4

When you sign into Bank of America for the first time on a computer that you haven't used with them before, they detect this and force you to answer one of your security questions. I think I've seen BoA do this when I sign in under a different browser on the same computer. If I clear the browser cache, though, they don't ask me again.

How does Bank of America (likely) uniquely identify the computer I'm using to sign in?

I'm asking because I think it might be a good idea to implement a similar security measure on my websites.

John
  • It's possible that the site makes a hash of your computer's IP address, and it is checked against a stored list of hashes associated with your account/profile (which are kept on BoA's auth. servers). Especially if clearing your cookies didn't reset things. – acolyte May 06 '13 at 18:03

2 Answers

11

I'm willing to bet that they don't actually identify the computer, they just send you a persistent cookie once you've successfully logged in, and as long as your browser returns that cookie, they know it's a previously used machine.

You should be able to test this quite easily using something like Firefox's Web Developer toolbar which will let you both examine all of the cookies that you're sending to a specific domain, and will let you delete the cookies for a specific domain. If you delete the cookies for the Bank of America website and then try to login again, you should get the "You're using a new computer" workflow again if indeed they are using a cookie to determine which workflow should be presented to you.

Besides cookies, there are a number of methods they could be using to recognize your machine.

Additionally, the storage mechanisms can be combined (as it appears Bank of America does, or at least did at one point.) The ultimate example of this, so far, is a project known as evercookie which aims to make persistent browser tracking as difficult to defeat as possible.

Xander
  • I've cleared my cookies and it doesn't re-prompt me. Cookies were my first thought too, but that rules it out. – John May 06 '13 at 16:54
  • @John A bit more research suggests that you might need to clear both your cookies and locally shared objects. http://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html From this answer on SO: http://stackoverflow.com/a/33319/321790 – Xander May 06 '13 at 17:01
  • Thanks, Xander. The linked question with the LSO piece helped to clarify things. – John May 06 '13 at 18:29
5

Banks like BoA use a risk-based decision engine that examines several variables, including but not limited to:

  • Your visible IP address
  • Your browser's "signature," which includes the user agent header and detectable display properties such as screen resolution
  • The presence of a persistent cookie
  • The presence of data in another persistent store, such as a Flash wallet token

The risk engine uses the above data and compares it to various risk rules that are configured by the bank. Rules include IP geolocation and blacklisting, known browser security issues, and risk exposure particular to your profile (e.g. if you are a high wealth customer). The risk engine calculates a score and decides whether to prompt you for a second factor of authentication, which can sometimes be a one-time password or a KBA (knowledge based authentication) question (e.g. the name of your first pet).

Some banks will do this check only when you sign on. Other banks perform a context-sensitive risk check with each and every transaction, e.g. if you are wiring a million dollars to an external account you are higher risk than transferring $10 to your loan account.

John Wu
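The check the question asks about, combining the persistent-cookie idea from the first answer with the risk-rule scoring described in the second, as an added example that is not code from either answer or from any bank: the server issues an HMAC-signed "known device" cookie on a successful login and later scores each login over the signals listed above. The signing key, rule weights, threshold and sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Key used to sign device cookies (constructed example value; load it from a secret store in practice).
SERVER_KEY = b"example-server-key-not-for-production"
STEP_UP_THRESHOLD = 50  # scores at or above this trigger the second-factor / KBA prompt

def issue_device_token(account_id: str) -> str:
    """Persistent 'known device' cookie value: random id plus an HMAC tag bound to the account."""
    device_id = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{account_id}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"

def device_token_valid(account_id: str, token: str) -> bool:
    """Accept the cookie only if we signed it for this account; a copied or forged value fails."""
    device_id, sep, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, f"{account_id}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return bool(sep) and hmac.compare_digest(expected, tag)

@dataclass
class LoginContext:
    account_id: str
    ip: str
    user_agent: str
    screen: str             # e.g. "1920x1080", reported by client-side script
    device_token: str = ""  # persistent cookie value, empty if the browser sent none

@dataclass
class AccountProfile:
    known_ips: set
    known_signatures: set   # browser_signature() values seen on earlier logins
    high_value: bool = False

def browser_signature(ctx: LoginContext) -> str:
    """Coarse browser 'signature': user agent plus display properties."""
    return hashlib.sha256(f"{ctx.user_agent}|{ctx.screen}".encode()).hexdigest()

def risk_score(ctx: LoginContext, profile: AccountProfile, blocklisted_ips=frozenset()) -> int:
    """Additive risk rules; the weights are illustrative, not a bank's actual configuration."""
    score = 100 if ctx.ip in blocklisted_ips else 0
    score += 30 if ctx.ip not in profile.known_ips else 0
    score += 30 if browser_signature(ctx) not in profile.known_signatures else 0
    score += 40 if not device_token_valid(ctx.account_id, ctx.device_token) else 0
    score += 20 if profile.high_value else 0
    return score

def requires_step_up(ctx: LoginContext, profile: AccountProfile, blocklisted_ips=frozenset()) -> bool:
    return risk_score(ctx, profile, blocklisted_ips) >= STEP_UP_THRESHOLD
```

With these weights a cleared cookie on an otherwise known browser and IP scores 40 and is not prompted, while a different browser on the same machine scores 70 and is, which matches the behaviour the question describes.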