Senior Technology Consultant Mike Drabicky has been working in the computer industry for more than three decades in programming, system and network management and design, data center management and database security and compliance. He’s a regular and welcome correspondent and I was so taken with his most recent comments that I asked him for permission to publish them. Here, with slight edits, is his discussion of a new wrinkle in authentication ("I" refers to Mike).
* * *
I have a Bank of America (BoA) credit card and use the bank's Web site all the time to check charges, pay bills and all those normal online activities. As one who deals with security as part of his job, I am always concerned about phishing and phony Web sites masquerading as the real thing, all dedicated to taking that which is not theirs to take: my personal information.
A year or so ago, BoA offered the SiteKey, a second level of authentication. With this, you would pick an icon representing something of interest as a way of authenticating the Web site and only then provide a password to access your account. Mich published a couple of articles last April about SiteKey.
More recently, BoA offered another front-end security option: SafePass, a text message code sent to your cell phone. Upon request, BoA will send a six-digit code to your cell phone via text message. When you enter the code, BoA validates the code and allows you to proceed to the icon/password verification page just described. The token expires in 10 minutes. They also offer an alternative mechanism of authentication should you be in a place unable to receive the message on your cell phone.
There are a number of really positive things to say about this scheme:
1. It is low-cost. No tokens to tote, no tokens to lose, no software to load, nothing extra needed other than what you very likely already have: a cell phone.
2. It is easy to understand and use. There’s nothing complicated about this: anyone accessing their Web site should be more than knowledgeable enough to appreciate the simplicity and elegance of this system.
3. It speaks volumes for BoA. This tells me that Bank of America understands the security risks of doing credit card business on the Web and has taken steps to make sure the person on the other end of the browser is indeed who they say they are.
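To make the mechanics of the scheme concrete, here is an added illustration of the server side of an SMS one-time-code step like the one described above. It is not Bank of America's code and is not from the article; it keeps the six-digit code and 10-minute expiry the text mentions, and adds single use and an attempt cap, which are my assumptions about a sensible implementation, not something the article states.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 600   # the 10-minute expiry described in the article
MAX_ATTEMPTS = 3              # assumption: retire a code after a few wrong guesses


class SmsCodeVerifier:
    """Issue and verify one-time SMS codes (constructed example, not BoA's code)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._pending = {}           # user_id -> {code, issued_at, attempts, used}

    def issue_code(self, user_id):
        # secrets.randbelow is CSPRNG-backed; zero-pad so every code has six digits
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = {
            "code": code, "issued_at": self._clock(), "attempts": 0, "used": False}
        return code  # caller hands this to the SMS gateway; never log it

    def verify_code(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None or entry["used"]:
            return False, "no active code"        # replayed or never issued
        if self._clock() - entry["issued_at"] > CODE_LIFETIME_SECONDS:
            del self._pending[user_id]
            return False, "expired"               # the 10-minute window has passed
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False, "too many attempts"     # stops online guessing of 10^6 codes
        entry["attempts"] += 1
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(entry["code"], str(submitted)):
            entry["used"] = True                  # single use: the same code cannot be reused
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    v = SmsCodeVerifier()
    code = v.issue_code("demo-user")
    print("verify once:", v.verify_code("demo-user", code))    # (True, 'ok')
    print("replay:", v.verify_code("demo-user", code))         # (False, 'no active code')
```

A code captured by spyware is still usable until it expires or is consumed, so the expiry and single-use rules narrow the window but do not remove it, which is the point the commenters below argue about.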
Comments (7)
Look again. By Anonymous on February 6, 2008, 3:14 pm: It is transaction based, not session based. Just required for high-risk activities, not every time you sign in (unless from an unrecognized computer).
How disappointing this is. By Anonymous on January 16, 2008, 1:00 am: How disappointing this is. Bank of America had an opportunity to make an improvement, yet this is still completely vulnerable to malware. They should have opted...
You should understand it a little more before you slam it. By Anonymous on January 14, 2008, 5:17 pm: You should understand it a little more before you slam it. The code expires, so most phishing and spyware would capture already expired tokens.
No More Secure! By Chibi on January 5, 2008, 4:33 am: I have not used the SafePass system, but I do not believe that it will make online banking any more secure. In addition to stealing a username and password, a phishing...
This hardly seems low-cost. By Anonymous on January 4, 2008, 9:32 pm: This hardly seems low-cost. Instead, BoA is just passing the cost of the increased security off to the customers. I'd much rather pay $5 for a real token than face...