Bank of America Seeks Anti-Fraud Anodyne

By Deborah Gage  |  Posted 2006-05-15

Banks have had a harder time protecting customers' money since the bank robbers followed customers online. And it becomes harder still when customers don't cooperate with banks' efforts to secure their accounts.

Consider Bank of America, which claims 19 million customers online, more than any of its competitors. The bank now processes more transactions online than it does through all of its physical banking centers. Still, online popularity has its price.

In February 2005, Bank of America was sued by a customer—Ahlo, a wholesaler of ink and toner cartridges in Miami—that held the bank responsible for an unauthorized transfer of more than $90,000 from Ahlo's account to a bank in Latvia. The company's PC was infected with a Coreflood Trojan, a bit of malware that can be spread by a phishing attack and hands control of its victim PCs to hackers, according to reports in the South Florida Sun-Sentinel and other publications. Ahlo's attorney, Karen Backer of Patino & Associates in Coral Gables, Fla., says the suit has been "amicably resolved" and includes a gag order that prohibits Ahlo from talking about it. Bank of America spokeswoman Shirley Norton says the bank has no comment. The bank also says it does not discuss individual phishing attempts and has posted information on its Web site ( to educate customers about online fraud, according to Betty Riess, another Bank of America spokeswoman.

Since December 2004, there have been more than 350 phishing attempts—fraudulent e-mails that try to trick customers into giving up their account information, sometimes by infecting their computers with malware that logs their keystrokes—against Bank of America, according to FraudWatch International, a vendor of anti-phishing products. This works out to about one attempt every other day. Out of 339 financial institutions tracked by FraudWatch, Bank of America is currently the 10th favorite target of phishers—behind JPMorgan Chase, Washington Mutual and Citibank, among others.

Bank of America's struggle against phishing shows how hard it is for businesses—especially big ones that have grown by acquiring companies with incompatible information-technology systems—to protect unwary and sometimes uncooperative customers from cybercrime.

About 18 months ago, the bank initiated a project to test and install anti-phishing software for all of its customers. That project is still underway. The bank's senior vice president of e-commerce customer support solutions, Katherine Claypool, says Bank of America currently has three separate back-end processing systems—one for California, one for the Pacific Northwest, and one for the rest of the country—and customers in the Northwest will not get the software, SiteKey, until this summer.

Meanwhile, according to Claypool, after the bank made SiteKey mandatory, customers who had trouble using it—for example, by failing to follow directions when they registered—boosted calls to the bank's customer service centers by 25%.

"Be realistic," Claypool advised attendees of BAI SmartTactics, a banking industry conference, in Las Vegas in April. "The average consumer does not have a clue how the Internet works."

Effective, but Not Intrusive

Bank of America has been battling phishers since early 2004, Claypool says. The bank spent several months during that year conducting focus groups and online surveys to figure out what type of protection customers would tolerate, something that was not as intrusive as a hardware token—which can be inserted into a PC to generate one-time passwords—but that would still assure customers they were doing business on the bank's Web site and not one thrown up by fraudsters.

"Our big concern was that people would [lose confidence] and stop using online banking and bill paying," she says.

The bank decided to use software to fight phishing and briefly considered developing its own. Instead, it went with SiteKey, which was developed by startup PassMark Security of Menlo Park, Calif.; the package closely resembles what the bank's customers said they wanted, Claypool says.

SiteKey identifies the bank to customers and customers to the bank before allowing them to log in to their accounts.

Customers who want to bank online now must first choose an image from an archive, name that image, and create answers to various secret questions (such as, what high school did you graduate from?) that the bank can use to verify their identity. The software will not let them enter their password into the bank's Web site until they see and acknowledge their image, a sign they are on the real banking site and not a fake one.

SiteKey went live for employees by April 2005, and the bank began rolling it out to customers state by state starting in June.

But despite the push, it is still not available to all customers. The anti-phishing software is tied to larger projects to modernize and consolidate the bank's back-end systems and add authentication across the front end, according to Louie Gasparini, who designed Wells Fargo's Internet banking system in 1996 and is now the chief technology officer of PassMark. Bank of America spokeswoman Riess, however, says installing SiteKey in the Northwest is unrelated to the bank's other systems work. Regardless of the reason, customers in the Northwest are not the only ones waiting for SiteKey. Also still to be integrated are customers from MBNA, the credit card processor that Bank of America acquired in January in a deal worth $34.2 billion, Claypool says.

