The online arms race, that is, not anything to do with some members of the “Axis of Evil” (by the way, what wide-eyed comic book writer came up with that term?).
I am referring to the online arms race known as phishing. If you use an online bank, for the love of God, never click a link in your email! At least, not unless you are 100% sure the email is legit.
Anyhoo, on to today’s tale of woe (thank you, Kottke). Bank of America uses a technology called “SiteKey” to better ensure that you are who you say you are. It consists of having the user choose an image to represent them, as well as a series of small-talk questions that now make me scared to discuss my personal life at a party (that line is borrowed from Bryan Roach). The issue at hand with BoA’s implementation is that they let you find out a user’s question and image without providing that user’s password first.
The fix is easy for them to do, but it will cost them a lot of their customers’ goodwill and patience if they implement it: force everyone to choose new images and passwords. Without doing this, they run the risk of having even more phishing sites pretend to be the Bank and siphon off the precious user credentials that are so important to doing business on the web.
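To make the flaw and the fix concrete, here is an added toy model (not Bank of America’s code; the usernames, image paths, question and password are constructed): the weak flow hands out the image and question for a bare username, while the hardened flow demands a verified password first and answers unknown users and wrong passwords identically.

```python
# Added example, not Bank of America's code. WeakBank mirrors the flaw
# described above: the personal image and question come back for a bare
# username. HardenedBank releases them only after the password verifies,
# and treats unknown users and wrong passwords the same way.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 rounds; constructed value for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(password: str, image: str, question: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "image": image, "question": question}


# Constructed sample directory (hypothetical user and data).
ACCOUNTS = {
    "alice": make_account("correct horse", "img/sailboat.png", "First pet?"),
}


class WeakBank:
    """Flawed flow: the secret is shown before any proof of identity."""

    def sitekey(self, username: str):
        acct = ACCOUNTS.get(username)
        return None if acct is None else (acct["image"], acct["question"])


class HardenedBank:
    """Password is verified first; the image and question follow on success."""

    def sitekey(self, username: str, password: str):
        acct = ACCOUNTS.get(username)
        if acct is None:
            # Do the same amount of work as a real check so response time
            # does not reveal whether the username exists.
            hash_password(password, b"\x00" * 16)
            return None
        candidate = hash_password(password, acct["salt"])
        if not hmac.compare_digest(candidate, acct["pw_hash"]):
            return None
        return (acct["image"], acct["question"])
```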
Of course, they should get rid of the small talk and images altogether and come up with a more useful solution. An important and easy step for them is to start digitally signing their spam email messages to their customers and to ask ISPs to filter out any unsigned messages claiming to be from Bank of America. But of course, that requires far too much cooperation in today’s society (and don’t even think for a second that it would be a free speech issue: fraud is not protected speech).
It amazes me that some credit card companies and banks still send emails with links in the message! This just reinforces bad behavior.