BofA is Evil
Add to my list of evil corporations Bank of America. For the past several years I have used a very good independent bill payment service called Paytrust (which is now owned by Intuit). One of the features of this service is that it balances my checking account by logging into my online checking accounts and scraping all of the transactions. However BofA has decided to put a stop to this. Supposedly this is an attempt at solving the widespread "phishing" problem. But as this post:
News.compoints out, the BofA solution is no solution (quoted below). So are they really just trying to close out third party bill payment services? I have been asking that question as often and as loudly as I can to any BofA person I can get on email and phone and the VERY suspicious answer that they are all trained to give me is, "would you like to try BofA's bill payment service?"
Note to BofA - you are now going to lose my business.Here is that explanation for why SiteKey doesn't help solve the phishing problem:
The problem is that the BofA server doesn't know how to distinguish a valid user's PC. A zombie machine that was hacked to be false store-front could easily appear to BofA to be a valid user PC.
So... what if the false store-front brokers the entire transaction to the BofA server? That would appear to be completely valid transaction to the server and it would deliver a session cookie, along with the image, back to the false store-front.
The false store-front simply relays the image and authentication page back to the victim, who is none the wiser. He still believes he's talking to the real server because he's getting all of the proper SiteKey data.