Even though SiteKey is not fully installed, it has already cut the number of successful phishing attacks against the bank, according to Claypool, although she won't say by how many. Attempted phishing attacks have not decreased.

The Tower Group, which analyzes the financial services industry, estimates banks have to eat about $120 million a year in phishing costs, which represents 4% of their direct losses to fraud.

SiteKey also works behind the scenes to create a "risk score" for the bank to identify its customers. Among other things, the software tags customers' PCs by planting two separate and unique cookies. One is an ordinary browser-based cookie; the other is a Macromedia Flash shared object that stores identifying details of customers, such as log-ins, in a way that prevents most customers from finding or deleting them, Claypool says.

As customers try to log in to the Web site, Bank of America decides how risky it is to let them in—a process that SiteKey's rules engine constantly refines by analyzing blind data sent by the bank on customers' specific machines and their behavior patterns. Whenever a customer does appear to be risky—perhaps because he is logging in from a different computer or at a different time of day than his usual time—the bank can use the secret questions to challenge his identity and make sure his user name and password are not stolen.

Using SiteKey has not been problem-free for the bank. Claypool attributes the jump in customer service calls to "irrational customer behavior," such as answering the secret questions with nonsense, that the bank didn't anticipate. The bank declines to specify the cost of SiteKey or the actual number of increased complaints.

"[We told customers] here's how [SiteKey] works," Claypool said at the conference. "We couldn't make it any simpler."

'More Cats, Please'

But some customers still treat SiteKey as an annoyance. Fully 96% waited to sign up until the bank made it mandatory, says Claypool. They rush through registration by typing random answers to the secret questions, and then have to call customer support because they can't remember what they typed. Or they share images with family and friends without sharing their answers to the secret questions, which means more calls to customer support. So far, the bank has resisted allowing customers to upload their own images, even though customers have told the bank there are not enough pictures of cats. "More cats, please," one customer wrote. But customers might get confused and call customer support, Claypool says. Or they might try to upload pornography.

For all banks, there's a sense of urgency about online fraud. U.S. banks are facing a Jan. 1 deadline to provide secure online access to their customers' accounts. That's when banks are supposed to comply with guidelines issued last October by the Federal Financial Institutions Examination Council (FFIEC), whose five government agencies, including the Federal Reserve and the FDIC, will require banks to defend the security of their online authentication schemes. No one is sure what the FFIEC auditors will be looking for, but allowing customers to enter their accounts with only a user ID and password, as Bank of America used to do before it installed SiteKey, is expected to cause a bank to fail its audit. Claypool says Bank of America will meet the deadline.

Meanwhile, phishers are evolving their tactics to try to beat SiteKey, she says. So, Bank of America and PassMark keep working to advance the software. One big hole today is that if a customer's PC is already infected with a Trojan, virus or worm, current versions of SiteKey are unlikely to detect it when people log on to their account. "If malware is on your machine, it's much more difficult for everybody," says PassMark's Gasparini.

Claypool adds that if Bank of America keeps tinkering with SiteKey—by creating smarter secret questions, automatic resetting of passwords, and wording to impress upon customers that they have to take SiteKey seriously—about 65% of the calls to customer service could be eliminated.

Someday, however, even two authentication factors—an image plus a password—will no longer be enough to beat the fraudsters. PassMark, which in April was acquired by RSA Security in Bedford, Mass., is preparing technology for that day. The company expects that banks will have to add a third security measure and will use customers' phones to authenticate them by voice. But then PassMark expects voice channels to be attacked next as hackers find online channels becoming too secure.

Bank of America Base Case

Headquarters: 100 N. Tryon St., Charlotte, NC 28255
Phone: (704) 386-5681
Business: Banking and financial services
Global Technology, Service and Fulfillment Executive: Barbara J. Desoer
Financials in 2005: Revenue was $56.1 billion, up 14.5% from $49 billion in 2004. Net income was $16.5 billion, up 18% from $13.9 billion in 2004.
Challenge: To complete installation of software that protects banking customers from cyberthieves while reducing calls about the software to customer service.

Baseline Goals:

• Increase number of active users of online banking services to at least 19.6 million for the full year 2006 from 14.7 million in 2005.
• Boost percentage of online customers using online bill paying to 100% in 2006 from 50% in 2005.
• Keep efficiency ratio—non-interest expenses divided by revenue—at or below 2005's 49.8%.