SiteKey to Prevent Phishing

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

I don't have time for that junk

[A+Dafa+Disciple]

When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.

Keep the password.
Keep the button (which seems like a great idea by the way).
Ditch the three questions.

Re:I don't have time for that junk

[LiquidCoooled]

(dunno why your marked as troll, but anyway)

Phishing sites will include a big button as well
clicking it will say:
Of course your on the real bank website

it does no good - i prefer the way my bank currently does it - I told them (in person when setting this up) a pass code, when logging in, they ask me for random sections of it (ie 1st, third and last digits).

The scammers must manage to fool me multiple times to gain complete access to my account details.

Useless.

[Seumas]

And those three personal questions will be:

What is your credit card number?

What is your credit card's expiration date?

What is your credit card's three-digit CCV number?

Seriously though, I don't care if you require users to use ten pieces of personal information. They'll still choose to use the same information at 90% of the sites they deal with. And there will still be people with access to that information - whether they're administrators and customer service persons or crackers who steal their database full of customer data. The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you.

Thanks, but I'll keep using the ambiguous password. It's easy to find out where a person was born or when or what their maiden name is. It's a lot more difficult to guess that their password is aPh1l@m8.

Besides, I never give those "personal question" fields real information. Then I end up not only having to remember a password for each site, but a fake maiden name, birthplace, favorite team, first pet and so on. Screw that noise.

And if you're dumb enough to think that PayPal really is sending you two dozen queries about the validity of your account per day, you should just give your money away and shoot yourself in the head anyway.

Re:Useless.

[IDontAgreeWithYou]

What is your name?
What is your quest?
What is your favorite color?

UK has had this kinda of tech for ages

[MikeDX]

"My" online bank http://www.cahoot.com/ (which is the online arm of the abbey national) has had this type of authentication for ages. everytime I login, I am asked different questions, each login is different and has worked exteremly well. Of course if you are phished you can still be tricked into giving away to the answers to the questions you gave and used during the signup process. Instead of providing your complete password, you give certain characters from the password, for example the 2nd and 6th characters, selected from a drop down box, so keyloggers are effectively rendered useless.

There are always going to be people who are too careless with their information, and there will always be other people who are very willing to take all of your personal information to clean out your bank accounts..

3 PERSONAL Questions

[Uukrul]

Patriot Act Enhanced Questions

1. Religion?
2. Who you voted last election?
3. Are you a terrorist?

Obligatory

[value_added]

BofA: What is your name?
Sir Lancelot: My name is Sir Lancelot of Camelot.
BofA: What is your quest?
Sir Lancelot: To seek the Holy Grail.
BofA: What is your favorite color?
Sir Lancelot: Blue.
BofA: Right, off you go.

SMS authentication is already being used!

[clef]

The National Australia Bank launched SMS authentication earlier this year.

Whenever you transfer money or pay a bill (ie. anything risky), it sends a unique code via SMS to your phone. You then type that number into the system before it does the transaction.

It's free too.

It's highly unlikely someon has both stolen your mobile phone AND phished your details.

Hello, this is the Visa card center calling.

[Vo0k]

- Hello, this is the Visa card center calling. A I talking with mr. John Doe?
- Yes, that's me. What's the matter?
- We'd like to confirm. Are you trying to make a big purchase in a shop in New York?
- No! I'm in Washington, DC! Oh my god! My wallet is missing! My card has been stolen!
- Would you like to cancel the transaction and block your credit card?
- Yes, please! Right now!
- In order to do so, we need to confirm that you are indeed John Doe, the owner of the card and not that mr Doe's phone has been stolen.
- Please! How do we do it?
- Please give me the number of the credit card in question.
- I don't remember!
- Expiration date?
- Next year, july or june, or maybe august...
- sorry, I can't take that for an answer. Any other info? Maybe the account number associated with the card? Or maybe the PIN number?
- The PIN is 8352
- Thanks, sucker!