Should I be panicking about my Bank of America password?
April 15, 2014 11:27 AM   Subscribe

(Keeping this anonymous because I'm worried my security's compromised and don't want to make it worse.) So for about the past six weeks, the log-in process on the Bank of America site has been behaving strangely for me. When I go to the BOA site I see my online userID in the normal way and click on it. That then takes me to the sitekey confirmation page where --weirdly-- my password is now showing up in plaintext on the login page, above the sitekey image. The first time this happened it was displaying my then-current password, which I immediately logged in with and changed. Since then, every time I go to log in I see the old password in plaintext, above the sitekey. When I enter either my then-current or my actually-current password it's rejected and I need to go through the reset process before I can successfully log in. I'm not freaking out, because there's no strange activity in my accounts. But still, it's unnerving. So..... what might be going on here, and what should I do about it?

(Extra information because this is anonymous so I won't be able to respond to questions. I've written BOA but in my experience their support staff are clueless and will be unable to help me. Nothing big has changed on my end --no new devices, no unusual travel, no other reason to think something's awry-- and I have no particular reason apart from this to believe any of my passwords or accounts anywhere have been compromised. I practice pretty good password hygiene in general: I use randomly-generated strong passwords in KeePass and change them every few months. Other small things about the BOA login process seem to have changed at about the same time as what I described above (like, now I cannot copy-paste from KeePass into the password verification field when setting a new password, which I think I used to be able to do). So I am wondering if maybe BOA made a bunch of changes to their login process, and it's just still very buggy.)
posted by anonymous to Computers & Internet (15 answers total) 1 user marked this as a favorite
I don't know, but Bank of America has a two-step verification login process that you can enable called SafePass, and I recommend you (and everyone else!) set it up.
posted by brainmouse at 11:29 AM on April 15, 2014

When I log into the BoA site, after I put in my username, I see my sitekey image, and above that is the sitekey phrase I typed in (this is just to make double sure you're in the right place). Maybe you accidentally entered your password into the spot you were supposed to enter your sitekey phrase when you were setting up your account? See if there's a spot to pick a new sitekey phrase. (Though if you've already changed your password, you can just consider that your sitekey phrase if you want, unless you're still using that as a password somewhere else.)
posted by rabbitrabbit at 11:30 AM on April 15, 2014 [12 favorites]

Does the plain text password still show up if you use a different browser? Perhaps that form field was saved by your browser.
posted by FreezBoy at 11:35 AM on April 15, 2014 [1 favorite]

I use the same two-step process to log in to my B of A credit card.

The sitekey verification website itself states that you should e-mail if you don't recognize the picture and pass phrase. I'd hazard a guess that that's the same e-mail address you should use if your password is showing up in plain text above the picture as you enter it.

On the other hand, when I go through the login process, I see the same thing that rabbitrabbit sees, which leads me also to believe you might accidentally have entered your old password on a screen where you were actually changing your sitekey pass phrase.
posted by tckma at 11:37 AM on April 15, 2014

Go to your bank and talk to them about it. That's what they're there for.
posted by Chocolate Pickle at 11:44 AM on April 15, 2014 [1 favorite]

Yeah, you should go to your bank and tell them what you just told us. Then keep records of who you spoke to and when, because in case something does happen to your account you will want to have those records. It won't cost you anything to talk to them.

Nobody here can tell you whether your account has been compromised. The bank can advise you what effective steps you can take to protect yourself, whether prophylactically, or in response to an actual breach if one may have occurred.
posted by gauche at 11:48 AM on April 15, 2014

Take a screenshot, then change your password so you can show them the unedited screen. Save the page as HTML/JS also, if you're so inclined.
posted by rhizome at 12:03 PM on April 15, 2014

Maybe you accidentally entered your password into the spot you were supposed to enter your sitekey phrase when you were setting up your account?
This is what I assumed as I was reading. If it happens in all browsers and devices, it is almost certainly your sitekey phrase. If you are using KeePass, it may have done this without your knowledge. However this is the part that sticks out to me:

my actually-current password it's rejected and I need to go through the reset process
You have to have it reset every time? That is a big deal. I would try changing it to something you can remember and not using KeePass at all for a few days on this page.

I think BoA is constantly changing how their log-in page looks in big and small ways.
posted by soelo at 12:18 PM on April 15, 2014 [1 favorite]

my actually-current password it's rejected and I need to go through the reset process

Change your email password.
posted by rhizome at 12:24 PM on April 15, 2014

I agree with my cousin, rabbitrabbit, you've typed your password as your phrase. I think mine was, "This is an artichoke."

Don't fret, I suspect you're fine.
posted by Ruthless Bunny at 1:18 PM on April 15, 2014 [1 favorite]

Are you using a KeePass browser plugin?

I had a similar issue with my LastPass plugin -- with the last major update, it developed a bad habit of filling in the wrong passwords on sites, overriding what I typed (or cut and pasted). They were able to fix this issue, but I can see it coming up for other password-filling-in browser addons.
posted by lesli212 at 1:28 PM on April 15, 2014

It sounds to me that it's a browser problem, not your BoA account. Various browsers, on different OSs, store passwords and other bits of info for auto-filling forms. The login page is just another form to the browser. Find wherever your browser saves this data, and clear it out. This ought to clear up your problem.

One way to test my theory would be to access your account using another browser, or ideally, another (trusted) computer altogether. If the login works properly, then the problem is with your browser, as I described.

I use Safari on a Mac, and the password info can be found in the Preferences window, under the Passwords tab. The Mac OS also uses the Keychain to store user ids and passwords, but I would recommend not using either of these methods to save bank passwords.
posted by qurlyjoe at 2:31 PM on April 15, 2014

I've had a similar issue using the NatWest site in the UK - it will reject correctly entered data (I double-check the data entered and don't let the computer autofill any of it) out of hand, apparently because it thinks I got there via an external link (possibly because the browser autofilled the URL when I started to type it in, and it interprets that as following a link). On consulting with a NatWest support person it was heavily implied that the bar for suspicious behaviour has been lowered almost to ground level. In any case, I usually need to reinitialise my account when I try to log in.
posted by Grangousier at 2:55 PM on April 15, 2014

I'm not sure what going to the bank is supposed to achieve - there's 0.00000% chance that anyone in your local branch has anything to do with the website.

A simple test: CHANGE your password IMMEDIATELY (you should do this if anything is suspicious, anyway). Does the plaintext change with it next time you log in?
posted by IAmBroom at 10:01 AM on April 16, 2014

IAmBroom, they have changed it a few times and the plaintext is still showing the original password.
posted by soelo at 12:10 PM on April 16, 2014

« Older How do they know how long we should cook it?   |   Cityson is graduating, and we'll all be hungry to... Newer »
This thread is closed to new comments.