Thursday, June 7, 2007

BofA's sitekey

one of the most ridiculous pieces of "security" ever. more to come when i get home from work.

ok... getting back to this more than a week later. the sitekey is designed to foil phishing attacks. a phishing attack is when i design a web page that looks just like Bank of America's, give it a url along the lines of, and then fake an email to you, joe user, from Bank of America with a link to my version of the page. i want to get you to enter your username and password so that i can later empty out your account.

sitekey is supposed to foil this attack. you don't put in your password right away, just your username. then Bank of America "proves" that it's ok to enter your password by showing you a picture associated with your account. now that you know who you're dealing with, it's ok to enter your password, right?

wrong! this just adds one extra step for a would-be phisher, who now has to sit in the middle and talk to both you and the real site instead of just you. the main method of attack is the same. once you're on the phisher's version of the site, you enter your username. the phisher takes your username, goes to the real BoA site, and gives them your username. BoA gives the phisher your sitekey picture. the phisher shows you your sitekey picture. you give the phisher your password. nothing about the picture ties it to the site you're actually typing into; anyone who knows your username can fetch it.
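here's the relay attack above written out as a small simulation. this is an added example, not code from the original post and not anything from Bank of America; the bank, the accounts, the picture names and the passwords are all made up, and the two-step "show picture, then take password" flow is a toy model of how sitekey is described above. the point it shows is that the victim does exactly what sitekey tells them to (check the picture before typing the password) and still loses the password.

```python
"""Simulation of the man-in-the-middle relay against a SiteKey-style login.

Added example for illustration only: RealBank, PhishingProxy, the account
names, picture names and passwords below are all constructed, not real.
"""
from dataclasses import dataclass, field


class RealBank:
    """Toy model of the real bank site with a two-step login."""

    def __init__(self):
        # constructed accounts: username -> (sitekey picture, password)
        self._accounts = {
            "joe.user": ("golden_retriever.jpg", "correct horse battery"),
            "jane.doe": ("red_bicycle.jpg", "tr0ub4dor&3"),
        }

    def step1_sitekey(self, username):
        """Step 1: the bank 'proves' itself by returning the user's picture.
        Whoever supplies the username gets the picture; nothing binds it to
        the browser (or attacker) that asked for it."""
        acct = self._accounts.get(username)
        return acct[0] if acct else None

    def step2_login(self, username, password):
        """Step 2: password check. Returns a session token on success."""
        acct = self._accounts.get(username)
        if acct is None or acct[1] != password:
            return None
        return f"session-for-{username}"


@dataclass
class PhishingProxy:
    """The attacker's look-alike site. It answers the victim's step 1 by
    relaying the username to the real bank and echoing the picture back."""
    real_bank: RealBank
    harvested: dict = field(default_factory=dict)

    def step1_sitekey(self, username):
        # relay: fetch the victim's own picture from the real site
        return self.real_bank.step1_sitekey(username)

    def step2_login(self, username, password):
        # keep the password, then log in for real so the victim sees a
        # normal session and notices nothing
        self.harvested[username] = password
        return self.real_bank.step2_login(username, password)


def victim_logs_in(site, username, password, expected_image):
    """What SiteKey asks of the user: enter the username, check that the
    picture is the one you remember, then (and only then) enter the password.
    Returns (picture_matched, session_token)."""
    image = site.step1_sitekey(username)
    if image != expected_image:
        return False, None  # user correctly refuses to type the password
    return True, site.step2_login(username, password)


def run_attack():
    """Joe follows the SiteKey advice to the letter, but on the phishing site.
    Returns (picture_matched, session_token, attacker's harvested creds)."""
    bank = RealBank()
    phisher = PhishingProxy(real_bank=bank)
    matched, session = victim_logs_in(
        phisher, "joe.user", "correct horse battery", "golden_retriever.jpg")
    return matched, session, dict(phisher.harvested)


if __name__ == "__main__":
    matched, session, loot = run_attack()
    print("picture matched:", matched)          # True
    print("victim got a working session:", session)
    print("attacker harvested:", loot)
```

the picture check passes, the victim gets a working session, and the phisher walks away with the password. the only thing sitekey bought was the one extra relayed request in `PhishingProxy.step1_sitekey`.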

so there's no real added security here. sure, it's making things slightly more work for the attacker, but the same attack still works. and if you've convinced your customers that they're safe because of this so-called security feature, they're more likely to trust whatever page shows them their picture, and may even be more susceptible to attack than before.

but really it's just another annoying page to load.

so, stupid sitekey.
