Bank of America, your security isn't very secure (long, requires logic)!

So, today being bill day and all, I decide to fire up teh old intarweb and take care of the Happy Scrappy Financial Obligations lickety-split.

So I sign on to Bank of America’s website.

To log on, I have to give them my account number, password, and state in which I opened my account. So I do so.

They don’t recognize my computer (I’m at my school’s library), so they ask me a verification question. Which I answer.

Then we come to the dreaded Layer Three of Security!!!twenty-five!! The impregnable, unbustable, uncircumventable Level Three of Security!!!twenty-five!!!

They show me a picture I picked with a title I gave it, and ask me to do some loony word-association bit. By looking at the picture, I am supposed to remember the word I associated with that picture, and therefore Bank of America will know it’s really me and then I can Use my money to pay my debt to… Bank of America.

See, Bank of America KNOWS that someone who knows my account number, PIN, state of account opening, mother’s middle name, town of my birth, and town of my high school might not actually be me. So in order to prove that I am REALLY me, I ought to submit to this dime-store Rorschach treatment.

One problem. I, like many people who have more than two things to think about, don’t have enough room in my happy scrappy brain to remember what word I associated with a stupid fucking picture forty-five fucking days ago. So I click on the “Forgot Your MMPI Answer?” button. Which pops open a box that says “Call 1-800-HOLD-PLS to obtain your InkBlot pass.”

So I call. Now, I don’t see how a security increase is served by forcing a guy to speak aloud all his account information in a public place, but then, I’m just a law student and such things are beyond me. I resolve to ask the operator just how in the blue hell I’m safer, but I don’t get the chance. Call volume is “exceptionally high.” Wait time of five minutes or so. But, according to the voice, if I want to reset my InaneKey, I can follow the instructions on the website.

So I figure, “That shouldn’t be that hard. I’ll reset it, they’ll bounce the new one to my e-mail, and I’ll just get it from there. This will serve the dual purposes of ease (as I am qualified to operate electronic mail) and security (as Bank of America has kindly provided an extra layer of passwordism and the evil phishers may not know the linked account).” Simple enough. So I click to reset.

Holy crap! Another layer of security!

In order to reset my passkey, I must provide them with… account number… PIN… state of account opening. The same fucking three bits of info I had to give them to login in the very first place. So, feeling no small sense of deja vu, I do so. I hit “enter.” I wait for the window that says, “Your reset passkey will be mailed to your linked account.”


right to my fucking bank screen.

Let me get this straight, you morons. I give you three pieces of information.
That’s not enough for you. You need to verify that it’s me.
You ask me an inane question.
I don’t know the answer.
You say I can get around the inane question… by giving you the exact same three pieces of information you asked for in the first place.


I dunno about you guys, but this seems more than a little… oh, REALLY FUCKING STUPID.

Can anyone explain what I’m missing here?

You’re missing the idea that the little picture with the name you gave it is supposed to help you recognize that you haven’t been shunted to some phisher’s site, but instead are actually logging into the BoA. It’s not an extra level of ID that you have to provide.

The password/PIN that you’re supposed to enter beneath the picture is your usual PIN. When you said you couldn’t remember it, you were basically saying you couldn’t remember your PIN, so you had to go through the process of resetting it.

I know it’s a little nuisance to have had to type in your PIN twice, but that only happens when you log in from a particular computer for the first time. On subsequent visits, all you would see on the home page is the box for your debit card number; then you’d enter your PIN on the next page, underneath the little picture.

Sorry, but you just hosed yourself.

I wish it were that easy.

But it wasn’t my PIN. I tried that.

The answer they were looking for is an 8-12 character string including letters and numbers.

I get the idea of the passkey. What I don’t get is how easily circumventable it is.

What he/she said.

Because the point is NOT really to add a second password. If you know your password and stuff, you can easily change the passkey (as you did).

The point is that if you click on an email saying “Your Acc0unt has been frozen!!!” and it takes you to a “Bank of America” page, then you don’t see the proper picture when you go to log in. You get suspicious. You (maybe) don’t provide your account information to some stupid phisher.

  • Peter Wiggen

The comment I get on the site key page, underneath the box for your online banking passcode, says “(4 - 20 Characters. This Online Banking passcode is different from your SiteKey image title or Sitekey Challenge answers.)”

My PIN has always worked for me, ever since they introduced the site key thing. I don’t know why it appears differently for you.

Add me to the list of “same here”. Did it this weekend.

The image has nothing at all to do with your sitekey. My Sitekey is the same as my ATM PIN, and it works. If you’re having problems it’s quite likely something is amiss and you’ll need to have it reset.

To reiterate the purpose of the picture, it has nothing at all to do with anything you typed in previously. They tell you what you entered in for the description, even. It’s not to prove who you are, it’s to prove who they are to you.

That’s incorrect, insofar as Bank of America has it set up. (I make no claims about any other bank.) The picture you see is, indeed, your SiteKey; in fact, when you go through the logon process and after you’ve entered your Online ID, you’ll get that picture with “Your SiteKey:” directly above it.

Underneath the picture you’ll see an empty field with this label to the side:

Underneath that empty field are instructions telling you to enter your 4-20 character passcode.

I’m not sure why you’d be using your ATM PIN unless you’ve set that up as your account’s passcode. (Mine is different.)

I hope it is not a normal thing for you to do your electronic banking on public machines…

The risk does not seem worth it to me.


Maybe I’m missing something, and I don’t use this particular service… but how does a system to prove you’re really on the BoA website help when it only comes up after you’ve entered all your other info? Or is it all on one page?

You enter your ID number (and the state your account is set up in, unless the computer has that info in a cookie) on the first page. Then, you go to a new page where you see the SiteKey image you selected (to confirm that you are on the genuine BoA site) and are prompted to enter your passcode.
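The two-stage flow this reply and the earlier ones describe (ID and state first, then the image and caption you chose, then the passcode) as an added Python model. This is not code from the thread or from the bank; the account record, passcode, challenge question, device cookie and the lookalike page are constructed assumptions. It shows why the SiteKey is a check the customer performs on the site, not a credential the site checks on the customer: a page that lacks the SiteKey table cannot show the right image, and the customer's rule is to stop before typing the passcode when it does not match.

```python
"""Constructed model of the SiteKey login flow described in the thread.
The account record, credentials and device cookie below are made-up
sample data, not real Bank of America values or code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    online_id: str
    state: str                # state in which the account was opened
    passcode: str             # the 4-20 character Online Banking passcode
    sitekey_image: str        # image chosen at enrollment
    sitekey_caption: str      # caption the customer typed for that image
    challenge: tuple          # (question, answer) asked on an unrecognized device
    known_devices: set = field(default_factory=set)


class GenuineSite:
    """The real site holds the SiteKey table, so it can show each customer
    the image and caption they chose before asking for the passcode."""

    def __init__(self, accounts):
        self.accounts = {a.online_id: a for a in accounts}
        self.pending = {}     # stage-1 token -> online_id

    def identify(self, online_id, state, device_cookie=None, challenge_answer=None):
        """Stage 1: ID + state, plus the challenge question when the device
        is not recognized. Returns the SiteKey and a token, or None."""
        acct = self.accounts.get(online_id)
        if acct is None or acct.state != state:
            return None
        if device_cookie not in acct.known_devices:
            _question, expected = acct.challenge
            if challenge_answer != expected:
                return None
        token = secrets.token_hex(8)
        self.pending[token] = online_id
        return {"token": token, "image": acct.sitekey_image,
                "caption": acct.sitekey_caption}

    def login(self, token, passcode):
        """Stage 2: the passcode typed beneath the SiteKey. True on success."""
        online_id = self.pending.pop(token, None)
        if online_id is None:
            return False
        return secrets.compare_digest(self.accounts[online_id].passcode, passcode)


class LookalikeSite:
    """A page that only imitates the login form (the "Acc0unt frozen" e-mail
    scenario). It has no SiteKey table, so it can only show a placeholder."""

    def identify(self, online_id, state, device_cookie=None, challenge_answer=None):
        return {"token": "x", "image": "generic.png", "caption": "Your SiteKey"}


def customer_login(site, online_id, state, remembered_sitekey, passcode,
                   device_cookie=None, challenge_answer=None):
    """What the customer is meant to do: type the passcode only if the
    SiteKey shown matches the image and caption they remember enrolling."""
    stage1 = site.identify(online_id, state, device_cookie, challenge_answer)
    if stage1 is None:
        return "identification failed"
    shown = (stage1["image"], stage1["caption"])
    if shown != remembered_sitekey:
        return "sitekey mismatch: do not enter passcode"
    return "logged in" if site.login(stage1["token"], passcode) else "bad passcode"


# Constructed sample account and remembered SiteKey (not real data).
ACCOUNT = Account(
    online_id="1234567890", state="MA", passcode="hunter2bills",
    sitekey_image="sailboat.jpg", sitekey_caption="summer on the cape",
    challenge=("Town of birth?", "Springfield"),
    known_devices={"cookie-home-pc"},
)
BANK = GenuineSite([ACCOUNT])
PHISH = LookalikeSite()
REMEMBERED = ("sailboat.jpg", "summer on the cape")

if __name__ == "__main__":
    # Library computer: no cookie, so the challenge question is asked first.
    print(customer_login(BANK, "1234567890", "MA", REMEMBERED, "hunter2bills",
                         challenge_answer="Springfield"))
    # Same customer, same answers, on the lookalike page: stops at the SiteKey.
    print(customer_login(PHISH, "1234567890", "MA", REMEMBERED, "hunter2bills",
                         challenge_answer="Springfield"))
```

The model also makes the original poster's observation concrete: everything the genuine site demands before the SiteKey appears is the ID, the state and the challenge answer, so the image adds nothing to how the bank identifies the customer; its whole value is on the customer's side of the screen.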

Yeah, I mistyped that. I meant that your Sitekey is not related to the passcode. Bleh.

Anyways, the passcode for former Fleet people tends to be their ATM PIN because of the migration from Homelink; for a lot of people (like myself) the account passcode was defaulted to the ATM PIN (Homelink used the ATM PIN only for access).

I don’t work there anymore but there are some things about Online Banking with them that might surprise most people.