Customers use on-card display to generate one-time passwords
Bank of America knows there are plenty of threats to its consumers. Fraudsters are always searching for new ways to phish information and access and empty bank accounts.
The Charlotte, N.C.-based financial institution has been working on ways to protect its customers from these attacks. The first step was taken in 2005 when it deployed SiteKey, but it more recently added two-factor security for some of its customers with a one-time password system called SafePass.
SiteKey, which was mandatory, enabled customers to pick an image, write a brief phrase and select three challenge questions. The customer and the bank could pass that information securely back and forth to confirm each other’s identity. When customers logged into the site, they knew it was legitimate because they saw the phrase and picture. “It’s been very effective for us,” says Todd Inskeep, senior vice president and customer protection executive at the bank. “Customers know when they go to a phishing site and they help us report the sites.”
SafePass ups the ante for Bank of America customers, offering two-factor authentication with a one-time password token. “We wanted to share a secret that would be hard for the bad guys to get,” Inskeep says.
Password tokens are traditionally fobs that attach to a key ring. But Bank of America went in a different direction with a credit card-sized form factor, Inskeep says. “We wanted to use something that was familiar to our customer,” he says. “The football shaped token was a little more challenging and didn’t feel as appealing as the credit card.”
While the tokens are in the standard credit card-sized format, they are used only to generate the passcodes for the sites, Inskeep says. They don’t have a magnetic stripe, nor are they embossed with the individual’s credit card information. Instead, the SafePass card has a small button and an on-the-card display.
When conducting certain types of transactions online, the user is prompted to enter a one-time passcode. To obtain the code, the user presses the button on the card. Providing this numeric string enables the transaction to proceed with confidence.
Customers can also choose to receive a passcode via a cell phone or other mobile device, Inskeep says. Customers who use the text message service are able to use SafePass for free, while individuals who want the token have to pay a $19.99 fee.
Bank of America enables SafePass with a subset of its customers, Inskeep says. Small business customers use it when conducting high-risk transactions; stock traders use it for trading penny stocks; and some consumers will be required to use it when wire transferring large sums of money. Inskeep would not disclose how many customers have signed up for the service, saying only that “adoption has been quite good.”
The SafePass program earned Bank of America the Smart Card Alliance’s Outstanding Smart Card Achievement issuer award for 2010.