The personal website of Matt Henderson.
04 September 2014
As a Bank of America customer who spends a lot of time outside the United States, I have struggled to confirm my transactions due to (a) defects in the Bank of America SafePass card, and (b) being unable to receive a Bank of America SMS on a foreign phone number. This article describes a solution for getting a US mobile number that’s compatible with Bank of America systems, and that can forward SMS messages to a foreign number. Although originally written in 2014, the solution still works today, in 2020.
To authenticate certain transactions, Bank of America issue its customers a physical device called the SafePass Card. Unfortunately, it suffers from a design flaw that frequently renders it useless. This is a showstopper for any customer unable to use the secondary, US-only, SMS-based authentication mechanism. Bank of America customer support believe the problem—which has existed since 2012—is isolated. The 75+ frustrated commenters at the bottom of this blog article tell a very different story. (And that’s just the people who have Googled the problem, read this article, and taken the time to comment. There are surely many more!)
While the broader financial industry has implemented standard two-factor authentication, via apps like Google Authenticator and 1Password, Bank of America relies on a proprietary system known as SafePass to authenticate certain transactions. There are two options for accessing SafePass:
I received my first SafePass card in 2009, and used it until its internal battery died in 2012. Since 2012, I’ve tried four times to replace that card—and all four replacements have arrived defective and unusable. The defect is the presence of bubbles or splotches in the liquid display the obscure the visibility of the codes.
Having received the fourth such defective card (in 2014!), my suspicion was that the card was incapable of surviving air transport when mailed to me abroad from the United States. But when I called the bank, the support representative said that just yesterday she’d spoken with another customer in the United States who’d received two defective cards in a row.
She promised to escalate the issue as a potential problem in manufacturing, but stated that, unfortunately, the bank would not follow up with me (or the other customer) as this would be considered an internal matter. The only thing I could do, she said, is order a fifth card, and hope for the best—which I’ve done.
If you’re a Bank of America customer affected by this problem, please add a comment at the bottom if you’ve also been affected. I suspect only as a group, we’ll have a chance of getting the bank’s attention.
My hope is that someone at Bank of America in a position of authority might stumble across this and consider any of the following solutions:
Three years after writing this article, a solution has been found:
Anveo is a telephony infrastructure provider, and as such providers an enormous number of features, including the ability to associate your new phone number to a “SIP Client” application running on your iPhone or Android device. I initially tried this, but couldn’t get it working given the large number of parameters that must be configured.
Mentioning this in the comments, Graeme pointed out that you can avoid all that complexity by just setting up SMSs on your new US phone number to be forwarded to your local phone number wherever you live. I set things up that way, and gave it a shot with Bank of America, and IT WORKS! Thanks Graeme!
You can use Anveo’s “Forward SMS to URL” feature, to have your SMS messages sent to you by email. This is a little technical, and requires the ability to install a PHP script on a web server somewhere. Here’s how it’s done:
In the Anveo administration interface, go to:
Manage Numbers → Edit → SMS → Forward to URL
This is where you’ll enter the URL to your PHP script. That URL (of the GET, rather than POST structure) will contains tokens for the from
and message
arguments. Here’s mine (with the domain redacted):
mydomain.com/anveo.php?from=$[from]$&message=$[message]$
And here is the actual PHP script contents, with the to and from email addresses redacted in several places:
// This is Matt's secret script for sending email from a URL
// Initialize our KILL function
function died($error) {
echo "We are very sorry, but something went wrong.";
$error_message .= "The following were the errors:\n\n$error\n";
$headers = 'From: [email protected]'."\r\n".
'Reply-To: [email protected]'."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail('[email protected]', '[Anveo] Mailer Aborted', $error_message, $headers);
die();
}
// Initialize some variables
$email_to = "[email protected]"; // where you want sms forwarded
$email_from = "[email protected]"; // what the from address should be
$subject = "[Anveo] Incoming SMS from Anveo";
$email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
$email_message = "";
// Do some data validation...
if(!isset($_GET['from']) || !isset($_GET['message'])) {
died('Either the from or the message was not present.');
}
$body = $_GET['message'];
// Check for good email syntax
if(!preg_match($email_exp,$email_to)) {
died("The email address does not appear valid: $email_to");
}
// Make sure we have a body
if(strlen($body) < 2) {
died("The email body does not appear valid:\n\n$body");
}
function clean_string($string) {
$bad = array("content-type","bcc:","to:","cc:","href");
return str_replace($bad,"",$string);
}
$email_message .= clean_string($body)."\n";
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
// Send that mail!
@mail($email_to, $subject, $email_message, $headers);
echo "Form submission successful.";
Enjoy this article? — You can find similar content via the category and tag links below.
Questions or comments? — Feel free to email me using the contact form below, or reach out on Twitter.