Posted to alt.home.repair
trader_4

OT Bank relaxes security. Acceptable?

On Wednesday, July 29, 2015 at 2:34:30 PM UTC-4, Ed Pawlowski wrote:
On 7/29/2015 12:01 PM, trader_4 wrote:

Perhaps they don't want to publicly give details, but I think they are
just doing new security in a different manner. There are probably
stronger methods employed that obsolete the site key. If the site key
was a great enhancement, they would all be doing it by now.


I don't doubt that they have other techniques. But it's clear
to me that presenting you with an image that only you and BA
know before you enter your PWD would prevent hackers from creating
a phony logon page. It worked with Micky. He noticed that he
wasn't getting the image and wondered if it was really the bank.
You can have X, Y, and Z that all provide some added level of
security. All I'm saying is that if you still had Z, the image
challenge, then security would be better even if you have X, and
Y and think they are very effective. It only adds, it doesn't
subtract.


What is to stop a hacker from presenting the site key?


That they don't know what the site key pic is that you have
personally chosen from a long list of available ones and
that they don't know the tag line you've personally added
to the pic. They aren't going to get that easily. They can
get your user name and pwd by creating a fake logon page
that looks like BA.


I always thought
it would be the perfect method of stealing your info.


I don't see how it's the perfect method, when the hacker doesn't
know the image or tag line for the image that you created.


There are shady
people out there with all sorts of tricks and one photo is not going to
keep them from taking your fortune.


That added step alone isn't going to prevent all the possible ways, no.
But without it, I could create a hack webpage that looks like the BA
sign on page. So, without it, you put in your logon name and pwd.
Now the hack site has both. With the image challenge, you put in
your name and if you don't see the correct image and tag line, you
know something is up. That's what caused Micky to become concerned,
he didn't see the challenge image and his tag line. I think it's
a good idea, because with other sites, many times the webpage has
changed or the web address that shows up in the address bar seems
different, leading me to wonder, is this really Amex, etc? or a
hack attempt. With BA, once I see my image, I'm confident it's
really BA.




I really don't think they would lessen security one tiny bit. Just look
at the Caller ID scams where your own number shows up.


The analogy here would be you call someone and before starting
your private conversation, the person you called has to tell you
the pass phrase that only you and they know to prove that you've
really called them and not someone else.