To authenticate certain transactions, Bank of America issue its customers a physical device called the SafePass Card. Unfortunately, it suffers from a design flaw that frequently renders it useless. This is a showstopper for any customer unable to use the secondary, US-only, SMS-based authentication mechanism. Bank of America customer support believe the problem—which has existed since 2012—is isolated. The 75+ frustrated commenters at the bottom of this blog article tell a very different story. (And that’s just the people who have Googled the problem, read this article, and taken the time to comment. There are surely many more!)
Note — If you work for Bank of America, and care about your customers, please consider passing this along to someone with the authority to do something about it. (And maybe also consider the deeper problem that there’s currently no mechanism for your customers to escalate a problem beyond first-line telephone support.)
Update: A solution has been found!
Until Bank of America solve the problem, a solution has been found by commenter Graeme Pyle. Scroll to the end of the article for details.
While the broader financial industry have implemented standard two-factor authentication, via apps like Google Authenticator and Authy, Bank of America relies on a proprietary system known as SafePass to authenticate certain transactions. There are two options for accessing SafePass:
- Mobile phone — The bank can send authentication codes to mobile phones via SMS. This option is a non-starter for anyone traveling or residing outside the United States, on a foreign cellular provider. You’d think an obvious solution would be to use an SMS-capable Google Voice telephone number. But unfortunately, for reasons nobody can figure out (try Googling it), the SafePass system can not send SMS messages to Google Voice.
- SafePass card — The second option is a physical SafePass card which the bank can issue for a fee of $20. Pressing a button on the SafePass card generates and displays a one-time SafePass code.
I received my first SafePass card in 2009, and used it until its internal battery died in 2012. Since 2012, I’ve tried four times to replace that card—and all four replacements have arrived defective and unusable. The defect is the presence of bubbles or splotches in the liquid display the obscure the visibility of the codes.
Here’s what my second replacement card looked like (I didn’t think to take a picture of the first):
Here’s how the third card arrived:
The bubbles started small, but eventually grew to the point that the card became unusable, after which I ordered my forth card. And here’s what the forth card looks like:
Having received the fourth such defective card (in 2014!), my suspicion was that the card was incapable of surviving air transport when mailed to me abroad from the United States. But when I called the bank, the support representative said that just yesterday she’d spoken with another customer in the United States who’d received two defective cards in a row.
She promised to escalate the issue as a potential problem in manufacturing, but stated that, unfortunately, the bank would not follow up with me (or the other customer) as this would be considered an internal matter. The only thing I could do, she said, is order a fifth card, and hope for the best—which I’ve done.
If you’re a Bank of America customer affected by this problem, please add a comment at the bottom if you’ve also been affected. I suspect only as a group, we’ll have a chance of getting the bank’s attention.
My hope is that someone at Bank of America in a position of authority might stumble across this and consider any of the following solutions:
- Fix the design flaw in the existing SafePass cards.
- Follow the rest of the financial industry in switching to standard two-factor authentication, based on mobile apps like Google Authenticator and Authy.
- Update your SMS authentication option to work with Google Voice numbers.
- Making SafePass an option, rather than requirement, for the bank’s online banking customers. (I appreciate SafePass, but when I’m abroad and can’t use the SMS method, I’m completely stuck!)
- Finally, implement a mechanism so that your customers who experience serious problems have recourse beyond front-line telephone support.
Until Bank of America solve the problem, a solution has been found by commenter Graeme Pyle.
- Create an account at telephony provider Anveo. (If you’d like to support this blog, you can enter my referral code 5253170 in the signup process.)
- Choose the “Free” subscription plan (screenshot)
- Add $15 from My Account → Add Funds. (Anveo is a pre-paid service.) You may have to wait a few hours for the payment to clear.
- Order a new geographic phone number from Phone Numbers → Order a new number, choosing the United States. Choose the Per Minute plan, which costs you $0.50 per month, plus whatever you spend in usage.
- Setup forwarding of SMSs from your new number, to your local mobile device by going to Phone Numbers → Manage Phone Numbers → Edit → Forward to a phone.
Anveo is a telephony infrastructure provider, and as such providers an enormous number of features, including the ability to associate your new phone number to a “SIP Client” application running on your iPhone or Android device. I initially tried this, but couldn’t get it working given the large number of parameters that must be configured.
Mentioning this in the comments, Graeme pointed out that you can avoid all that complexity by just setting up SMSs on your new US phone number to be forwarded to your local phone number wherever you live. I set things up that way, and gave it a shot with Bank of America, and IT WORKS! Thanks Graeme!