So BankOfAmerica got on the bandwagon of using cellphones to authenticate via text message a few years ago (did I mention that I came up with the idea for this long before it was commercially available, but I was beat to the patent? true story there – even had a meeting with an investor to discuss the idea at the time). You go to some silly webpage, click on a button, and they text a code to a cellular phone that must be entered in the vain of “something you have, something you know” (your phone, login), etc. Sadly, the BoA implementation is full of all kinds of wonderful FAIL. Let me explain. Because venting helps.
To save money (or whatever), BoA grab your carrier information and replace the phone number with a text gateway email gateway of the carrier in question – sign up using an AT&T phone and they will sent to txt.att.net (which is broken anyway as it only uses 10 digits, not the full globally unique number, with country code), and keep sending to AT&T no matter how long you have that number, or whether you move carrier. So, you might think that moving to T-Mobile will get you away from AT&T, but not as far as BoA’s systems are concerned. Now, some folks at BoA did ponder this problem (however briefly), and setup some automated process based around you texting “HELP” to 73981, which allegedly also causes it to wake up and smell the coffee (technical term). The problem is, as many attest online, this is error prone and often does nothing.
So I call BoA online “technical support”, and say nice things to the first person I speak to just to get rid of them, in order to speak to whatever “manager”, “supervisor” or other entity can actually help with the problem. I know what the problem is. And of course, I’m told “can you send a text to…” – at which point I explain that I know the number, the trick, and have done this 4 times over the past 3 days before even bothering to call, that I have no confidence in that working, and that I want a technical support ticket opened with higher ups. Eventually I get this. Guess what the ticket wants? Yup. The “SIM” email gateway for my new number. In other words, they want me to tell them how to send a text to my phone via my new carrier email gateway and:
- Can’t figure this out for themselves (the reset exposed publicly doesn’t work)
- Won’t provide a convenient means to do this online (enter gateway or whatever)
They also asked me several times for the make and model of my phone. As if that’s going to make a difference. Apparently, it can do for the iPhone (no idea why), but I have a sane phone, a Google Nexus S. And I can guarantee it’s nothing to do with the phone. I could have my T-Mobile SIM in the cheapest, nastiest, crappiest phone around, and it would be exactly the same problem.
Overall, I’m not very confident in the Safepass system. But, hopefully, at some point today, I can finally make a transfer between one account and another without having to engage in more folly.