Effective, but Not Intrusive

Bank of America has been battling phishers since early 2004, Claypool says. The bank spent several months during that year conducting focus groups and online surveys to figure out what type of protection customers would tolerate, something that was not as intrusive as a hardware token—which can be inserted into a PC to generate one-time passwords—but that would still assure customers they were doing business on the bank's Web site and not one thrown up by fraudsters.

"Our big concern was that people would [lose confidence] and stop using online banking and bill paying," she says.

The bank decided to use software to fight phishing and briefly considered developing its own. Instead, it went with SiteKey, which was developed by startup PassMark Security of Menlo Park, Calif.; the package closely resembles what the bank's customers said they wanted, Claypool says.

SiteKey identifies the bank to customers and customers to the bank before allowing them to log in to their accounts.

Customers who want to bank online now must first choose an image from an archive, name that image, and create answers to various secret questions (such as, what high school did you graduate from?) that the bank can use to verify their identity. The software will not let them enter their password into the bank's Web site until they see and acknowledge their image, a sign they are on the real banking site and not a fake one.

SiteKey went live for employees by April 2005, and the bank began rolling it out to customers state by state starting in June.

But despite the push, it is still not available to all customers. The anti-phishing software is tied to larger projects to modernize and consolidate the bank's back-end systems and add authentication across the front end, according to Louie Gasparini, who designed Wells Fargo's Internet banking system in 1996 and is now the chief technology officer of PassMark. Bank of America spokeswoman Riess, however, says installing SiteKey in the Northwest is unrelated to the bank's other systems work. Regardless of the reason, customers in the Northwest are not the only ones waiting for SiteKey. Also still to be integrated are customers from MBNA, the credit card processor that Bank of America acquired in January in a deal worth $34.2 billion, Claypool says.

Even though SiteKey is not fully installed, it has already cut the number of successful phishing attacks against the bank, according to Claypool, although she won't say by how many. Attempted phishing attacks have not decreased.

The Tower Group, which analyzes the financial services industry, estimates banks have to eat about $120 million a year in phishing costs, which represents 4% of their direct losses to fraud.

SiteKey also works behind the scenes to create a "risk score" for the bank to identify its customers. Among other things, the software tags customers' PCs by planting two separate and unique cookies. One is an ordinary browser-based cookie; the other is a Macromedia Flash shared object that stores identifying details of customers, such as log-ins, in a way that prevents most customers from finding or deleting them, Claypool says.

As customers try to log in to the Web site, Bank of America decides how risky it is to let them in—a process that SiteKey's rules engine constantly refines by analyzing blind data sent by the bank on customers' specific machines and their behavior patterns. Whenever a customer does appear to be risky—perhaps because he is logging in from a different computer or at a different time of day than his usual time—the bank can use the secret questions to challenge his identity and make sure his user name and password are not stolen.

Using SiteKey has not been problem-free for the bank. Claypool attributes the jump in customer service calls to "irrational customer behavior," such as answering the secret questions with nonsense, that the bank didn't anticipate. The bank declines to specify the cost of SiteKey or the actual number of increased complaints.

"[We told customers] here's how [SiteKey] works," Claypool said at the conference. "We couldn't make it any simpler."