Domain: bankofamerica.com
Stories and comments across the archive that link to bankofamerica.com.
Comments · 120
-
Text messages as CAPTCHAs
Bank of America, and probably others, use something they call SafePass as the equivalent of a CAPTCHA: they send a text message to your cell phone which you have to type back into a web page.
In the end, how strong a CAPTCHA system you use comes down to who feels the pain. A few spam emails sent by our system? Small price to pay to sign up new users for our [email|blog|whatever] service. An unauthorized transfer of $any_amount that we'll have to cover? Clamp down hard.
-
Re:Not as lame as people are thinking...
Or, even easier, contract with a payroll outsourcing company to provide payroll services, just like huge swaths of private industry do, and stop worrying about paying the ~170 million dollars the article references to upgrade a custom payroll system to a *new* *custom* payroll service that you'll read the same frigging article about 30 years from now, detailing how California can't find Java programmers anymore to upgrade their 100,000 lines of payroll code.
This is not a unique problem for an organization to have. Why would you reinvent the wheel when you could let a company that specializes in payroll outsourcing handle the problem for you at a cost that's probably significantly lower than the cost of doing it yourself? I find it terribly hard to believe that the State of California pays people in such a byzantine way that they need to roll their own solution and maintain the entire infrastructure themselves.
According to the 2006 US Census of State Employment, California employed 474,660 full & part time employees. That $177,000,000 referenced as the cost of upgrading could certainly be better spent negotiating a good contract for payroll services. Considering ~22,000 of the people listed in that census fall into the category of "Financial Administration," I bet the outsourcing would also save the state some non-trivial amount of money in the form of salaries that no longer have to be paid, saving the state even more money.
A cursory search using google shows that "small businesses" can expect to pay about $10 to $12 dollars per employee per month for outsourced payroll services. Assuming this is the best rate California could get, that 177 million dollars in upgrade costs would pay for about 2.5 years of service. Consider that they'd undoubtedly get a discount for such a significant volume of business, and the money they'd save by not having to owning, operating, staffing, and supporting their own data centers to perform this function for half a million employees, and I think there's a very good chance that outsourcing their payroll services would be a big money saver for the state.
Of course, this is all based on the (perhaps faulty) premise that any government wants to provide the most fiscally responsible solution to its taxpayers... -
Re:You're missing the point
Unfortunately there are still a lot of legit uses for SMS. Many IT departments use SMS for contacting on-call staff. When I'm on call (one week out of every six) I have the option of getting paged via SMS's to my cell phone or carrying around a Skytel pager. A lot of folks I know prefer the SMS route since it means one less gadget they have to carry around.
Bank of America has recently rolled out a new security feature for their on-line banking that relies on SMS that they call SafePass. You register your mobile phone number with your account and when you want to log into your account they send you an SMS with a random 6-digit code. You then have to enter that along with your PIN to log in. It provides additional security since phishers can't easily get that random code off of your mobile phone, and each code expires after 15 minutes. It wouldn't surprise me if you start seeing more on-line systems using something like this to enhance security. It's basically a poor man's RSA SecurID since most people have mobile phones these days.
-
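As an added worked example (not from the comment above and not Bank of America's code), here is the server side of such a scheme: a six-digit code drawn from a CSPRNG, bound to a session, expiring after 15 minutes, single-use, and with an attempt cap so the 10^6 code space cannot simply be guessed. The OtpStore class, the three-attempt limit and the session identifiers are assumptions for illustration; the code is returned to the caller only so the flow can be exercised offline, where a real deployment would hand it to an SMS gateway instead.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 15 * 60   # the 15 minute lifetime described in the comment
MAX_ATTEMPTS = 3            # assumption: discard the code after three wrong guesses


class OtpStore:
    """Issue and verify single-use numeric codes bound to a login session.

    Hypothetical server-side component standing in for whatever runs behind
    an SMS second factor; the clock is injectable so expiry can be tested.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session_id -> (code, issued_at, failed_attempts)

    def issue(self, session_id):
        # secrets.randbelow is unbiased; zero-pad so that 000123 is a valid code
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = (code, self._clock(), 0)
        # Returned here only for the offline demo; production sends it by SMS.
        return code

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False, "no code outstanding"
        code, issued_at, attempts = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            del self._pending[session_id]
            return False, "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]
            return False, "too many attempts"
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[session_id]   # single use: a replayed code fails
            return True, "ok"
        self._pending[session_id] = (code, issued_at, attempts + 1)
        return False, "wrong code"
```

The attempt cap matters as much as the expiry: with six digits and a 15 minute window, an unthrottled verifier would let an automated attacker try a meaningful fraction of the code space against an intercepted session.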
Reminds me of...
This reminds me of the real early days of web sites. Just past when people were excited about being able to put "hello world" up, and when they started charging people for content.
"Secure" pages were usually some obscure web page under the main site. Security was that your members area was called http://example.com/members_mysecret .
And then people started getting smarter. Oh my gosh, that .htaccess can actually control access. But what do we do about the crappy billing company that doesn't actually give you login information, they just tell you to protect by HTTP_REFERER? :)
If this happened on all the super-kewl-elite hax0r sites, then the good old C&D wouldn't be doing much good, they'd be crying about how the hackers have infiltrated their security.
It does make me feel nostalgic, thinking of the folks who thought http://example.com/members_mysecret would always protect them.
So my advice. Suck it up, and hire someone who knows at least something about security, and make your application work securely, if you don't want the whole world to use your content. :) You can't blame Howard for your own security problem. Would "Bank of America" be able to blame the hackers, if there was a super secret file called http://bankofamerica.com/all_customer_info.3.7.2008.zip ? -
Chapter 11 Statistic
From Maximizing Chapter 11 Success:
"A staggering 85% of Chapter 11 Bankruptcy cases never make it to a confirmed plan of reorganization. In fact, lack of cash causes many companies to liquidate within a few weeks after filing."
Maybe it's not all bad...
Several companies have come out of it: United, Dow, Texaco, Delta, Toys R Us, Macy's and others. -
Re:How times have changed: you can't trust.....wai
Bank of America calls it "Shop Safe"
-
Re:Live and credit cards
The live network is a 30 minute call followed by a 30 day delay to unhook your Credit Card from your xbox/360. They require passwords, emails used, gamer tag, your CC#, and its expiry date.
I routinely use ShopSafe when transferring money to businesses I have no great reason to trust. It's great -- they can't take more money than I offer, and if I want to stop the payment I talk to my bank, not to the slimeball that made me want to stop the payment. -
ShopSafe vs Progressive/Populist politics
In the earlier article, Caveat Emptor - Use of Credit Cards On-Line, 12 angry men recommend using a bank-tied service (like Bank of America's ShopSafe) to go online to your bank to get a new credit card number for each transaction so as to prevent fraud. Most of America is either Progressive and/or Populist (downside: Progressives tend toward elitism while Populists tend toward racism). But both are against letting corporations run unchecked. However the Bush administration has been entirely on the side of freeing Capitalism from any bounds. Thus there have been lots more business scams recently which it is against the Bush philosophy to investigate and prosecute (just consider the mortgage scams). While a service like ShopSafe might be useful in avoiding a situation where I have to spend a lot of time refuting charges and cleaning up my credit record, I really wish that Bush's DOJ was less concerned about politics and more about aggressively pursuing business crime. The phone do-not-call list was a triumph of Progressives/Populists over business interests. I would much rather have legislation and law enforcement that can quickly track down identity theft and credit card scams than having to carry around electronics so that I can interact with my bank for every credit card usage.
-
Re:Remove ability to "taste" domains?
It was probably this one:
Domain Name: BANKOFARNERICA.COM
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois.html
Name Server: PNS1.TRELLIAN.COM
Name Server: PNS2.TRELLIAN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 06-sep-2007
Creation Date: 06-sep-2007
Expiration Date: 06-sep-2008
Putting the lower-case 'r' and 'n' side by side looks just like an m.
http://bankofarnerica.com/ A-R-N-erica == evil phishing site!
http://bankofamerica.com/ A-M-erica == real bank site.
Mouse over them both, and see how easy it is to misread the url in the status bar.
-
Re:Makes me wonder
it also had a policy to outright block all encrypted traffic that wasn't coming over port 80
I feel sorry for your friend. Https is done over port 443 not 80. (http://en.wikipedia.org/wiki/HTTPS) Every https website I have tried to view over port 80 has given me an error. https://www.bankofamerica.com:80/
-
Re: alert.bankofamerica.com
If you want to be shocked and appalled, check out:
http://alert.bankofamerica.com/images/client/bankofamerica/email_masthead_top.jpg
Now figure out what's wrong with that URL. (Hint: use nslookup twice. Warning: You might fall out of your chair when you realize that 63.251.12.137 resolves as b35.par3.com.)
I've reported this to the real Bank of America three different ways last Monday: by email to the abuse@ address, by talking to a customer service rep on the 1-800 number, and by going to an actual bank lobby. It's still not fixed, and I got another phishing mail that uses that URL today, so I reported it again.
p.s. Mods, help me get this some publicity so it'll get fixed ASAP. Posting anonymously to avoid karma bonus. -
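An added example, not part of the comment above: the check the poster describes (follow the CNAME chain and notice that the name leaves the organization's domain) run against a constructed zone table, so it works offline. The record set below is made up for the demo, the addresses are from the TEST-NET-3 documentation range rather than whatever the real DNS held, and the two-label rule for deciding the organization's domain is an assumption.

```python
# Constructed zone data standing in for what two nslookup calls would return.
# Names and addresses are illustrative only.
FAKE_DNS = {
    "alert.bankofamerica.com.": ("CNAME", "b35.par3.com."),
    "b35.par3.com.":            ("A", "203.0.113.37"),
    "www.bankofamerica.com.":   ("A", "203.0.113.10"),
    "loop.example.com.":        ("CNAME", "loop.example.com."),
}


def resolve_chain(name, records, max_hops=8):
    """Follow CNAME records the way a resolver does and return every name visited.

    Raises ValueError on a loop or an over-long chain instead of spinning forever.
    """
    chain = [name]
    seen = {name}
    while True:
        rtype, target = records.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain            # reached an A record or an unknown name
        if target in seen or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or excessive chain at {chain[-1]}")
        seen.add(target)
        chain.append(target)


def registrable_domain(name, labels=2):
    """Last two labels of a name. Assumption: fine for .com, not for .co.uk."""
    return ".".join(name.rstrip(".").split(".")[-labels:])


def third_party_hops(name, records, org_domain="bankofamerica.com"):
    """Names in the chain whose registrable domain is outside the organization.

    A non-empty result is the condition the comment complains about: a host
    under the bank's name is served by someone else's infrastructure.
    """
    return [n for n in resolve_chain(name, records)
            if registrable_domain(n) != org_domain]
```

Whether such a delegation is a problem depends on whether the third party is a contracted mail provider or a squatter, which DNS alone cannot tell you; what the check gives you is the list of names that need that question answered.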
Re:When you are a primary target
Most other businesses might not even survive the onslaught faced by the DHS and other government sites.
I agree with you that DHS is a "juicier" target than some businesses, but I'm willing to bet that the attacks (and the frequency of them) against Bank of America, Citibank, Equifax, etc, are just as bad if not worse. -
What's a bank?
Even in the financial services industry, there's disagreement over what a "bank" is. Consider
- PayPal. Probably ought to be regulated as a bank, but is not.
- Western Union, a regulated money transfer service.
- ETrade. Etrade is a brokerage house, but owns a bank on the side. Both operate under the "etrade.com" domain.
- Bank of America is a major bank which owns a brokerage house on the side, the reverse of ETrade.
- L.F. Rothschild. Once one of the old-line banking houses of Europe, after about three mergers and breakups, they do offer financial services to the public, but they're not regulated as a bank.
- UBS Financial Services. In the US, they're a brokerage house, but in Switzerland, they're the Union Bank of Switzerland.
- Provident Credit Union. A credit union performs the basic functions of a bank; it takes deposits and makes loans. But it's not a bank.
- Provident Funding, which sells mortgages, but doesn't take deposits. They're the tenth biggest lender in the US, but not a bank.
- Mellon Financial Corporation. They own banks, but are not, themselves, a bank.
- Stanbic Bank of Nigeria. Are they real?
OK, who gets to be in ".bank"?
-
Re:Crux
The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like secureid.
The deceit is simply a man in the middle attack, and we all know this is not a new thing.
I'm a BOA customer, and I've been upset with their security for years, but it keeps getting better, which is kind of a problem in itself.
Some history here. BOA's main website: http://www.bankofamerica.com/ was only recently redirected to an https server. In fact, until recently if you even typed https://www.bankofamerica.com/ you got an error message. Before doing the basic thing like moving the http server to an https server, they introduced this site key junk.
OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) it's not on an https site, and it's asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.
When I go to a supposedly real BOA branch on say Main Street in YourTown, USA, there are a number of things that make me believe it's real. There are other people in there, many of which are wearing BOA nametags, and the BOA logos and stuff are all over the outside and inside of the place. Also, it's expensive and difficult to put up a fake BOA storefront, and the likelihood that a fake one will generate any profit w/o getting caught is about zero (otherwise they would exist!)
Now, how much would it cost me to put up a bankfoamerica.com site? How about 15-20 of them with different typos? How much easier is it being that they can exist anywhere in the world or even outside of the world on a satellite in space even? How hard is it to generate all of these things that look exactly like the real site w/o a secure certificate behind them to boot? Now, being that BOA changes the website all the time, AND it's not on a secure server, how am I supposed to know that I'm even dealing with the same people each time?
My problem is not with BOA identifying me, it's with me identifying them. So, they add site-key and all of this crap, which puts the burden of identifying them on me, which is backwards, especially when they keep changing the rules.
When I worked in a hospital, they talked repeatedly about "universal precautions" with respect to things like AIDS and whatnot. There needs to be a set of universal precautions for doing secure transactions on the internet, and there are none. -
Options to migrate to?
For all the bad flack I've heard about MBNA, my treatment from Linux Fund has been absolutely amazing, reflecting not one bit of MBNA's bad press. I have been more satisfied with the service and benefits of this card than any of my others (and there is a LONG list). This started as a 0% APR promotion, but after the promotion ended and I paid off my debt, I started using it as a real card
... I've used this card as my primary ever since, and now my APR is quite reasonably below prime and my available credit is enough to buy a car on. To top that off, I'm currently in a 1.99% APR promotional period.I have been very very happy with this card
... and that's even ignoring the fact that my use of this card has helped F/OSS AND has been a part of the WorldPoints program (I'm almost qualified for a cheap vacation...). Naturally, when I saw the letter, I decided to keep my membership with the Linux Fund card as long as possible and then request transition to a different WorldPoints program in May. ... though the articles linked here seem to indicate that this won't help the Linux Fund charity any (is that even legal?). There are other WorldPoints programs out there, but BofA doesn't list any of the cooler ones on their All Cards page. A quick search for worldpoints "bank of america" pulls up a very raw list showing that there are tons of them out there, though mostly for groups I am neither affiliated with nor care about (like the various alumni programs). The only promising one was their upcoming WorldPoints Rewards for the Environment card, which is slated for release later this year (I'm not sure if this will be before June).
To the Linux Fund folks: If you jump on the Mastercard/Visa bandwagon with another major bank, I will happily take up your new card. I wouldn't go with Chase, CapitalOne, or other bad-rep banks, but a good bank with a Free Software fund would be my card of choice (and while rewards stuff is enticing, I operate under the assumption that it might get me some free stationery at some point).
-
No URLs
Why not adopt the principle of not having any URLs in the email, and instead having users copy & past an alphanumeric string into some box on the paypal website? Alternatively, they could use something akin to Bank of America's SiteKey method, where an image is presented to the user to verify that the site is the desired site. Unfortunately, at least one study (I couldn't find it quickly) has noted that a significant portion (at least 25% and perhaps > 50%) of those who use such systems still enter in their password if the image is incorrect or missing.
-
Re:Flawed system or flawed usage?
No, it's flawed, and I emailed them about it a couple times over the past year. The reason it's flawed is that a phisher only has to obtain the user's name to see the sitekey. Look at the site if you don't believe me. After the user puts in their username and clicks Sign In, the sitekey displays and asks for the password. It grants absolutely no more security than a simple username or password because a phisher can either brute force usernames and sitekeys in advance, or act as a simple man in the middle to get the user's password and "security question" answer.
For a while it was much worse, because their main page was completely unencrypted. They claimed that the username and password were encrypted before being sent, which is probably just as simple as a method="https://..." form or some javascript, but the real problem is that *any* man in the middle could easily replace the initial page with one that does anything they want, including stealing the username or password and redirecting to a "real" phishing site to steal the sitekey information virtually undetected. The victim would always have to view the source of the main bank of america page in order to make sure there was no javascript or other changes to the page that violated security. For several months I just entered a random username and password on the front page and waited for the redirect to an actual SSL page on the site before using my real name and password.
Whoever runs the bankofamerica site is a fool, and I'm surprised it took this long for anyone else to notice and publish the details. Turning off SSL for the main page went against everything users have been trained to look for in site security. They have since turned SSL back on (apparently not everyone was completely brain-dead) but sitekey is still annoying and useless. -
The screw is up anyway
If you go to http://www.bankofamerica.com/creditcards/ pages and click "View all cards", click one of the cards, click "Apply now", click "Sign in".
It then gives you a page asking for your passcode without bothering with the site key junk.
So not only do the customers not pay any attention to it, the bank itself doesn't bother with it either. -
Re:Flawed system or flawed usage?
The system is pretty badly flawed, even if the user does everything correctly. I don't have time to give a detailed analysis, but here are some points. First of all, the flow of the login is a little confusing, especially since it is different if you are on a PC that you haven't used before with the system. The BoA homepage won't let you connect via SSL. (Yeah, everything gets encrypted before you send, but it would be better to allow users to start off with https://bankofamerica.com/ ) The secret questions are pretty easy to guess, and the answers aren't hidden as you type them in anyway. The system does little to protect you from a man-in-the-middle attack if you end up at a phishing site -- all they have to do is prompt you for a secret question instead of showing you your "sitekey", and then they are as good as in. I also don't like having session information stored on my computer via the Macromedia flash objects. There are some other issues that I don't recall offhand.
I think Bank of America could have found a much better system than the Passmark Sitekey junk. -
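The relay that the comments above describe, as an added example that is not part of any of the posts. The toy Bank, RelayPhisher and StaticClone classes and the account data are constructed for illustration. What it shows in code: a user who dutifully checks the image does stop at a static clone page, but a phisher that forwards the username to the real bank receives the genuine image back and displays it, so the same careful user types the password anyway.

```python
class Bank:
    """Toy server implementing the two-step flow the comments describe:
    username first, then the user's chosen image, then the password."""

    def __init__(self):
        # constructed account; "sitekey" is whatever image the user picked at enrolment
        self._accounts = {"alice": {"sitekey": "sailboat.png", "password": "hunter2"}}

    def step1_sitekey(self, username):
        acct = self._accounts.get(username)
        return acct["sitekey"] if acct else None

    def step2_login(self, username, password):
        acct = self._accounts.get(username)
        return bool(acct) and acct["password"] == password


class StaticClone:
    """A copied login page with no back channel: it cannot know alice's image."""

    def step1_sitekey(self, username):
        return "generic-placeholder.png"

    def step2_login(self, username, password):
        return True   # would pretend success; a careful user never gets here


class RelayPhisher:
    """A man in the middle: forwards whatever the victim types to the real
    bank and shows the victim whatever the bank sends back."""

    def __init__(self, bank):
        self._bank = bank
        self.captured = {}

    def step1_sitekey(self, username):
        self.captured["username"] = username
        return self._bank.step1_sitekey(username)   # genuine image, just relayed

    def step2_login(self, username, password):
        self.captured["password"] = password
        return self._bank.step2_login(username, password)


def careful_user_logs_in(site, username, expected_sitekey, password):
    """A user who follows the advice: only type the password if the image
    matches the one chosen at enrolment. Returns True if the login went through."""
    shown = site.step1_sitekey(username)
    if shown != expected_sitekey:
        return False          # user notices the wrong image and stops
    return site.step2_login(username, password)


def run_demo():
    """Run the careful user against a static clone and against a relay."""
    bank = Bank()
    clone_login = careful_user_logs_in(StaticClone(), "alice", "sailboat.png", "hunter2")
    relay = RelayPhisher(bank)
    relay_login = careful_user_logs_in(relay, "alice", "sailboat.png", "hunter2")
    return {"clone_login": clone_login,
            "relay_login": relay_login,
            "relay_captured": dict(relay.captured)}
```

The image proves only that whoever is talking to the user can reach the bank with that username, which the phisher can. Nothing in the exchange binds the image to the TLS identity of the page the user is actually looking at, which is the part a certificate check or a client-side channel binding would provide.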
Re:credit card merchant agreements
What the hell is "fraudulent[ly] report that an authorized charge... is unauthorized"? Can I even *suspect* an unauthorized charge? I mean, if you call your credit card company to dispute a transaction, it is assumed you suspect the transaction is unauthorized, right? 'Dispute authorized charges' is an oxymoron to me.
BTW, here (PDF warning) is a sample form to dispute unauthorized charges which listed some valid dispute reasons. It is for BoA government cards, but AFAIK the conditions are the same for all cards from all companies.
-
Safe from others, and safe from herself.
I've spent quite some time teaching basic computer/Internet usage to a wide variety of people; some as young as 5, some in their 90s. At some point you realize that there are actually two issues with regards to Internet safety. The first is securing your machine from malicious attacks (viruses, spyware, malware, etc). The second is securing yourself from social attacks by others.
You will probably find a lot of information on the first kind of safety - this is what most tech people will talk about when speaking of Internet security. There are a lot of people much smarter than I am that could tell you a lot of great ways to secure yourself. My basic advice to people was always:
- If you have high-speed Internet, buy a router with some basic firewall abilities (typically between $50 and $80 CDN)
- invest in some antivirus software. Run it at least once a week. If you have a thick client email application, configure your antivirus application to check your mail as it comes in.
- Install a spyware application. Tell her to run it once a month.
- If it's an option, buy a Mac. I would avoid installing linux simply because when Edna from the bridge club comes by to help her do something, Edna probably won't know anything about Linux, but she may know some of the more mainstream OSs/applications.
- Install a browser other than IE. Do your best to prevent her from accidentally using IE.
- Do not let her use Outlook or Outlook express. By itself it's not responsible for Internet security, but it is inherently more susceptible to problems than other thick clients.
- if at all possible, partition her drive into a data partition and an OS/Apps partition. That way you can easily reinstall everything if you have to with only minimal data loss.
That's all that's really needed. The harder part of Internet security is actually getting the individual to act in a secure manner. Start by explaining that communicating over the Internet is just like communicating in real life. Make her feel that this is an extension of what she has been doing for the last 80 years, not some new fangled thing that has just started. That will make her feel a little more comfortable with what she is doing. With every suggestion, relate it to something that she already understands. Some basic guidelines:
- There are places that you can safely go all of the time, and there are places that you should probably never go to (insert name of seedy part of town here).
- There are people that you can trust on the Internet, and there are lots of people that you cannot trust.
- Never ever ever give anyone money just because they ask for it. Only give money to people in exchange for services or products that *YOU* asked for (not that they think you need). Obviously some room for charity here, but do reinforce this point. The elderly are the target of most of the scams that try to take money for no good reason (Think "I'm a Nigerian prince that needs to borrow..."). My wife works at a bank and stops about one old lady every six weeks from emptying her bank account so that she can give it to someone in Nigeria/Egypt/Publishers Clearing House, etc.
- When providing information to people, it's always better to go to them than to have them come to you. If someone from Bank of America wants you to log into your account to check something, open up your browser and type in http://www.bankofamerica.com/, never click on a link that they provided. Yes, there is a difference. No, you probably won't be able to tell. Relate this to the idea that when your bank calls you for financial information it is always a better idea to call them right back than to provide information directly. She should initiate all transactions.
- When asked to fill out a web form, always ask these three questions: -
Re:He mentions a whitelist. He must be joking.
The big question is "how do you know the intent of the user?". Did I mean to type in: http://www.phishersite.com/BankOfAmerica/phishme.html instead of https://www.bankofamerica.com/login.cfm? You can't. And trying to keep track of ALL the good sites is a Sisyphean task.
Brian -
Re:An easy solution
Too late.
Bank of America | Bank of America and MBNA Merger Information
Our commitment to our customers Bank of America Corporation and MBNA Corporation have merged, and MBNA is now part of Bank of America. In bringing the organizations together, we are creating a company that will provide our customers with a greater range of financial solutions than ever before.
Nothing is said about them ending ShopSafe, so there's a chance you might be okay. Maybe. -
keeping quality is a problem
Looking at the shift from Bank of America to Bank of India, I feel it is a pretty tasteless and incompetent change for the worse.
I am pretty sure that most customers will probably vomit en masse and leave for another bank. -
Re:End-run around anti-discrimination statutes
Sure. Rather than a news account I'd direct you straight to the horse's mouth, as they have more details: http://www.bankofamerica.com/newsroom/presskits/view.cfm?page=hispanic -
Re:if it's done well, and some are
The banks are somewhat complicit in this, I think, by using needlessly complicated URLs. I use Bank of America, for example, which I can access online at http://www.bankofamerica.com./ I click on Sign In, which redirects me to https://sitekey.bankofamerica.com/sas/signonSetup.do. After signing in, I'm redirected to https://onlineeast2.bankofamerica.com/gobbledygook/.
This is an easy one, especially for us geeks, because we know how to read a URL. But those URLs look like three completely different sites to the average user. In some cases, they actually ARE different sites, such as when a bank uses a separate company to provide some service.
I recognize that Bank of America is using the onlineeast2 subdomain instead of www in order to do load balancing, but aren't there other ways? Or, if not, couldn't they use www-1, www-2, etc., so the URL at least looks like www.bankofamerica.com? -
Re:Secondary Effects
There are some users who might not notice that, but some aren't as obviously bad as that. What if they used http://bankofamerica.secure.com/ , do you expect everyone to realize that there is a huge difference between http://secure.bankofamerica.com/ and http://bankofamerica.secure.com/ ?
-
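Several comments on this page (the rn/m whois entry, bankfoamerica.com, the phishersite.com path, the sitekey/onlineeast2 subdomains, and the secure.com example just above) turn on the same question: does this URL actually belong to the bank? As an added example, not code from any of the posts, here is a classifier that parses the host, compares its registrable domain to the allowlisted one, and only if that fails looks for lookalike or transposed labels and for the brand name planted elsewhere in the URL. The two-label registrable-domain rule, the confusable table and the category names are assumptions for illustration; production code should use the Public Suffix List for the registrable-domain step.

```python
from urllib.parse import urlsplit

LEGIT_DOMAIN = "bankofamerica.com"

# Sequences that render alike in common fonts. "rn" -> "m" is the one from the
# whois comment; the rest are a small starter table, extend as needed.
CONFUSABLE_PAIRS = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("l", "i"),
]


def registrable_domain(host):
    """Last two labels of the host. Assumption: adequate for .com, wrong for
    suffixes like .co.uk, where the Public Suffix List is needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def canonical_form(label):
    """Collapse confusable sequences so lookalikes map to the same string."""
    out = label.lower()
    for lookalike, target in CONFUSABLE_PAIRS:
        out = out.replace(lookalike, target)
    return out


def typo_variants(name):
    """Every adjacent-character transposition (bankfoamerica from bankofamerica)."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)}


def classify_url(url, legit=LEGIT_DOMAIN):
    """Return one of: legit, homoglyph, typosquat, subdomain-bait, brand-in-path, unrelated."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg == legit:
        return "legit"              # sitekey.* and onlineeast2.* both land here
    legit_sld, legit_tld = legit.split(".", 1)
    sld, _, tld = reg.rpartition(".")
    if tld == legit_tld:
        if canonical_form(sld) == canonical_form(legit_sld):
            return "homoglyph"      # bankofarnerica.com
        if sld in typo_variants(legit_sld):
            return "typosquat"      # bankfoamerica.com
    if legit_sld in host:
        return "subdomain-bait"     # bankofamerica.secure.com, bankofamerica.com.evil.example
    if legit_sld in url.lower():
        return "brand-in-path"      # phishersite.com/BankOfAmerica/...
    return "unrelated"
```

Note the order of the checks: the registrable-domain comparison comes first and is the only one that says "yes". Everything after it only explains why a non-matching URL looks plausible, which is useful for triage and for user-facing warnings but must never be turned into an allow rule.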
Re:Short answer
Yes, but the main page has boxes for both your ID and password. By the time you get to the sitekey page and see that it's wrong/missing, the phishing site already has your login information. That makes the whole thing just a pointless waste of time and an annoyance to have to enter the password a second time.
-
Re:Lets say it together:
>The best I have seen passwords work is at Bank of America's online banking
So, ... What are the higher standards of your data Champion?
opinion->Last time I checked, a Pin of 4 characters would only meet elementary school standards.
"What is an Access ID and what will it allow me to do? An Access ID is a code comprised of 6 to 20 numbers. A PIN is a code comprised of 4 to 7 numbers. When those codes are used together, you can do all of the following by telephone, PC or in person: (1) obtain information about your accounts (2) transfer funds between your accounts (3) obtain other services, such as stop payments, check reorders, or copies of checks and statements.
©2001 Bank of America Corporation."
Source Bank of America http://www.bankofamerica.com/accessiblebanking/pdf/91-11-2500B.pdf
This doc is webbot enabled btw: e.g. if you view the PDF, block Adobe outbound packets because someone is watching.
-
Re:An opportunity, a threat...
Keys and tokens are nice, but you have to realize that the trojan dictates which info goes from bank to user and from user to bank. It can block, forge or manipulate anything supposed to go from either end to the other.
I have one piece of software that requires 2 hardware dongles attached to my machine to ensure that I paid enough money for the software.
I'm not suggesting anything that difficult, but how difficult would it be for a standard much like the magstripe cards and private network that exists for credit cards for having a "card" or something for the computer that adds a level of security.
Imagine if it was something that could be plugged into any USB or Firewire port, that would do a challenge response with the bank's site and both you and the bank are authenticated?
No. Online banks are not secure. They look like any other website, and I don't consider every website secure enough to do money with.
Take a look at: http://www.wachovia.com/ and before a month or so, here: http://www.bankofamerica.com/index.cfm The BOA site used to have a password on their plaintext unsecured front page. Wachovia and others still do.
Without at least a https login url, I have no reason to expect that the page I am at is my bank. Could a nasty guy at my ISP give me a false IP address for the name and I'm on a website overseas without any FDIC or whatever kind of legal assurance? NO. I however, am much more informed of these things. Most people would just assume that anything with their banks name on it would be OK. If the site looked different, they would assume it was a design change.
A dongle issued from my bank that verifies both my identity and that of the website would be welcome in my book. I don't just type in a username and password to buy something at the store where I can see a human being. I have to show a stamped card with a hologram over the last 4 digits. They are relatively easy to reproduce, but it's very uncommon for there to be phony credit cards out there. Stolen ones are often recognized quickly.
With a dongle, access to my account could be tracked, because it is tied to a piece of hardware that supposedly can't be in more than one place at a time, and certainly not likely for it to be used all over the world in a day's time. It could be revoked, and I have to show up in person to get a new one issued, just like I do with my check card when it expires. It also has my picture on it. I don't mind having my face in public and a picture on my bank card at the same time.
-
Re:Anti-phishing should be done at the website lev
http://www.bankofamerica.com/ switched to sitekey months ago, and they still ask for your Passcode on their front page, before you get to see your sitekey image. Whoever is in charge there doesn't understand the point of what they're doing.
-
When does that stop any stupid crap?
After all, we now see that Bank of America is on its way toward patenting the ceiling function. See at the bottom? Patent pending.
-
How does it stop phishing?
Check out the Bank of America description here
A lot of people seem to be confused about how this is going to work, which isn't surprising because the article didn't do a very good job of explaining it. I signed up with SiteKey at BoA a few weeks ago, and the concept is actually decent. It's got some problems, but it's a fairly simple solution that will make the simplest phishing scams a lot harder and/or more traceable.
Here's how it works:
- You start logging in with your account ID, but not your password
- If you haven't logged in from this machine before (based on cookies), one of three personal questions is asked, and you have to give the correct answer before moving on to the next step.
- If you've logged in from this machine before or you answered the question correctly, an image you selected previously is displayed to you, along with a message you created. You then enter your password and are logged in.
The three personal questions are chosen by the bank. There are actually three sets of possible questions, and each set has different questions. You choose one question from each set, and none of them are dumb things like "what's your password?" or "what's your CCV code?". Some of them are pretty easy to find out, but most phishers don't have time to figure it out.
This does make phishing a lot more difficult. Now, to phish, you have to be set up to ask the user for his account ID, send it to the bank to get the correct challenge question, ask the victim the question, supply the answer to the bank, get the image and message and then finally get the password. That's a lot tougher than a screen that asks for user names and passwords and then displays a login error and redirects to the bank website. It's also more traceable, because you have to interact with the bank website, meaning that they have a bit more to go on to track you down. Finally, the user will be tipped off that something's going wrong, because they know they shouldn't be asked those questions from their home computer. That's why the "personal questions" are so important. It stops the phisher from completely automating things and just taking the account number and grabbing the image and message from the bank's website, because they won't have the cookie needed to get the proper image. Obviously there are holes in the scheme and phishing will still be possible, but this is a simple solution that raises the bar a lot.
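The three-step flow described in the post above, modelled as a small server-side state machine. This is an added example, not Bank of America's code or the SiteKey implementation; the HMAC-tagged device cookie, the fixed salts, the decoy question for unknown IDs and all account data are constructed here to show why a client without the device cookie only ever sees a challenge question, never the image and phrase.

```python
import hashlib, hmac, secrets

SERVER_KEY = b"constructed-server-secret"  # placeholder secret, not a real key

def _h(secret: str, salt: str) -> str:
    return hashlib.sha256((salt + secret).encode()).hexdigest()

# Constructed enrolment record: the chosen question, image and phrase, with
# the answer and password stored only as salted hashes (fixed salts for brevity).
USERS = {
    "1234567890": {"question": "What was the name of your first pet?",
                   "answer": _h("rex", "sa"), "image": "red-barn.png",
                   "phrase": "snow on the roof", "password": _h("correct horse", "sp")},
}
DECOY_QUESTION = "What was the name of your first pet?"  # assumed: shown for unknown IDs

def make_device_cookie(account_id: str) -> str:
    """Set on a machine once it has answered a challenge question correctly."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{account_id}:{nonce}".encode(), "sha256").hexdigest()
    return f"{account_id}:{nonce}:{tag}"

def cookie_is_valid(account_id: str, cookie=None) -> bool:
    """A cookie is trusted only if its HMAC verifies for this very account."""
    parts = (cookie or "").split(":")
    if len(parts) != 3 or parts[0] != account_id:
        return False
    expected = hmac.new(SERVER_KEY, f"{parts[0]}:{parts[1]}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(parts[2], expected)

def step1_account_id(account_id: str, cookie=None) -> dict:
    """Only the account ID is sent. A recognised machine gets the SiteKey image
    and phrase; an unrecognised one (no or forged cookie) gets a challenge question."""
    user = USERS.get(account_id)
    if user and cookie_is_valid(account_id, cookie):
        return {"next": "password", "image": user["image"], "phrase": user["phrase"]}
    return {"next": "challenge", "question": user["question"] if user else DECOY_QUESTION}

def step2_answer(account_id: str, answer: str) -> dict:
    """Correct answer: reveal image and phrase and issue a device cookie."""
    user = USERS.get(account_id)
    if user and hmac.compare_digest(_h(answer.strip().lower(), "sa"), user["answer"]):
        return {"next": "password", "image": user["image"], "phrase": user["phrase"],
                "set_cookie": make_device_cookie(account_id)}
    return {"next": "refused"}

def step3_password(account_id: str, password: str) -> bool:
    """The password is only requested after the image and phrase were shown."""
    user = USERS.get(account_id)
    return bool(user) and hmac.compare_digest(_h(password, "sp"), user["password"])
```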
-
Re:How will SiteKey stop phishing?
-
Re:Just called BofA....
Since I am a Bank of America customer, I decided to go to their website to read their official statement about the breach. I was surprised to find no mention of the incident. There is a Privacy and Security section as well as a news room.
In the end I decided to ask them about it:
I recently learned that more than 670,000 bank customers may have had their account information stolen, and that at least 60,000 were customers of Bank of America. It is alarming that I can find no mention of the incident anywhere on your web site. It would be reassuring to hear an official company statement explaining the nature and the severity of the breach. Here is the URL of the news article I read: http://money.cnn.com/2005/05/23/news/fortune500/bank_info/index.htm
If they reply with anything substantial I'll try to follow up here.
-
bank of america link
Why is there no link to Bank Of America in the summary?
-
Re:What happened to BofA $0 Liability?
>Unless I'm missing it, I don't see anywhere that it says the customer is responsible for running virus protection. Is there some reason that I'm missing as to why this very public guarantee does not apply?
This was a wire transfer, rather than typical consumer service like online bill payment.
I suspect that this customer has a commercial banking account and is using commercial banking services. For instance, see this URL:
http://www.bankofamerica.com/deposits/checksave/index.cfm?template=lc_faq_wire#question2
There's no mention of online wire transfers.
Also, at the top of the page you cited, it says:
Online Banking Guarantee
For Consumers and Sole Proprietors
-
What happened to BofA $0 Liability?
This guy's bank is Bank of America. Here's a notable quote from the BofA Website:
$0 liability
With our Online Banking service, you can be confident that your Bank of America accounts will be secure and protected. We guarantee $0 liability for any unauthorized activity originating from Online Banking, including Bill Payment. Read Your Responsibilities for information about reporting unauthorized transactions to preserve your rights under this guarantee.
Unless I'm missing it, I don't see anywhere that it says the customer is responsible for running virus protection. Is there some reason that I'm missing as to why this very public guarantee does not apply?
-
Re:Banks are Banks are Banks...
While it may be true that many individuals would leave a bank for charging a fee they didn't agree with, I entirely disagree with the notion that all banks are equal. I previously had Commerce Bank (midwest bank) and had nothing but problems with them. At one point and time I had 5 accounts with them and still wasn't more than just a number to them. I sent them packing and switched to Bank of America when I moved and haven't looked back. I'm very impressed with BOA and I highly recommend them. Everyone I know that has BOA is also quite pleased. My parents have a couple accounts at Citizens State Bank (probably a commonly reused name). They've had numerous problems over the years and have sworn they'd leave on many an occasion but haven't. They have a construction loan at another local bank and have had nothing but positive experiences with them. Not all banks are made alike. Contrary to popular belief the smaller banks can be less personable and more of a pain in the ass than the large conglomerates like Bank of America (#2 in the US) and vice versa. Nothing is consistent.
-
Bank of America
FYI, Bank of America works just fine in Firefox and Mozilla.
-
Check 21 anyone?
I find it interesting that this research is just coming to fruition around the same time that Check 21 is being passed in to law. Coincidence? I think not.
-
Re:DEBIT card probably for people rebuilding credi
>I think, and I could be wrong about this, if you select "credit", then the credit card companies make money off of your transaction.
You know, I hear this a lot, even from people with the same debit card I carry. I often hear it after I tell a cashier to treat it as a credit card, from someone who's looking at me like I'm a fool who's just parted with his money.
It may be that Visa gets some money, but I don't care. It doesn't come out of my pocket.
Is there a difference between signing a receipt and using my PIN to authorize a Check Card purchase?
Your options may differ depending on the merchant. Some merchants may require a signature (such as many restaurants), while others may offer you the option of 'Credit' or 'Debit/ATM' when processing your purchase. Usually, if you select 'Credit', you will sign a receipt to authorize your purchase. If you select 'Debit/ATM', you will use your PIN.
Whether you select 'Credit' or 'Debit/ATM', the purchase amount will be deducted from your Bank of America checking account. Generally, there is no transaction fee for either type of transaction. (Merchants may charge a fee)
So sayeth my bank.
-
Re:My Beef with ATMs and Internet Banking
- If you read the article, it pointed out that ATMs cost banks money and that the number of human tellers and branches has increased in spite of the popularity of ATMs.
- The services you specified that banks charge you for (when using a human teller), such as cashier's checks, are services they have charged for, for as long as I remember (unless you have one of their "special" accounts or keep a ton of money deposited with them in savings, CDs and what have you).
- Nothing is free and banks are in business to make money, so they will do what they can to make it. Frankly my biggest beef with banks are the obscene fees they charge for checking overdrafts. Their cost is a fraction of what they charge most customers. I can live with fees for using a human when automation can do the same job. It's the other stuff that gripes me.
- Thanks to Debit Cards (as the article pointed out) I hardly use ATM's anymore. If I need cash I make a purchase with my Debit card, enter my PIN on the merchant's terminal (generally @ a Grocery Store) and ask for cash back. I was going to the merchant anyway and it saves an extra stop at the ATM.
- I'm surprised I've not found any other major bank (besides mine) that offers both free internet banking and free online bill paying. Most charge for at least one of the two services.
-
Re:Money software
I could care less about either program. My Bank has free online banking and bill pay. I've played with both programs in the past and found them overkill