Bank of America and Passmark SiteKey: Trouble in Paradise?


With significant increases in customer support calls reported, widespread customer resistance, and hints of ongoing implementation and maintenance problems, it appears that Passmark SiteKey may be creating more headaches for Bank of America than it has solved.

On May 15, 2006, Ziff Davis Publishing's Baseline Magazine published an eye-opening commentary on some of the problems Bank of America has been experiencing with Passmark SiteKey (See:,1217,a=178262,00.asp).


Significant increase in support calls reported:

In the Baseline Magazine report, Katherine Claypool, Bank of America's senior vice president of e-commerce and customer support solutions, states that once the bank made SiteKey mandatory for its customers, support calls to the bank increased 25%. While the bank declined to specify the cost of SiteKey or provide the actual number of complaints it had received, the magazine did report that the bank attributes the jump in customer service calls to "irrational customer behavior", such as answering SiteKey's secret questions with nonsense, and to other customer behavior the bank didn't anticipate.

Other examples of what the bank deems “irrational customer behavior” include the bank's customers rushing through the registration process by typing random answers to the secret questions and then calling customer support because they couldn't remember what they had typed. Other customers shared their SiteKey images with family and friends without also sharing their answers to the secret questions. The bank states it is taking additional steps to curb such behavior and “impress upon customers that they have to take SiteKey seriously”. To accomplish this, they report they are “tinkering with SiteKey”, creating smarter secret questions, automatically resetting customer passwords, and improving the wording on their websites.

Attempted phishing attacks have not decreased:

Bank of America's customers might find it easier to take SiteKey seriously if it weren't for the fact that they continue to be victimized by phishing attacks. Although SiteKey has been in operation for over a year, Baseline Magazine asserts that "attempted phishing attacks have not decreased" against the bank. One fraud-tracking organization the magazine contacted reported no fewer than 350 attempted phishing attacks launched against the bank since December of 2004.

Recently, the Seattle Post-Intelligencer reported on yet another rash of thefts against Bank of America customers. Seattle police have been taking "a lot" of calls and reports involving Bank of America customers, said police spokeswoman Debra Brown. She could not provide a specific number of complaints, but added that while officers routinely get calls about financial fraud involving a variety of banks, people had been reporting an unusual number of Bank of America-specific thefts.

Hints of ongoing maintenance and support problems:

In its article, Baseline Magazine reports that the bank has acknowledged that phishers have been "evolving their tactics to beat SiteKey" and that this has forced the bank to continually work to "advance the software", a statement that hints at ongoing maintenance and support problems. These problems were first hinted at in October of 2005, when PCWorld reported that Bank of America's rollout of SiteKey had "hit a snag" and was being delayed yet again (See:,aid,123148,00.asp).

Security holes apparently still remain. Passmark SiteKey CTO Louie Gasparini confirmed one "big hole" in the Baseline article: SiteKey offers no protection once the customer's own computer has been compromised by a trojan, virus or worm, since the malware sits on the same machine that displays the image and collects the answers. Said Gasparini, "If malware is on your machine, it's much more difficult for everybody."

Widespread customer resistance:

Most significantly, Baseline Magazine’s article hints of widespread customer resistance to SiteKey. The magazine reports the bank acknowledged that fully 96% of its customers resisted signing up for SiteKey until the bank made it mandatory.

SiteKey works by looking for a file it has previously saved on the customer's computer in order to recognize that computer. For the millions of online customers who routinely block or delete such files, or who do their banking from more than one computer, SiteKey instead falls back to challenge questions, and the customer must supply personal information before the SiteKey image is ever shown. This solicitation of personal information is likely one reason why Bank of America customers have resisted signing up for SiteKey. After all, the purpose behind products such as SiteKey is to protect customer privacy, not to require customers to disclose yet more personal information.
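To make the flow just described concrete, here is a small Python model of a SiteKey-style login. It is an added illustration written for this page, not code from the original article, from Bank of America or from Passmark; the device token, the three challenge questions, the password hashing and the sample customer are all constructed assumptions. It shows the two paths (recognized computer versus challenge questions) and records which fields the customer has handed over before the site proves its identity by showing the image, which is exactly the ordering the customers quoted below object to.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample challenge questions (assumption, not the bank's real set).
QUESTIONS = ("First pet's name?", "City of birth?", "Mother's maiden name?")


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    image: str                   # image + phrase chosen at enrollment
    answers: dict                # question -> normalized secret answer
    devices: set = field(default_factory=set)   # tokens of recognized computers


def _norm(s: str) -> str:
    """Case/whitespace-insensitive comparison of typed answers."""
    return " ".join(s.lower().split())


def _hash_pw(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SiteKeyServer:
    """Model of the SiteKey flow: recognize the device (a saved file/token),
    otherwise ask challenge questions; show the image only after that; then
    accept the password."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, username, password, image, answers):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(
            username, salt, _hash_pw(salt, password), image,
            {q: _norm(a) for q, a in answers.items()})

    def submit_username(self, username, device_token):
        acct = self.accounts.get(username)
        if acct is None:
            return ("fail",)
        if device_token in acct.devices:
            return ("image", acct.image)        # saved file found: show image now
        return ("questions", QUESTIONS)           # no file: solicit personal info

    def submit_answers(self, username, answers):
        acct = self.accounts[username]
        ok = all(hmac.compare_digest(_norm(answers.get(q, "")), acct.answers[q])
                 for q in QUESTIONS)
        if not ok:
            return ("fail",)
        token = secrets.token_urlsafe(24)         # new "file" for this computer
        acct.devices.add(token)
        return ("image", acct.image, token)

    def submit_password(self, username, password):
        acct = self.accounts[username]
        return hmac.compare_digest(_hash_pw(acct.salt, password), acct.pw_hash)


@dataclass
class Browser:
    """The customer's computer. blocks_storage models customers who refuse
    or delete the saved file, so recognition never sticks."""
    blocks_storage: bool = False
    device_token: Optional[str] = None

    def save(self, token):
        if not self.blocks_storage:
            self.device_token = token


def login(server, browser, username, answers, password):
    """Run one login. Returns (success, list of fields the customer disclosed
    BEFORE the site proved its identity by showing the image)."""
    disclosed = ["username"]
    resp = server.submit_username(username, browser.device_token)
    if resp[0] == "questions":
        disclosed += [f"answer:{q}" for q in resp[1]]
        resp = server.submit_answers(username, answers)
        if resp[0] == "image":
            browser.save(resp[2])
    if resp[0] != "image":
        return False, disclosed
    # Only at this point can the customer check the image and verify the site.
    return server.submit_password(username, password), disclosed
```

On a recognized computer the customer reveals only a username before seeing the image; from an unrecognized computer, or one that blocks the saved file, the username and all three answers go out first, and a failed attempt still leaks them. A real deployment would rate-limit the answer step and never store answers in plaintext, which this model only approximates with normalization and constant-time comparison.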

On June 17, 2005, the FDIC published a supplement to its earlier regulatory guidance in which it cautioned financial institutions against implementing products that use personal information to authenticate and warned of customer resistance to such approaches. As predicted, Bank of America customers began complaining about SiteKey's solicitation of their personal information almost immediately after it was introduced. On one online forum, the bank's customers were particularly vocal:

"So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity? What kind of idiot came up with that idea?"

"The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you"

"I need to provide the website with all my secret details and only after I have authenticated I can find out if their site is legitimate?"

An alternative to SiteKey:

There is one multi-factor authentication solution that does not solicit personal information from customers, that uses government-approved authentication algorithms instead of vulnerable images and shared secrets, and which does not require “tinkering” to keep it one step ahead of phishers.

PhishCops by Sestus Data Corporation uses government-approved cryptographic algorithms standardized by the National Institute of Standards and Technology (NIST) and its Information Technology Laboratory (ITL), an agency of the U.S. Department of Commerce. The company reports that PhishCops was designed using FDIC and FFIEC regulatory guidelines as its design model and that it represents an entirely new approach to authentication.

PhishCops also appears to be gaining momentum quickly. The company reports that since its formal introduction to the market in March of this year, they have been contacted by over 370 organizations for additional information or to begin implementation. For its breakthrough in multi-factor authentication, the U.S. government named PhishCops a semi-finalist for the 2005 Homeland Security Award and InfoWorld Magazine awarded it its highest honor, the InfoWorld 100 Award.

In a recent survey, PhishCops was rated #1 among two-factor authentication solutions, offering the lowest total cost of ownership, the fastest implementation time and the lowest support requirements. This is good news for business owners. Perhaps more important, PhishCops authenticates without soliciting personal information. This is good news for consumers who value their privacy in an increasingly insecure online world.


Media Contact: Sestus Data Corporation