At first I thought this was a joke:
Bank of America will require Internet clients to register their computers and assign a digital image, such as a photo of a pet, to their accounts in an effort to cut down on fraud, the bank announced.
The free service, called SiteKey, lets clients pick an image, write a brief phrase and select three challenge questions.
The image will appear on the site every time a customer has to enter a password.
Apparently, this is serious. I’ve heard stupid security proposals before, but this may be the stupidest ever. Does someone really think that confused Internet users would fall for fewer phishing scams if they had a picture of a puppy in front of them? I shudder to think that it might take off and I will have to upload a picture of my cat every time I want to register for something online. I would be tempted to use this picture:

(Via Backup Brain)
Update: In the comments, Prof. Michael Froomkin says I’m missing the point and this is a good thing. I’m a B of A customer, so I guess I’ll get a chance to see this feature in action soon.
Ed, my hat is off to you on windows stuff, but when it comes to security protocols I think I can pull rank.
And, I’m afraid you’ve totally missed the point on this one. You don’t have to upload a cat pix every time you log in. On the contrary: you do it exactly ONCE, when you establish the relationship.
From then on, the bank shows you the picture when it asks you to log in — before you enter your password or other personal info. If there is no picture of your cat, then you know it’s not the bank, but actually a phishing scam — since the phishers have no way to know what unique picture you previously gave the bank.
So this is not at all stupid. Instead, this is actually a very good idea, and if widely used would make phishing much rarer.
Fair enough, Prof! My concern is that each site I visit regularly will want a similar personalization. Or worse, a dissimilar personalization.
I guess I’m worried that the naive user won’t understand that B of A has a picture of Fluffy but Schwab doesn’t, and my utility company uses some completely different security scheme. So Mister Phish says, “We’ve lost your cat picture. Please log on with your user name, password, and cat picture to re-validate your account.” Will my Great Aunt Sadie give them the cat picture?
But you say this is a good thing, and Bruce Schneier says I’m wrong about the virus-that-encrypts-files thing. So maybe I need to look at all this stuff more closely.
I’m a B of A customer, so I guess I’ll get to see this stuff up close and personal soon.
Can I still use the picture of Bill the Cat?
What I think is silly about this, though (and I’m not a B of A customer, so I won’t get a chance to experience it unless this spreads), is that I have a lot of pictures of my cat. Many of them are online. And I’m not necessarily going to remember exactly which one I gave to the bank.
What’s going to stop some phisher from grabbing pictures of cats and including them in their spam? Hey, just go through Flickr with a reasonably good keyword (cat? dog? pet?), figure out who posted the picture, see if you can find that person’s address in your database of spam addresses, and you’re set.
This is something that can be hacked by just throwing sufficient computer power at it, and that’s something that the phishers have no shortage of. In order for this scheme to work, you have to ask people not to put pictures of their pets online, and it’s a little late in the game for that.
I am a BofA customer. It’s an interesting idea.
I think the idea is to use a uniquely personal photo, but not that personal. I may use a picture of my desk. I don’t know. Maybe pick a photo of your china pattern. Even something from a favorite TV show or comic strip. Whatever. I don’t think spammers could possibly guess what image someone will use when they register on the BoA site.
It appears that the point of the picture isn’t “show this picture and prove that it’s really you”; it’s “see this picture and know that you’re really at the bank’s site.” So if a phisher had the picture it wouldn’t make a difference. The protection is so the victim won’t fall for the phisher scheme in the first place, because when he/she gets that email asking for the lost information, they’ll go to the fake site, won’t see kitty and they’ll know (hopefully) it’s a scam. The phisher would have to first scam you for the picture, then scam you for the personal login info matching your picture to your fake site. Nothing’s impossible, but it doesn’t seem likely.
Just an FYI:
You can’t upload your own picture, rather you select an image from a gallery of bank-approved pics.
“…select an image from a gallery of bank-approved pics.”
Well, that greatly decreases the utility. Depending on how big the gallery is, the phisher can simply send a message to each customer with a random (or always the same) picture selected from the very same gallery.
Let’s pretend there are only 10 pictures. If P. H. Isher always sends picture #1 (puppy chewing on bone), then roughly 10% of the victims will have a match. I don’t know the response rate to phishing scams right now, so I can’t say if this will make it better or worse.
Granted, BofA can use 100 or 1000 pictures. That cuts the match rate down to 1% or 0.1%. Still, just like spam, you only need a very small success rate to show a profit.
Here’s an article that explains it well: Link.
I work for a hosting company and see these phishing scams all the time. I’m happy to see any action taken from the banks on this.
The initial setup will get customers thinking about phishing scams. I believe that the ones that fall for this simply are unaware of what’s going on.
The second part, where several security questions have to be answered if the access is from a non-registered system, will really make things difficult for phishers should they want to log in to the bofa site. The one problem I see here is that I don’t believe that they would do that anyway. Typically the phishing scam site asks for card #, PIN, CID, Social sec. With that info I assume they make online purchases, print bogus ATM cards, etc. However I’m just guessing, since I’ve never seen or studied this aspect.
Interestingly, I have never seen a bofa phishing site. Usually it’s Suntrust, Bankone, Usbank, Keybank, Washington Mutual, and the most popular: Paypal.
I’m not positive why these are phished more than others, maybe coincidence or maybe because their security is weaker than others.
Another thing that is so stupid that it makes me sick is that most of these banks allow unrestricted hotlinking of their images, even from their SSL domains. This allows the phishing site to be hosted on a low-bandwidth connection (someone’s infected PC, usually), since all that needs to be served is HTML. Also, in the browser status area it will correctly show (downloading data from https://secure.paypal.com), which plays into fooling the customer into feeling the site is legit.
This is BEYOND stupid. The first time you sign on to BOA’s web-site on a new computer (I do it quite often as I travel and use different computers nearly every day) it asks you for your user-id and password.
THEN (step 2) it prompts you to answer your challenge question.
THEN it presents your site-key so you can verify that the bank is YOURS.
WHAT???? If this was a phishing site they now have my userid, my password, and my challenge question answer … but NOW I can see that it’s a fake site. Oh good.
I may be a former Bank of America customer soon. If this got past them I can’t imagine what else they missed.
Like most people I don’t like to be forced to change, especially when I don’t see the need for it. Plus I already have enough difficulty remembering all of the different passwords that I used, or even where I wrote them down. So when BofA told me that I was going to have to change, I was concerned that I would have to type something extra each time. The good news is that I don’t have to type something extra when I use the same computer from home. The bad news is that I’m not sure what I’m getting from this.
Perhaps BofA needed to do this because they don’t use SSL on their home page. SSL requires that the web server authenticate itself to the client before the client types the password. This is what SiteKey does.
Not sure what you are doing. I still need to type extra things on my home computer. (Such as dog’s maiden name, where I was born, etc.)
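A toy model of the flow the commenters argue over, added here as an example and not code from the bank or from this page: it reveals the image (or, on an unregistered computer, the challenge question) before any password is requested, the ordering Prof. Froomkin describes, rather than after the password as the later commenter saw, and it computes the match rate a phisher who shows one fixed gallery picture can expect. The gallery file names, the decoy question and the device-cookie mechanism are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed gallery for the comment's "only 10 pictures" case (assumed file names).
GALLERY = [f"gallery-image-{i:02d}.jpg" for i in range(10)]
DECOY_QUESTION = "What was the name of your first pet?"  # also shown for unknown users


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class SiteKeyServer:
    """Toy model of the SiteKey flow described in the comments; not the bank's code."""

    def __init__(self):
        self.users = {}  # username -> record; one device token per registered computer

    def register(self, user, password, image, question, answer):
        assert image in GALLERY, "customers pick from the bank-approved gallery"
        token = secrets.token_hex(16)  # cookie set on the registering computer
        self.users[user] = {"pw": _h(password), "image": image, "q": question,
                            "a": _h(answer.strip().lower()), "devices": {token}}
        return token

    def identify(self, user, device_token=None):
        """Step 1: only a username and device cookie sent. A registered computer sees
        its image before any password; anything else gets a challenge (decoy if unknown)."""
        rec = self.users.get(user)
        if rec and device_token in rec["devices"]:
            return {"sitekey": rec["image"]}
        return {"challenge": rec["q"] if rec else DECOY_QUESTION}

    def answer_challenge(self, user, answer):
        """Unregistered computer: a correct answer reveals the image, still before password."""
        rec = self.users.get(user)
        if rec and hmac.compare_digest(rec["a"], _h(answer.strip().lower())):
            token = secrets.token_hex(16)
            rec["devices"].add(token)
            return {"sitekey": rec["image"], "device_token": token}
        return {"challenge": rec["q"] if rec else DECOY_QUESTION}

    def check_password(self, user, password):
        """Step 2: the password is sent only after the customer has verified the image."""
        rec = self.users.get(user)
        return bool(rec) and hmac.compare_digest(rec["pw"], _h(password))


def phisher_expected_match_rate(gallery_size: int) -> float:
    """Share of victims whose real image equals one fixed gallery picture a phisher shows."""
    return 1.0 / gallery_size
```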