Bank of America SafePass Card Bubbles | Dafacto
The personal website of Matt Henderson.

Bank of America SafePass Card Bubbles

04 September 2014

As a Bank of America customer who spends a lot of time outside the United States, I have struggled to confirm my transactions due to (a) defects in the Bank of America SafePass card, and (b) being unable to receive a Bank of America SMS on a foreign phone number. This article describes a solution for getting a US mobile number that’s compatible with Bank of America systems, and that can forward SMS messages to a foreign number. Although originally written in 2014, the solution still works today, in 2020.

The problem(s)

To authenticate certain transactions, Bank of America issues its customers a physical device called the SafePass Card. Unfortunately, it suffers from a design flaw that frequently renders it useless. This is a showstopper for any customer unable to use the secondary, US-only, SMS-based authentication mechanism. Bank of America customer support believes the problem—which has existed since 2012—is isolated. The 75+ frustrated commenters at the bottom of this blog article tell a very different story. (And that’s just the people who have Googled the problem, read this article, and taken the time to comment. There are surely many more!)

While the broader financial industry has implemented standard two-factor authentication, via apps like Google Authenticator and 1Password, Bank of America relies on a proprietary system known as SafePass to authenticate certain transactions. There are two options for accessing SafePass:

  1. Mobile phone — The bank can send authentication codes to mobile phones via SMS. This option is a non-starter for anyone traveling or residing outside the United States, on a foreign cellular provider. You’d think an obvious solution would be to use an SMS-capable Google Voice telephone number. But unfortunately, for reasons nobody can figure out (try Googling it), the SafePass system cannot send SMS messages to Google Voice.
  2. SafePass card — The second option is a physical SafePass card which the bank can issue for a fee of $20. Pressing a button on the SafePass card generates and displays a one-time SafePass code.

I received my first SafePass card in 2009, and used it until its internal battery died in 2012. Since 2012, I’ve tried four times to replace that card—and all four replacements have arrived defective and unusable. The defect is the presence of bubbles or splotches in the liquid display that obscure the visibility of the codes.

Having received the fourth such defective card (in 2014!), my suspicion was that the card was incapable of surviving air transport when mailed to me abroad from the United States. But when I called the bank, the support representative said that just yesterday she’d spoken with another customer in the United States who’d received two defective cards in a row.

She promised to escalate the issue as a potential problem in manufacturing, but stated that, unfortunately, the bank would not follow up with me (or the other customer) as this would be considered an internal matter. The only thing I could do, she said, is order a fifth card, and hope for the best—which I’ve done.

If you’re a Bank of America customer affected by this problem, please add a comment at the bottom if you’ve also been affected. I suspect only as a group, we’ll have a chance of getting the bank’s attention.

My hope is that someone at Bank of America in a position of authority might stumble across this and consider any of the following solutions:

  1. Fix the design flaw in the existing SafePass cards.
  2. Follow the rest of the financial industry in switching to standard two-factor authentication, based on mobile apps like Google Authenticator and 1Password.
  3. Update your SMS authentication option to work with Google Voice numbers.
  4. Make SafePass an option, rather than a requirement, for the bank’s online banking customers.
  5. Finally, implement a mechanism so that your customers who experience serious problems have recourse beyond front-line telephone support.

The solution

Three years after writing this article, a solution has been found:

  1. Create an account at telephony provider Anveo. (If you’d like to support this blog, you can enter my referral code 5253170 in the signup process.)
  2. Choose the “Free” subscription plan.
  3. Add $15 from My Account → Add Funds. (Anveo is a pre-paid service.) You may have to wait a few hours for the payment to clear.
  4. Order a new Mobile phone number from Phone Numbers → Order a new number, choosing the United States. (Important: Anveo offers two number types, normal and mobile. Only the “mobile” works with Bank of America!)
  5. Set up forwarding of SMSs from your new number to your local mobile device by going to Phone Numbers → Manage Phone Numbers → Edit → Forward to a phone.

Anveo is a telephony infrastructure provider, and as such provides an enormous number of features, including the ability to associate your new phone number to a “SIP Client” application running on your iPhone or Android device. I initially tried this, but couldn’t get it working given the large number of parameters that must be configured.

Mentioning this in the comments, Graeme pointed out that you can avoid all that complexity by just setting up SMSs on your new US phone number to be forwarded to your local phone number wherever you live. I set things up that way, and gave it a shot with Bank of America, and IT WORKS! Thanks Graeme!

How to forward SMS to email at Anveo

You can use Anveo’s “Forward SMS to URL” feature to have your SMS messages sent to you by email. This is a little technical, and requires the ability to install a PHP script on a web server somewhere. Here’s how it’s done:

In the Anveo administration interface, go to:

Manage Numbers → Edit → SMS → Forward to URL

This is where you’ll enter the URL to your PHP script. That URL (of the GET, rather than POST, structure) will contain tokens for the from and message arguments. Here’s mine (with the domain redacted):

mydomain.com/anveo.php?from=$[from]$&message=$[message]$

And here is the actual PHP script contents, with the to and from email addresses redacted in several places:

<?php
// This is Matt's secret script for sending email from a URL

// Initialize our KILL function

function died($error) {
		echo "We are very sorry, but something went wrong.";

		$error_message = "The following were the errors:\n\n$error\n";
		$headers = 'From: [email protected]'."\r\n".
		'Reply-To: [email protected]'."\r\n" .
		'X-Mailer: PHP/' . phpversion();
		@mail('[email protected]', '[Anveo] Mailer Aborted', $error_message, $headers);  

		die();
}

// Initialize some variables

$email_to = "[email protected]"; // where you want sms forwarded
$email_from = "[email protected]"; // what the from address should be
$subject = "[Anveo] Incoming SMS from Anveo";

$email_exp = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/'; // {2,} also accepts TLDs longer than four letters
$email_message = "";    

// Do some data validation...

if(!isset($_GET['from']) || !isset($_GET['message'])) {
		died('Either the from or the message was not present.');       
}

$body = $_GET['message'];	

// Check for good email syntax

if(!preg_match($email_exp,$email_to)) {
	died("The email address does not appear valid: $email_to");
}

// Make sure we have a body

if(strlen($body) < 2) {
	died("The email body does not appear valid:\n\n$body");
}

// Strip header-like strings from the body; case-insensitive so "BCC:" is caught too
function clean_string($string) {
	$bad = array("content-type","bcc:","to:","cc:","href");
	return str_ireplace($bad,"",$string);
}

$email_message .= clean_string($body)."\n";

// create email headers

$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();

// Send that mail!

@mail($email_to, $subject, $email_message, $headers);  

echo "Form submission successful.";
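
The script above mails whatever any caller puts in the query string, so anyone who learns the URL can send mail through it. A variant that only accepts requests carrying a shared secret, as an added example that is not the author's code: it assumes the Forward to URL setting accepts a fixed extra parameter (here named key, a hypothetical name) next to the $[from]$ and $[message]$ tokens, that the URL is served over HTTPS, and that the secret and addresses are supplied in environment variables with the hypothetical names shown.

```php
<?php
// Added example, not the author's script. Assumed forwarding URL (constructed):
//   https://mydomain.com/anveo.php?key=<secret>&from=$[from]$&message=$[message]$
// "key" and the SMS_FORWARD_* environment variable names are hypothetical.

$secret     = getenv('SMS_FORWARD_KEY') ?: '';
$email_to   = getenv('SMS_FORWARD_TO') ?: '';
$email_from = getenv('SMS_FORWARD_FROM') ?: '';

function reject($status, $reason) {
    // Log the reason server-side only; the caller learns nothing but the status.
    error_log("[sms-forward] rejected: $reason");
    http_response_code($status);
    exit;
}

// Refuse to run half-configured rather than fall back to an open mailer.
if (strlen($secret) < 32
        || !filter_var($email_to, FILTER_VALIDATE_EMAIL)
        || !filter_var($email_from, FILTER_VALIDATE_EMAIL)) {
    reject(500, 'configuration incomplete');
}

// Constant-time comparison of the shared secret.
$key = $_GET['key'] ?? '';
if (!is_string($key) || !hash_equals($secret, $key)) {
    reject(403, 'bad or missing key');
}

$from = $_GET['from'] ?? '';
$body = $_GET['message'] ?? '';
if (!is_string($from) || !is_string($body) || $body === '') {
    reject(400, 'from or message missing');
}

// The sender goes into the Subject header: keep only characters a phone number
// or sender ID can contain, so CR/LF and header text cannot be smuggled in.
$from = substr((string) preg_replace('/[^0-9A-Za-z+]/', '', $from), 0, 20);
// An SMS is short; cap the body so the endpoint cannot relay large payloads.
$body = substr($body, 0, 1600);

$headers = "From: $email_from\r\nReply-To: $email_from\r\n"
         . "Content-Type: text/plain; charset=UTF-8";

if (!mail($email_to, "[Anveo] Incoming SMS from $from", $body, $headers)) {
    reject(502, 'mail() failed');
}
echo 'OK';
```

The authentication code still arrives in the query string, so it is written to the web server's access log unless logging is turned off for this path.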
