CHARLOTTE, N.C. -- Stung by recent high-profile security breaches, Bank of America Corp. is rolling out a new online banking security system aimed at making it harder for cyberthieves to crack customer accounts.
"We definitely want to lead the industry by making online banking more secure," Bank of America e-commerce executive Sanjay Gupta said. "Right now, more than 50 percent of (banking) transactions take place online."
The Charlotte-based bank already leads the U.S. market with 13.2 million online banking customers and 6.4 million people who pay bills online.
Bank of America launched its new online security system, called SiteKey, last month in Tennessee. It is being rolled out this week in Virginia, Maryland and Washington, D.C., and should be available nationwide by the fall. Several recent highly publicized security breaches have made fraud prevention a top priority for Bank of America and other U.S. banks.
In May, Bank of America and Wachovia Corp. were forced to alert more than 100,000 customers when New Jersey police charged nine people, including seven bank workers, in a plot to steal financial records of thousands of bank customers.
In February, Bank of America disclosed that it lost computer data tapes containing personal information on 1.2 million federal employees, including some members of the U.S. Senate. The lost data included social security numbers and account information.
Bank of America's new system was created by PassMark Security, a Redwood City, Calif.-based company that manufactures authentication systems aimed at blocking identity theft and other fraud. Bank of America is offering it to online customers at no fee.
Instead of the traditional user name-password setup, SiteKey users select one of a thousand different images, write a brief phrase and pick three challenge questions.
The challenge questions - all things that only the customer would be able to provide, such as the year and model of their first car - are then used along with a customer ID and a passcode to guard access to the account.
The system also allows customers to verify that they are indeed at Bank of America's Web site when they log on for online banking. By clicking on a SiteKey button, they can see the secret image they selected and their phrase; if those things don't appear, they could be at a spoof Web site or the target of a "phishing" scheme, Gupta said.
"Phishing" schemes involve authentic-looking e-mails that claim to come from a bank, credit card company or another legitimate financial institution and seek account information from would-be victims.
Bank of America compares SiteKey to getting a safe deposit box with two keys. Before the customer and the bank agree to open the box together, they must confirm each other's identity.
"The challenge was to make sure we can give our customers strong service while making it fairly convenient to use," Gupta said.
But Jim Stickley of TraceSecurity Inc., a Baton Rouge, La.-based computer security company, predicted criminals simply will resort to other methods to entice unsuspecting customers to turn over proprietary information.
He called the technology "interesting ... but I don't know if it's going to work."
"I think the reason they are doing it is because of all the bad press they've been getting. This shows their customers they really do care," he said.
Unfortunately, Stickley added, "The people who tend to fall for phishing scams are not the ones who will know how to use this system."
Bank of America is not alone in its efforts to thwart cyber-criminals.
Wachovia Corp. spokesman Doug Caldwell said the Charlotte-based bank is researching online authentication programs and plans to unveil its own system later this year. Among the options being explored is the use of tokens - battery powered devices that typically display a different, randomly generated number every 60 seconds.
To conduct online transactions, a customer would be required to enter the number currently shown on their token's display, as well as a user name and password.