Monday, April 26, 2010

Bank of America's SafePass Security: strike out

(Posted online by Joel M Snyder. The problem and description are particularly relevant in our security and usability studies of access control systems.)

Bank of America lets their patrons sign up for "SafePass," which is a credit-card-sized one-time password device. You MUST sign up for SafePass for certain transactions (like large transfers) but it is optional for most customers.

I signed up. Much to my woe.

The sign-up fee for the card is $20.

I got my card, and it's physically defective: no number shows up when you push the button.

To get this problem remedied, Bank of America has me in an infinite loop. The phone people cannot send me a new card (why? I don't know). So I am supposed to do this through the web site.

However, once you have signed up for SafePass, you must use your SafePass to make any changes to SafePass (including getting a replacement card, and let's not even start on whether or not it's going to cost me another $20 to get a replacement for the first defective card).

So I was transferred from customer service agent to customer service agent, and each one assured me that they need to get this card activated. Some thought that if they activate it on their end, through the miracle of the ether, this will suddenly cause numbers to show up on my display here. (Attempting to explain that this could not work turned out to be a losing battle). I went through supervisors. I went through supervisors to supervisors.

In the end, the "solution" that they came up with--after 55 minutes on the phone, mind you--is that I should order a new card (not a replacement, which I cannot do, because the current card cannot be activated, but a new card, as if I need two of these things). They agreed to make a $20 credit on my account, and this will then add up to the solution required.

And all this because I was trying to do "the right thing..."

jms