The Wall St. Journal has an article today about one step Bank of America is taking to thwart phishing attacks:
First, the bank allows customers to “register” frequently-used machines, such as a home or office PC, with its online system. When customers use one of those computers to access the site, they are shown a picture after entering a username. If the picture matches the image the user chose when setting up the account, the customer knows they are in the right place, and then enters a password to access accounts.
When customers try to access accounts from a computer that Bank of America doesn’t recognize, the image doesn’t appear. Instead, users must answer a challenge question, like “What was your high school mascot?” The bank tracks computer IP addresses and also uses cookies to identify PCs.
The on-line article has a nice graphic that shows the UI part of the process. It looks like if you save the cookie in your computer, you’ll go straight to the photo or challenge question, after which you can enter your passcode. Otherwise, you’ll have an additional step of entering your user ID.