How I bypassed BofA's SafePass security in under 5 minutes

Posted on Wednesday, January 27, 2010 at 6:28:17 PM

I should begin by saying that as I'm writing this, my cell phone is sitting on my desk in the middle of what has thus far been a 20 minute restore process (hey Apple, how about a progress bar?), and I need to log in to online banking to get my year end tax statements so I can send my tax info off to my CPA.  Normally logging into online banking requires me to receive the 6-digit SafePass code from BofA on my phone, but since that's not an option and I obviously can't call them, that's my justification for trying to bypass SafePass.

It's actually quite trivial, and anyone with anything beyond a beginner's understanding of HTTP has probably already thought about it, if they haven't already tried it.  The idea came to me a while ago, specifically the first time I logged in to online banking from my phone after enabling SafePass.  I noticed that I didn't have to enter a SafePass code when logging in from my phone.

I figured BofA was probably looking at the HTTP User-Agent header to decide whether to show you the normal version of the site or the mobile version (there are actually several mobile versions, depending on what type of device you tell them you're using).  Firefox has a handy user-agent switcher add-on that allows you to specify any user-agent you can dream up, and it even has an iPhone user-agent included by default.  So I tried using that and got the iPhone version of online banking, but it looks like that version has some code that only Mobile Safari understands, because I couldn't get past entering my security question.  Next I tried a BlackBerry user-agent because I knew their browsers use only standard HTML.  No go - I got a message saying that my browser security wouldn't allow me to use online banking.  As a BlackBerry user, I knew that meant they wanted me to use the MediaNet browser (AT&T speak, other carriers will differ) instead of the BlackBerry browser.  Since I couldn't find a user-agent for the MediaNet browser, my next choice was using the user-agent from an HTC phone (I just picked one at random from the list) and success!  I got the standard HTML version of the mobile banking site and was able to log in with only my secret question and passcode.

This doesn't really give hackers a very large attack surface, since they still have to know your passcode and the answer to at least one of your security questions, but it's an order of magnitude easier for them to get that info than it is to get that info PLUS physical access to your SafePass device.  In reality, BofA should require the SafePass code to log in under all circumstances.  The workaround that renders SafePass useless is just way too obvious and easy to implement.
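To make the point concrete, here is an added example (my own hypothetical model, not Bank of America's code) of a login decision that branches on the User-Agent the way the post describes, next to the corrected policy that demands the one-time code on every path, plus an audit that lists the logins the weak policy waved through. The marker substrings, account names and user-agent strings are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    account: str
    passcode_ok: bool
    question_ok: bool
    safepass_ok: bool        # True only if a valid one-time code was entered
    user_agent: str


# Constructed sample of substrings a user-agent sniffer might key on.
MOBILE_MARKERS = ("iPhone", "BlackBerry", "Android", "HTC")


def looks_mobile(user_agent: str) -> bool:
    # The User-Agent header is chosen by the client, so this is a hint, never a fact.
    return any(m in user_agent for m in MOBILE_MARKERS)


def weak_policy(a: LoginAttempt) -> bool:
    """Models the flaw in the post: the mobile code path waives the one-time code."""
    if not (a.passcode_ok and a.question_ok):
        return False
    if looks_mobile(a.user_agent):
        return True          # second factor never consulted on this branch
    return a.safepass_ok


def hardened_policy(a: LoginAttempt) -> bool:
    """The second factor is required on every path; the UA may only pick a layout."""
    return a.passcode_ok and a.question_ok and a.safepass_ok


def render_variant(user_agent: str) -> str:
    """Legitimate use of the UA: choose a template, not an authentication rule."""
    return "mobile" if looks_mobile(user_agent) else "desktop"


def audit_waived_logins(attempts: list) -> list:
    """Accounts the weak policy let in without a one-time code (what the fix would block)."""
    return [a.account for a in attempts if weak_policy(a) and not hardened_policy(a)]


# Constructed sample attempts, not real traffic.
SAMPLE_ATTEMPTS = [
    LoginAttempt("alice", True, True, True, "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"),
    LoginAttempt("bob", True, True, False, "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"),
    LoginAttempt("carol", True, True, False, "Mozilla/5.0 (Linux; U; Android 2.1; HTC Hero)"),
    LoginAttempt("dave", False, True, False, "Mozilla/5.0 (Linux; U; Android 2.1; HTC Hero)"),
]

if __name__ == "__main__":
    print(audit_waived_logins(SAMPLE_ATTEMPTS))   # ['carol']
```

Running the audit over real login records before shipping the fix tells you how much traffic was actually relying on the waiver path.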

I'm not posting this with the intent of enabling someone to obtain illegitimate access to someone else's account, but rather to illustrate that SafePass is only providing the illusion of security and to point out that you should not rely heavily on it, since it's so easy to circumvent.
