"They're not perfect, they're siloed, but Bank of America takes security really seriously and they're not shy about experimenting with new ways to improve business," says Avivah Litan, vice president and distinguished analyst at Gartner. "They were the first to market with a lot of new security features." It was the first major bank to use images to heighten online banking security, with a feature called SiteKey, a rebranded version of PassMark (now a part of EMC Corp.'s RSA Security), which asks customers to recognize a pre-selected image before they type in their passwords. The bank offers an anti-phishing browser add-on from EarthLink that warns users if they are about to type in sensitive information at a risky website. In 2009, Bank of America began using a system it patented for educating people who get fooled by phishing attacks. B of A works with ISPs to re-direct visitors to an educational site that warns them of the perils of phishing. It worked with the Anti-Phishing Working Group to promote this approach to other banks.
The second-largest U.S. bank has good reason to get out in front of phishing, which is arguably the largest pathway to online banking fraud. (In the typical phishing attack, a cybercriminal sends an email that looks like it's from a consumer's bank and fools the consumer into divulging personal information, say, by asking the person to confirm account information. That information, of course, can then be used to conduct all manner of online banking and mobile banking fraud.) Bank of America has the largest number of online and mobile bankers in the U.S. and is therefore the biggest bank target. "They always jump on board first, I think the other banks will follow," Litan says.
The new coalition announced this week, called Domain-based Message Authentication, Reporting and Conformance (DMARC), aims to create a standard mechanism for verifying that an email has been sent from the entity it purports to be from. The group, whose 15 corporate members also include Google, Yahoo and Microsoft, will build on the existing email authentication standards DKIM and SPF to put forward a standard for authenticating email domains. Under the proposed standard, a domain owner such as PayPal publishes a policy in DNS stating how its mail is authenticated and what receivers should do with messages that fail. Participating email providers such as Google would then check that a message claiming to come from that domain (e.g. @paypal.com) carries a valid DKIM signature, or passes SPF, for a domain that matches the one in the From: address, apply the owner's policy (monitor, quarantine or reject) when it does not, and report the results back to the owner.
There are a couple of catches. First, DKIM and SPF themselves have existed for years, and past efforts to bring them together into a single, widely deployed standard have not succeeded. The DMARC standard could take three to five years to become official and broadly adopted.
Second, even if the standard becomes formally accepted, to be effective, all email providers would have to sign on. "Even if only 50% of them sign on, that cuts it down so that the bad guys can still get to the non-users," Litan says. Every small company that has its own email addresses would have to sign up and make changes to its email systems. "That doesn't mean you shouldn't attack the problem, you want to put as many locks on the door as possible, even if there are ways around them," she says.
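To make the mechanism described above concrete, and to show the gap Litan points to when a domain has not signed on, here is an added example that is not part of the original article or of the DMARC group's own software. It evaluates DMARC for one message the way a receiving provider would: look up the policy for the From: domain (falling back to the organizational domain), check whether the SPF or DKIM result is aligned with that domain under the owner's strict or relaxed setting, and apply the owner's disposition. The DNS records, the SPF/DKIM verdicts and the messages are all constructed inline so it runs offline; the "organizational domain" is simplified to the last two labels (real deployments consult the Public Suffix List), and every domain name is hypothetical.

```python
"""Evaluate DMARC for one message using constructed, in-memory policy records.

Added illustration; the DMARC_RECORDS table stands in for DNS TXT lookups at
_dmarc.<domain>, and the SPF/DKIM verdicts are supplied by the caller exactly as a
receiver's SPF and DKIM checks would produce them.
"""
import email
import email.utils

# Constructed stand-in for DNS (hypothetical domains and policies).
DMARC_RECORDS = {
    "paypal.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "bigbank.example": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
    # "smallshop.example" deliberately publishes no record: it has not signed on.
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict. Returns None if it is not a DMARC record.
    Defaults follow the DMARC spec: alignment is relaxed ('r') unless stated otherwise."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; real
    receivers use the Public Suffix List so that e.g. 'co.uk' is handled)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def header_from_domain(raw_message):
    """Domain of the RFC 5322 From: header, the address the user actually sees."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def evaluate_dmarc(raw_message, spf_result, spf_domain, dkim_result, dkim_domain,
                   records=DMARC_RECORDS):
    """Return (dmarc_result, disposition, policy_domain).

    spf_result / dkim_result: 'pass' or 'fail' from the receiver's own checks.
    spf_domain: the MAIL FROM (envelope) domain SPF was evaluated against.
    dkim_domain: the d= domain of the DKIM signature that verified (if any).
    """
    from_domain = header_from_domain(raw_message)
    if from_domain is None:
        return ("fail", "none", None)

    # Policy discovery: the From: domain first, then its organizational domain.
    policy_domain = from_domain
    record = records.get(policy_domain)
    if record is None:
        policy_domain = organizational_domain(from_domain)
        record = records.get(policy_domain)
    tags = parse_dmarc_record(record) if record else None
    if tags is None:
        # No DMARC policy published: nothing to enforce, so a spoof of this domain
        # is only caught by other filters. This is the "non-users" gap in the article.
        return ("none", "none", None)

    # DMARC passes if EITHER mechanism passed AND its domain aligns with From:.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none", policy_domain)
    disposition = tags["p"] if tags["p"] in ("none", "quarantine", "reject") else "none"
    return ("fail", disposition, policy_domain)


# Constructed sample messages (not real mail).
PHISH = ("From: PayPal <service@paypal.com>\r\nTo: victim@example.net\r\n"
         "Subject: Confirm your account\r\n\r\nPlease confirm your details.\r\n")
BANK_ALERT = ("From: Alerts <alerts@alerts.bigbank.example>\r\nTo: customer@example.net\r\n"
              "Subject: Statement ready\r\n\r\nYour statement is ready.\r\n")
SHOP_SPOOF = ("From: Shop <orders@smallshop.example>\r\nTo: victim@example.net\r\n"
              "Subject: Invoice\r\n\r\nSee attached.\r\n")

if __name__ == "__main__":
    # Phish sent from the attacker's own mail server: SPF passes for the attacker's
    # domain, but that domain does not align with paypal.com, so the reject policy applies.
    print(evaluate_dmarc(PHISH, "pass", "mailer.evil.example", "fail", ""))
    # Legitimate subdomain sender under a relaxed policy published at the org domain.
    print(evaluate_dmarc(BANK_ALERT, "fail", "", "pass", "mail.bigbank.example"))
    # Spoof of a domain that never signed on: no policy, so no disposition.
    print(evaluate_dmarc(SHOP_SPOOF, "fail", "", "fail", ""))
```

The strict-alignment case is the one that surprises operators: with `adkim=s` a signature from `mail.paypal.com` does not protect a `From: @paypal.com` message, so legitimate mail fails and is rejected by the owner's own policy. That is why publishing `p=none` first and reading the aggregate reports before moving to `quarantine` or `reject` is the usual rollout order.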