Sorry if this has been covered; the search feature isn't working.
My bank's website has an apparent anti-phishing feature called a sitekey: when I set up the account, they give me a picture and ask me to describe the picture in words.
After that, when I enter my account name/number, it displays the picture and my description of it and prompts me for a password (along with notices not to enter my password if that's not the right sitekey, etc.).
Presumably the intent behind this is so that you can tell it’s a genuine site and not a phish forgery because they know what image to display to me and the phishing site wouldn’t.
But it strikes me that this would be trivially easy to defeat: the phishing site merely uses the standard login screen where you enter your account name, which has no user-specific information like the sitekey image. Then, behind the scenes, the phishing site tries to log into your account on the legitimate site, at which point the legitimate site displays the sitekey to the phishing site. Then the phishing site merely has to display that sitekey to the user, and it looks identical to a genuine login screen, bypassing the apparent purpose of the feature.
Have I missed something?