| By Jim Bruene on September 12, 2007 10:30 AM | Comments (6) |
If you were in the office yesterday, you probably heard about Bank of America's announcement of SafePass, an optional out-of-band authorization technique for high-risk online banking transactions. It was all over the news, including the trades, blogs, and a few mainstream press articles. Here's the press release.
The system, common in many countries, but available only at Citibank in the United States (previous coverage here), sends users a 6-digit code via text message. The code is then entered at BofA's website to authorize larger transfers, new bill-pay merchants, new accounts for funds transfer, or to login from a new computer, not previously "registered" for online banking. VeriSign developed the technology.
The service will roll out across the BofA empire this year, with many customers having it as soon as next week. Next year, a wallet-card token "SafePass card" will be offered for customers who don't have text-messaging capabilities on their phones.
Analysis
SafePass is a solid enhancement to security, at least perceived security, since it probably won't do much to cut down on actual fraud losses. It's already pretty difficult to get through BofA's security gates and pull money out of someone's online account. The bank did the right thing in making it optional. Only the paranoiacs, road warriors, or those with unusually high transaction amounts will want to undergo the extra steps.
So while it may be ho-hum in terms of fraud reductions, SafePass is brilliant marketing (note 1). It's a tangible and easily understood copy-point as to why one should choose BofA over the other 15,000 U.S. financial institutions. Think of the bragging rights they now have (all firsts are U.S. only):
- First to integrate mobile messaging into the authentication process
- First to offer optional extra security
- First to safeguard the process of adding a new bill payment payee
- Potentially first to offer choice of token or mobile text message for out-of-channel authorization
- Only bank able to put "SafePass" on their website—a very good name
- Able to say, "no one has more security options than us"
- Able to say they are a "pioneer in security enhancements"
- Able to they "put the customer in charge of their own extra security"
- And so on ...
Congratulations to Bank of America for once again raising the bar in online security.
Rant
While I like what the bank has done, once again I find it astonishing that even 48 hours after releasing the news in a press release here, THERE IS NOTHING ON THE BofA WEBSITE ABOUT IT. A site search for "SafePass" pretending to be from North Carolina, New York, or California results yields just a single obscure business insurance product. Bank of America's search doesn't even return the press release announcing the service!
SafePass is also not mentioned in the bank's security, online banking, or mobile banking sections. I've worked in a Fortune 50 company, so I understand all too well how hard it is to sync advertising, PR, sales, and so on at a huge company. But with 22 million active online banking users, you'd think BofA would be a leader in syncing its website to its marketing plan.
Am I being overly critical? It's certainly worth writing about.
Note:
1. For more information on the synergy between security and marketing efforts, see our full report on the subject at Online Banking Report.
Most Recent Posts:
- Mobile Firsts: State Farm Offers Auto Insurance Discounts to Graduates of its Steer Clear iPhone App - Mar 10, 2010
- Launching: HelloWallet is First New PFM of 2010 - Mar 08, 2010
They did announce it in an online notification to their current users.
I also applaud BofA for their security, and encourage them to keep working at it. The SafePass system is too easy to bypass, though. When someone accessess online banking using a mobile phone instead of a computer the system detects the difference and doesn't use SafePass. Or, use a computer pretending to be a mobile phone.
Jim,
as you correctly indicate, BofA offers this two-factor authentication as an optional security measure.
Per BofA's press release, this is an "optional security feature to consumer and small business customers".
As you may know, the FFIEC requires a risk-based approach to the development of strong authentication, making strong statements about T-FA (specifically to access sensitive / personal information and interbank funds transfers).
AFIK, this "strong recommendation" was about to become regulatory (sometime @ EOY 2006).
I think Business Customers (even small ones) should be required to authenticate via at least T-FA and still multi-factor. Not to the extreme of biometrics, but with tokens or smart cards, depending on the business size. USB Tokens are inexpensive and could be attached to a key ring.
The M-FA also helps minimize potential frauds within the customer companies.
From the perspective of a banking institution, an e-banking fraud could cause a huge scandal, originating substantial losses.
Lets also keep in mind that most of the important US banks have branches overseas, including countries where stronger authentication regulations may apply. With globalization, top banks have global e-banking sites where corporate customers operate all cross the board, having a single user experience.
To finish my boring post, I would like to cite the 'Bank of Cyprus' as an example of a non-US bank that requires T-FA.
For anyone interested, here's a look at SafePass in action:
http://www.bankingunwired.com/2007/12/05/test-driving-bank-of-americas-safepass/
This is a serious misstep by Bank of America.
I am now required to pay $19.99 for the priviledge of depositing more than $1,000 into my BofA account.
Now, just how does that protect me?
Moore
Moore that is totally wrong. SavePass is free to a cellphone user. And I have a PayAsYouGo T-Mobile phone (cheap) that DOES NOT have text messaging yet I receive the SafePass codes just fine for free. Also the entire SafePass service is optional so you do not have to use it. The card is for if you do not have a CellPhone w. texting and choose to use SafePass anyway.