Comments (8)

RE: Bank of America authenticates via mobile phone
By jbl-az on January 3, 2008, 9:37 am
The "sitekey" image and phrase do not add appreciably to security; like user name and password, they are something you know, still single-factor authentication....


The sitekey could mitigate
By Anonymous on January 3, 2008, 10:28 am
The sitekey could mitigate the majority of automated attacks on the user/password scheme (at least for now!). And this at rather low cost; additionally it's easy to...


This hardly seems low-cost.
By Anonymous on January 4, 2008, 9:32 pm
This hardly seems low-cost. Instead, BoA is just passing the cost of the increased security off to the customers. I'd much rather pay $5 for a real token than face...


No More Secure!
By Chibi on January 5, 2008, 4:33 am
I have not used the SafePass system, but I do not believe that it will make online banking any more secure. In addition to stealing a username and password, a phishing...


You should understand it a
By Anonymous on January 14, 2008, 5:17 pm
You should understand it a little more before you slam it. The code expires, so most phishing and spyware would capture already expired tokens.


How disappointing this is.
By Anonymous on January 16, 2008, 1:00 am
How disappointing this is. Bank of America had an opportunity to make an improvement, yet this is still completely vulnerable to malware. They should have opted...
