• PC World
• »Security

Bank of America Corp. customers can now use their mobile phones to make online banking more secure.

This option comes as part of a new service called SafePass, which was unveiled Monday by BofA. Customers will be able to sign up for SafePass to add an extra level of security for some banking transactions.

The SafePass system, which uses authentication technology developed by VeriSign Inc., sends a six-digit code to the customer's mobile phone. The code can be used only once, and it expires 10 minutes after being issued, making it harder for criminals to steal money from BofA accounts.

BofA customers can require this SafePass code for certain types of online banking activity such as transferring large amounts of money or logging on from a new computer.

SafePass works in conjunction with the SiteKey anti-phishing technology that BofA rolled out two years ago, said Mike Pennella, an e-commerce enterprise services executive with BofA. "This is really just another layer in our security strategy," he said.

Unlike SiteKey, however, SafePass is not a mandatory feature, Pennella added.

SafePass will be available to BofA customers in most U.S. states this week, with California users coming online later this month and some northwestern U.S. customers getting service even later than that, Pennella said. Next year, the company will also begin offering a credit-card-sized card, built by Innovative Card Technologies Inc., that can be used to generate similar access codes without requiring a mobile phone.

Bank of America believes that SafePass will help crack down on so-called Trojan software attacks. This type of malicious software is unwittingly downloaded by victims and often includes keylogging software designed to track username and password information and send it back to criminals.

Other financial institutions, including ETrade Financial Corp., Charles Schwab & Co. Inc. and eBay Inc.'s PayPal subsidiary, have deployed similar "two-factor" authentication systems over the past few years.

In fact, Federal guidelines have called for banks to use stronger authentication technologies for online banking since the end of 2006, but they have given the banks some freedom in determining how they achieve this goal.

By requiring a code number in addition to the password, these systems make fraud harder, but not impossible.

In fact, one noted security expert has long predicted that two-factor authentication systems will do very little to cut down on fraud and identity theft over the long term.

That's because there are still other ways to access a customer's online banking session if an attacker has installed Trojan software on his computer, according to Bruce Schneier, chief technology officer with BT Counterpane. "It protects against "steal the password" attacks, but not against Trojans that make transactions in the background after you authenticate," he said via e-mail.

"What I would want to know from the bank is: Who is liable for fraud when it occurs?," he added. "If it's me, I don't want the account or the token. If it's them, I don't care what sort of authentication they use."