Will BofA's SiteKey thwart phishing attempts?

If they haven't noticed already, customers of Bank of America's online banking services will start getting prompted to enter what the financial institution is referring to as "sitekey" information.  The last time I wrote about BofA (see BofA TV ad explains why IT matters), it took over a week for me get answers from the company's PR department.  So, take what you're about to read with a grain of salt.  I'm pretty sure it's true but I'm not going to hold the story for a week to verify.

As best as I can tell, BofA's sitekey implementation is designed to thwart phishing attempts.  Phishing, for those of you that don't recognize the term, is what happens when crooks distribute emails en masse that pose as an official email from a financial institution like BoA or, more commonly, PayPal. The emails look very real, often retrieving their graphics from real Web site of the financial institution they pretend to be from. Usually, the email includes a terse warning that you'd better log into your account before it gets cancelled or to rectify a potential security risk to your funds.  They include links to login with your ID and password and if you click on the links, you're taken to a page that looks like the real deal.  If you enter your ID and password, you're doing so on the crooks' systems and they can take those stolen credentials and use them to wipe out your real accounts.  Most of these emails show up in the inboxes of people who don't even do business with the financial insititution in question.   The crooks simply blast these emails to millions of people hoping that some small percentage of the recipients actually do do business with financial institution in question and fall for the ruse.  Thus, the crooks are fishing for information.

Although phishing is part computer hack (in the way the emails look so real and sometimes hide the true identity of the phisher), it is mostly a form of social engineering.  It tricks people into doing something that they've probably been told dozens of times not to do.  As all social engineers do, phishers prey on trust. Phishing has taken its toll on financial institutions.  Not only have millions of dollars been lost (or spent) due to the problem, it undermines the potential for email to serve as a way for financial institutions to stay in touch with their customers.  Today, in the course of being safe than sorry, I routinely delete all email that comes from any financial institution.  As long as I do that, I know I won't be successfully phished.  This causes a serious problem for banks because what if they really had to warn customers about a security breach or a sudden change in policy?  If untrusting customers like me are routinely tuning out all email from all banks, there's a 100 percent chance of me not getting the message (at least via email).   If banks could issue me a personal secure RSS feed, that would probably due the trick.  But, so few people as a percentage of all Internet users use RSS today that its a solution that is ahead of its time for most banks and their customers.

What's the next best thing to a personal RSS feed? How about a personal Web page on the bank's Web site; one that has elements on it that only you know are there so that when you visit your financial institution's Web site, you know you're in the right place.  This is essentially what BoA has done with its sitekeys.  The last time I logged into my BoA account, it forced me to do two things.  First, I had to pick an image from a large library of images.  For example, you can pick the image of a dog or the image of a can of pure maple syrup (see example, above left).  Second, I had to name the image.  Even though it wasn't clear to me why I was going through this, I went along with the Web site's insistance that I do it anyway (after ignoring the request a couple of times, BofA's site forces you to go through the process). Then, the next time I logged in, not only did my login page have a copy of the image I selected, but the name I assigned to it as well. 

Since only BofA and I know what image I selected and how I named it, only BofA could give me a login page with this information on it.  There was no mistake that I was on BofA's Web site.  In other words, when email comes to me that says its from BofA, I can click it's links and visually confirm the email's authenticity.  If it takes me to a login page with the image I selected (and the name I gave to the image), the email is authentic.  If the page is missing that information, then I could very well be on an imposter site that's hoping to trick me into giving it my credentials.

But now comes the big question: could solutions like these put an end to phishing and restore trust in the email system as a way for financial institutions to stay in touch with their customers.  Personally, I like the idea.  It appeals to me as a power user and it's sure to foil some phishing attempts which is ultimately in everybody's best interest (OK, not the phishers').   But I also think it's very hi-tech.  Perhaps so much so to the point that it won't be effective with the same people -- the not-so-tech-saavy -- that are such easy prey for social engineers.  That's because social engineering works independently of technology.  No matter how good a security technology is, most technological countermeausures are no match for a decent social engineer.