Mobile Phones Help Secure Bank of America Transactions

SafePass program designed to fend off Trojan attacks for online banking customers.

Bank of America customers can now use their mobile phones to make online banking more secure.

This option comes as part of a new service called SafePass, which the bank unveiled last month. Customers will be able to sign up for SafePass to add an extra level of security for some banking transactions.

The SafePass system, which uses authentication technology developed by VeriSign Inc., sends a six-digit code to the customer's mobile phone. The code can be used only once, and it expires 10 minutes after being issued, making it harder for criminals to steal money from Bank of America accounts.

Bank customers can require this SafePass code for certain types of online banking activity such as transferring large amounts of money or logging on from a new computer.

SafePass works in conjunction with the SiteKey anti-phishing technology that the bank rolled out two years ago, said Mike Pennella, an e-commerce enterprise services executive with Bank of America. "This is really just another layer in our security strategy," he said.

Unlike SiteKey, however, SafePass is not a mandatory feature, Pennella added.

SafePass will be available to Bank of America customers in most of the U.S., Pennella said. Next year, the company will also begin offering a credit-card-sized card, built by Innovative Card Technologies Inc., that can be used to generate similar access codes without requiring a mobile phone.

Bank of America believes that SafePass will help crack down on so-called Trojan software attacks. This type of malicious software is unwittingly downloaded by victims and often includes keylogging software designed to track username and password information and send it back to criminals.

Other financial institutions, including ETrade Financial Corp., Charles Schwab & Co. Inc. and eBay Inc.'s PayPal subsidiary, have deployed similar "two-factor" authentication systems over the past few years.

In fact, federal guidelines have called for banks to use stronger authentication technologies for online banking since the end of 2006, but they have given the banks some freedom in determining how they achieve this goal.

By requiring a code number in addition to the password, these systems make fraud harder, but not impossible.

In fact, one noted security expert, Bruce Schneier, has long predicted that two-factor authentication systems will do very little to cut down on fraud and identity theft over the long term.

That's because there are still other ways to access a customer's online banking session if an attacker has installed Trojan software on his computer, said Schneier, who is chief technology officer with BT Counterpane. "It protects against 'steal the password' attacks, but not against Trojans that make transactions in the background after you authenticate," he said via e-mail.

"What I would want to know from the bank is: Who is liable for fraud when it occurs?" he added. "If it's me, I don't want the account or the token. If it's them, I don't care what sort of authentication they use."
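The following is an added example, not code from Bank of America or VeriSign, that models the properties the article attributes to SafePass codes (six digits, valid once, expiring 10 minutes after issue, required only for sensitive actions such as large transfers or logins from a new computer) and the gap Schneier points out: a code that merely gates a session does nothing against malware that submits its own transactions afterwards. The example therefore binds each code to the specific transaction it was requested for, so a code issued for one transfer cannot authorize a different one. That binding, the 1,000.00 "large transfer" threshold, and the five-attempt lockout are assumptions for illustration; the article does not say how SafePass handles them.

```python
"""Single-use, time-limited step-up codes (added example; not Bank of America's
or VeriSign's code).  Models the behaviour the article describes and, as an
added assumption, binds each code to one transaction context."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60          # article: code expires 10 minutes after issue
LARGE_TRANSFER_THRESHOLD = 1000.0   # hypothetical threshold for a "large" transfer
MAX_ATTEMPTS = 5                    # hypothetical guess limit for a 6-digit code


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    used: bool = False
    attempts: int = 0


class StepUpAuthenticator:
    """Issues and verifies one-time codes.  `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes: dict[tuple[str, str], IssuedCode] = {}

    @staticmethod
    def requires_code(action: str, amount: float = 0.0, new_device: bool = False) -> bool:
        # Policy from the article: large transfers and logins from a new computer.
        if action == "transfer":
            return amount >= LARGE_TRANSFER_THRESHOLD
        if action == "login":
            return new_device
        return False

    def issue(self, user: str, context: str) -> str:
        """Generate a fresh six-digit code for one (user, transaction) pair.
        The real service delivers it by SMS; here it is returned to the caller."""
        code = f"{secrets.randbelow(10**6):06d}"  # uniform over 000000-999999
        # Re-issuing replaces any earlier code for the same context.
        self._codes[(user, context)] = IssuedCode(code, self._clock())
        return code

    def verify(self, user: str, context: str, submitted: str) -> str:
        """Return 'ok' or the reason the code was rejected."""
        key = (user, context)
        entry = self._codes.get(key)
        if entry is None:
            return "no_code_for_context"  # e.g. code was issued for a different transfer
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[key]
            return "expired"
        if entry.used:
            return "already_used"
        # Constant-time compare; the submitted value is untrusted user input.
        if not hmac.compare_digest(entry.code.encode(), submitted.strip().encode()):
            entry.attempts += 1
            if entry.attempts >= MAX_ATTEMPTS:
                del self._codes[key]       # stop online guessing of the 6-digit space
                return "too_many_attempts"
            return "mismatch"
        entry.used = True  # single use: a second submission of the same code fails
        return "ok"


def demo() -> list[tuple[str, str]]:
    """Walk through the scenarios in the article with a fake clock."""
    now = [1_000_000.0]
    auth = StepUpAuthenticator(clock=lambda: now[0])
    results = []
    results.append(("small_transfer_needs_code", str(auth.requires_code("transfer", 50.0))))
    ctx = "transfer:acct-4242:5000.00"     # constructed transaction context
    code = auth.issue("alice", ctx)
    results.append(("first_use", auth.verify("alice", ctx, code)))
    results.append(("replay", auth.verify("alice", ctx, code)))
    # Malware riding the authenticated session cannot reuse the code for another transfer.
    code2 = auth.issue("alice", ctx)
    results.append(("other_context", auth.verify("alice", "transfer:acct-9999:5000.00", code2)))
    now[0] += CODE_TTL_SECONDS + 1
    results.append(("expired", auth.verify("alice", ctx, code2)))
    return results


if __name__ == "__main__":
    for name, outcome in demo():
        print(f"{name}: {outcome}")
```

The context string is the key design choice: because the code is looked up by (user, transaction) rather than by user alone, the bank is verifying "this customer approved this transfer," not merely "this customer is present," which is the distinction Schneier's Trojan scenario turns on. In a real deployment the context (and ideally the amount and destination) would also be shown in the SMS so the customer can notice a mismatch.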

Copyright © 2007 IDG Communications, Inc.