'More Cats, Please'

But some customers still treat SiteKey as an annoyance. Fully 96% waited to sign up until the bank made it mandatory, says Claypool. They rush through registration by typing random answers to the secret questions, and then have to call customer support because they can't remember what they typed. Or they share images with family and friends without sharing their answers to the secret questions, which means more calls to customer support. So far, the bank has resisted allowing customers to upload their own images, even though customers have told the bank there are not enough pictures of cats. "More cats, please," one customer wrote. But customers might get confused and call customer support, Claypool says. Or they might try to upload pornography.

For all banks, there's a sense of urgency about online fraud. U.S. banks are facing a Jan. 1 deadline to provide secure online access to their customers' accounts. That's when banks are supposed to comply with guidelines issued last October by the Federal Financial Institutions Examination Council (FFIEC), whose five government agencies, including the Federal Reserve and the FDIC, will require banks to defend the security of their online authentication schemes. No one is sure what the FFIEC auditors will be looking for, but allowing customers to enter their accounts with only a user ID and password, as Bank of America used to do before it installed SiteKey, is expected to cause a bank to fail its audit. Claypool says Bank of America will meet the deadline.

Meanwhile, phishers are evolving their tactics to try to beat SiteKey, she says. So, Bank of America and PassMark keep working to advance the software. One big hole today is that if a customer's PC is already infected with a Trojan, virus or worm, current versions of SiteKey are unlikely to detect it when people log on to their account. "If malware is on your machine, it's much more difficult for everybody," says PassMark's Gasparini.

Claypool adds that if Bank of America keeps tinkering with SiteKey—by creating smarter secret questions, automatic resetting of passwords, and wording to impress upon customers that they have to take SiteKey seriously—about 65% of the calls to customer service could be eliminated.

Someday, however, even two authentication factors—an image plus a password—will no longer be enough to beat the fraudsters. PassMark, which in April was acquired by RSA Security in Bedford, Mass., is preparing technology for that day. The company expects that banks will have to add a third security measure and will use customers' phones to authenticate them by voice. But then PassMark expects voice channels to be attacked next as hackers find online channels becoming too secure.