I have noticed that a couple of my financial institutions (e.g., Bank of America) now require me to choose an image to use as my “site key” accompanied by a phrase that I provide. After I enter my userid, the site displays that image when it requests my password. I assume that this could help a properly trained user detect a phishing scam. But my thinking is that a phishing site is just going to show you a page that doesn’t have the site key, and any user who would be susceptible to a phishing scam in the first place wouldn’t even notice if the site key image were completely omitted from the page.
Is a site key really a helpful security device? Does the average person get the point?
I doubt the average person gets the point. I don’t think, for example, my dad would notice if he was logging on to his bank account and went straight from the User ID screen to the password screen. Hell, I’m not sure I would notice. Or, I would probably notice, but not think much of it. In fact, the phisher could probably just go back to the old way and put the User ID and Password right on the same screen.
I think the idea is that the Phisher would use the wrong image/phrase and that would give the user pause and maybe get them to start over or call the bank…I don’t think the system works if someone just circumnavigates it altogether.
On the other hand, I know how my BoA page is supposed to look and that I will see the sitekey on the second page.
I find it a useful and quick check that I am on really their site (since I have to assume a phisher wouldn’t know my chosen key) and look for it–on the second page–whenever I log on.
(So I guess I’m a “properly trained user” and it’s just one more tool for me.)
Yes, it is a helpful security device, provided the user is paying attention.
Does the average person get the point? Maybe, maybe not. Some people can’t be helped no matter how hard you try. They are lazy, naïve, or both; they want the convenience of conducting sensitive business over the internet, but they don’t want to exercise (or don’t see the need for) vigilance against fraud.
I would never notice a missing site key. I will on occasion notice extra things if they aren’t usually there, but I rarely notice missing things in any context.
It works great. Banks were required to institute two factor authentication several years ago. Ok, encouraged. This meets the requirement. Whether it helps security is not very relevant to the issue the banks were addressing.
Nothing will protect every user. People have to take some responsibility for their account security. Site keys are useful for people who make a small effort to notice where they are entering passwords. The rest are beyond hope.
It’s not true multifactor authentication anyway. It’s still “something you know”. Since the username and password (the first factor) were also “something you know,” we’re still technically on single-factor.
the image does nothing to prevent man in the middle attacks. If a user is being phished, the malicious website can easily retrieve the correct image from the authentic site and show it to the user.
As stated, the average user probably wouldn’t notice if they were never shown the image or even understands the whole point of it.
All this, in my semi-professional opinion, makes it fairly useless. Sure, it can help more savvy users, but ironically they’re not the ones who need the help the most.
That would require them to know the user name, plus the answer to the secret question that is required if the account has not been accessed from that computer before.
Right, that’s why I specified “if the user is being phished.”
So, the user accidentally goes to some malicious site thinking it’s the real site; malicious site has a page (that looks just like the real thing) that asks for the username; the user enters his username not knowing he’s on a fake site; malicious site now has the username and uses it to POST a legit-looking request to the real site, parses the response (with the real image in it) and there you go. It now has the image and can show it to the user on its own bad site.
Same thing can be done for any secret question/answers.
The only way the secret image/question ever foils phishing attempts is when the malicious site is a dumb non-proxying site (and if the user knows he needs to see the image before entering his password).
You’re talking about the security questions if you log on from an unknown computer? The same way the phisher fetches the image. The fake website just fetches the questions, feeds them to you, gets the answers, gives them to the real website and then gets the image, or, if it’s too complicated it (purposely) crashes your browser forcing you to start over (presumably by typing in the URL and bypassing the phisher) and the phisher just disregards the incomplete data it got from you.
Just pretend that instead of logging on yourself, you went to your computer and there was someone sitting in your chair logged on to the real website telling you what’s on the screen. “Okay Fear, it’s asking for your username…okay, now there’s a picture of a dog and it wants your password…Great, Thanks, see ya later sucker”…adjust that for any intermediate questions that might be there.
Wouldn’t surprise me if I am right out to lunch here, but another possible reason for showing the picture and expecting you to pay attention might be to give the bank more leverage to say “You f–d up. Since we told you about the extra security and you didn’t pay any attention to its absence (or correctness) your loss is your fault. Go away.” In other words, just because you don’t notice such things doesn’t mean that the bank can’t legally expect you to notice such things (same idea as software companies and their mile long terms of use for their programs).
Can’t find a cite, but I read somewhere that the sudden change in log-in techniques (and the proliferation of security questions and the like) was actually due to new government regulations of some kind.
As such they had a lot to do with blindly meeting the letter of the law, and not very much to do with actually increasing security.
Most phishing sites are the dumb kind. Phishing sites and MITM are generally considered to be two separate classes of attack. Key images are designed to defend against the former only. That doesn’t make them useless, just specific.
I manage a group that implemented two-factor authentication for Department of Education employees this year. Site keys ain’t it. A site key isn’t user authentication at all. It’s *site* authentication. (We implemented TFA by using VeriSign tokens that generate sequences of numbers.)
BTW can a MITM site spoof the user’s computer to the genuine site? I am not a web developer and I don’t know what info a browser gets in the HTTP request that identifies a computer–I know that it can get an IP address, but that wouldn’t work well for dynamic IP assignment. MAC address?
In the United States, in the case of consumer accounts, the consumer has no additional liability even if he writes his PIN number on his ATM card. Regulation E provides very strong consumer protections. Such a thing would make absolutely no difference in determining liability for a loss.
On the other hand, business accounts have virtually no protection against liability unless a loss is reported almost immediately. Even if a bank had no security image at all, the business would be liable for losses if it didn’t check its accounts daily and immediately report any discrepancies.
I don’t know if I should post the exact mechanism in public, but it would be trivially easy for a MITM to spoof the user’s computer. No, it doesn’t use IP or MAC addresses. It’s so trivially simple, I discovered it just using the web site and doing normal things I do every day on my computer and noticing that after I did a certain thing, it would ask me the security questions and if I did not do this certain thing, it would not ask me the questions until I did the thing again.