
Worse Than Useless: Personal Security Images - lann
http://www.worsethanuseless.com/post/42126289484/worse-than-useless-personal-security-images
======
tghw
Security is not about guaranteeing anything, it's about making it more
difficult to break in. The lock on your front door does nothing to guarantee a
burglar won't enter your home, it just makes it more difficult to do so.

The examples he gives either have the potential of alerting the user to the
spoof (via the missing image) or require significantly more work to spoof the
user (via a complex proxy at the router level or obtaining a homographic URL).

Either way, the barrier to stealing users' credentials has gone up, which is
exactly what security measures are intended to do. Hardly useless, and
definitely not "worse than useless".

~~~
yid
Complex proxy?? You mean a headless browser like phantomjs and a slightly
higher latency apparent to the client. Hardly difficult, which leads to the
false sense of security these images provide. It's made slightly harder on the
order of minutes to write a few extra lines of code.

~~~
pbreit
It would probably need to be more complex than that if the bank is watching
for unexpected activity from individual IP addresses.

------
dfc
The article fails to recognize the value of the "security images" to the
banks. The banks have used these images to satisfy the requirements of the
FFIEC guidance "Authentication in an Internet Banking Environment"[1].

Any complaints about the value of the security images should not be addressed
to banks. You should direct your complaints to the FFIEC and/or to your banks
regulator (OTS, OCC or NCUA).

[1] http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20%28FFIEC%20Formated%29.pdf

~~~
latimer
Interesting, I've always wondered why so many banks use this system online
instead of something more robust like two-step auth.

~~~
mortehu
When I signed up for USAA, by default they had a silly authentication system
based on "security questions". I was very disappointed until I found out that
they support several mechanisms, and allow you to disable the ones you won't
use. Hence, I use the one where I combine my password with a token generated
by a mobile app. Maybe other banks have alternate authentication mechanisms
stashed away as well?

~~~
snowwrestler
They do. Bank of America, which to my knowledge is the largest bank that still
uses the "security image", also allows users to enable 2-factor authentication
via SMS.

~~~
yourapostasy
Not just via SMS, but you can also purchase a token card called a SafePass.

------
schabernakk
BMO, Bank of Montreal, uses these along with a security phrase. It's absolutely
ridiculous that this is mandated by some standard, but there is no guidance on
password strength itself. BMO has a strict 6-characters-only (no more, no
less) policy. Oh yeah, before anyone asks: no numbers, no special characters.
Choosable by the customer when opening the account.

~~~
cookiecaper
I find password restrictions often prohibit good but unconventional password
models, like the "actual phrase for a passphrase" crowd. I think the
possibility of an online brute force should already be near-zero for banking
apps, and if an offline brute force attack can be conducted, it's likely that
a) your password isn't going to matter much anymore and b) the typically
arbitrary password requirements set up by the site aren't going to do much to
stop any significant GPU-based hash attack.

The issue is that most people rely on memory to store passwords. Any term that
is memorable and meets most online password "standards" is short enough for an
offline brute force to break pretty quickly, especially if the attacker has
some decent resources. The answer to this is "real phrase" passphrases, but
many sites with password rules won't allow these.

~~~
politician
Also, per xkcd et al., rate limiting login attempts on a per-user and global
basis significantly increases the difficulty of brute-forcing access even
given password frequency lists.
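
The two limits the comment above names do different jobs: the per-user limit stops a burst against one account, while the global limit catches a slow spray of a few frequency-list guesses against many accounts, each of which stays under the per-user limit. The sliding-window limiter below is an added example written for this thread, not code from any bank or from the post under discussion; the thresholds (5 per user, 50 globally, 60-second window) and the `ManualClock` are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque


class ManualClock:
    """Constructed clock so the limiter can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginRateLimiter:
    """Sliding-window limiter on login attempts, keyed per user and globally.

    Every attempt is checked against both windows. Blocked attempts are not
    recorded, so a lockout clears once the window slides past the attempts
    that caused it (recording them instead would extend the lockout while the
    account is being hammered; either policy is defensible, this one is
    simpler to reason about).
    """

    def __init__(self, per_user_limit=5, global_limit=50,
                 window_seconds=60, clock=time.monotonic):
        self.per_user_limit = per_user_limit
        self.global_limit = global_limit
        self.window = window_seconds
        self.clock = clock
        self._per_user = defaultdict(deque)   # username -> attempt timestamps
        self._global = deque()                # all attempt timestamps

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, username):
        """Record one login attempt for `username`; return (allowed, reason)."""
        now = self.clock()
        user_q = self._per_user[username]
        self._prune(user_q, now)
        self._prune(self._global, now)
        if len(user_q) >= self.per_user_limit:
            return False, "per-user limit"
        if len(self._global) >= self.global_limit:
            return False, "global limit"
        user_q.append(now)
        self._global.append(now)
        return True, "ok"


def simulate(limiter, attempts):
    """Feed a constructed sequence of usernames; return (allowed, blocked) counts."""
    allowed = blocked = 0
    for user in attempts:
        ok, _ = limiter.allow(user)
        if ok:
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    clock = ManualClock()
    lim = LoginRateLimiter(clock=clock)
    # Constructed spray: 20 accounts, 3 guesses each, all under the per-user limit.
    spray = [f"user{i}" for i in range(20) for _ in range(3)]
    print(simulate(lim, spray))   # the global window is what stops this one
```

Only the global limit fires in the spray case, which is the point of keeping both; a per-user limit alone leaves the "three most common passwords against every account" strategy untouched.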

------
Hello71
Unless, of course, a reasonable implementation were used, tying the image to a
cookie and using the browser security to prevent it being sent to different
domains; if you're on a subdomain of a bank already, there are far more
effective ways to execute an attack.

~~~
boydster2
This is exactly how Yahoo implemented this. The downside is that you have to
select a new "sign in seal" for each browser/computer that you use.

~~~
jtokoph
All an attacker has to do is present the "we don't remember this computer"
screen and ask them to set up a new image once they "log in".
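
Hello71's point above is that the image should be keyed to a per-browser cookie rather than to the username, so that knowing the name alone (DenisM's "fetch the image and give it to you" case) returns nothing; jtokoph's reply is that the enrollment step for an unrecognized browser then becomes the part that has to be protected. The sketch below contrasts the two lookups and gates enrollment on a stronger check, as san86 suggests. It is an added example written for this thread, not code from Yahoo, Passmark or any bank; the users, image names, `SERVER_KEY` and the `step_up_passed` flag are constructed, and the step-up itself (challenge questions, an OTP) is left as a boolean the caller supplies.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory state standing in for the site's database.
USER_IMAGES = {"alice": "image:red_canoe.png", "bob": "image:blue_kite.png"}
SERVER_KEY = secrets.token_bytes(32)   # stays server-side; never sent to a client
ENROLLED_DEVICES = {}                  # device_id -> username


def naive_image_for(username):
    """Image keyed only to the username.

    Anyone who can type the username into the real site gets the image back,
    which is exactly what a lookalike site relays to its victim.
    """
    return USER_IMAGES.get(username)


def enroll_device(username, step_up_passed):
    """Bind a new browser to the account and return the cookie value to set.

    Enrollment is the step a lookalike site imitates ("we don't remember this
    computer"), so it only proceeds after a stronger check than the password.
    The cookie should be set with Secure, HttpOnly and SameSite and scoped to
    the bank's host, so the browser never presents it to another domain.
    """
    if not step_up_passed:
        return None
    device_id = secrets.token_urlsafe(16)
    ENROLLED_DEVICES[device_id] = username
    # HMAC lets the server reject forged or garbled cookies before any lookup.
    tag = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def image_for_cookie(cookie):
    """Return the image only for a validly signed cookie of an enrolled browser."""
    try:
        device_id, tag = cookie.split(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    username = ENROLLED_DEVICES.get(device_id)
    return USER_IMAGES.get(username)


if __name__ == "__main__":
    print(naive_image_for("alice"))                 # username alone suffices
    cookie = enroll_device("alice", step_up_passed=True)
    print(image_for_cookie(cookie))                 # same image, but cookie-bound
    print(image_for_cookie("forged.0000"))          # None: no cookie, no image
```

What the cookie-bound lookup does not fix is the habituated enrollment flow: if users are used to re-picking an image on every unrecognized browser, a lookalike site can walk them through that flow without ever needing the real image. That is why the step-up check belongs on enrollment rather than on the image fetch.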

------
san86
This could work if security questions (not the best form of security by
itself) are asked if the request comes from a "not previously used" computer.
So that way, if the phishing site is sending a request on my behalf, they
would have to answer my challenge questions (i.e. w/o human intervention)
before getting to the image... that kinda makes life harder for an attacker...
of course the logic of identifying the "first time you are using this machine"
thing needs to be non-stupid (for lack of a better word).

------
chmike
The image is a way for the user to "manually" authenticate the server. It's a
weak authentication because an attacker could easily get a copy of this image
once he knows the user identifier and forge an apparently valid page.

The most secure authentication is the one using security cards/keys with a
challenge code sent by the bank and the response returned by the key using
bi-key cryptography. The one with USB connections would be most efficient,
convenient and secure.

NFC on phones may look more attractive, but phones are insecure.

------
nathanhammond
This is part of a system called Passmark which was acquired by RSA many years
ago.

As part of the newest releases of RSA's security approach it has been
deprecated. In a few years you won't see this anywhere on the web (or, if you
do, you'll know that the login and security portion of that site hasn't been
looked at in years... also scary).

The banking industry is moving toward one-time passwords sent out-of-band
and/or Google Authenticator for "something you have."

------
Havoc
I kinda like my bank's implementation of it: Social security number equivalent
for username, then you get the security phrase on the same page where you type
in the password, then you get a two factor auth page (cellphone).

So it helps for when you fuck up the username or something else is weird, but
security doesn't really rely on it.

Though I don't think there are any banks in my country that don't use 2
factor, so it's a bit of a moot point anyway.

~~~
KMag
Count yourself lucky for living in a country where your national ID number
isn't assumed to be some kind of non-revokable terrible 9-digit
pencil-and-paper OAuth token that's shared with half the world. I'm told that
Norway's tax IDs are considered no less secret than phone numbers.

Coming from the US, I mis-parsed your post as (Social Security number)
(equivalent for username) on first read and thought "That's so backwards!
They're treating SSNs as less important than passwords". It's probably better
to say "national ID number" or "national tax ID" rather than "Social security
number equivalent".

------
Spooky23
The blog post is worse than useless.

The images give you as a user a sense of situational awareness -- I know based
on the picture which of a half dozen accounts I have (personal, IRA, business,
etc) I'm logging into.

They also make it more difficult to misdirect people to a lookalike site via
phishing. Even old people recognize that their login picture, normally
prominently displayed, is missing.

~~~
peeters
> The images give you as a user a sense of situational awareness -- I know
> based on the picture which of a half dozen accounts I have (personal, IRA,
> business, etc) I'm logging into.

Cool you found a use for them, but that's not why they're there. Almost always
when you're being asked to choose one, it's "for your security..."

> They also make it more difficult to misdirect people to a lookalike site via
> phishing. Even old people recognize that their login picture, normally
> prominently displayed, is missing.

First, it's not hard to mirror the interactions of the real site (there's
actually a section in the post about sophisticated attacks which addresses
this).

Second, I doubt very much that old people would notice anything missing,
particularly if you masked it as a site redesign/upgrade. I myself am a fairly
cautious user, but would I notice if the site for the MasterCard I recently
got, which I've logged into maybe 3-4 times and never more than once a month,
asked for my username and password up front rather than in a 2-stage format? I
honestly doubt I would.

~~~
slavak
I think old people and the less tech-savvy users are exactly the people who
would notice something like this.

The less a person understands about computers, the more they rely on habit to
use them. My mother calls me to ask what she should do whenever the tiniest
change or unexpected balloon pop-up appears. The answer is invariably the
same: "Ignore it". But she calls every time, without fail, regardless.

So you might not notice the security image at all. My mother, who's used to
her bank website always looking a certain way, will become very concerned when
the security image is missing.

~~~
Gigablah
That's exactly how my mother behaves as well. She does online stock trading so
she has good reason to be cautious.

------
mrslx
Passwords ID you to the entity. Images ID the entity to you.

While not a perfect system, it works to some degree IMO. I still prefer
two-fold auth.

~~~
DenisM
The image does not ID the system to you, that's the whole point of the
article! A spoofer site would simply go to the spoofed site, fetch the image,
and give it to you.

~~~
derefr
Theoretically, the image could be stored as a blob in your localStorage,
encrypted with the server's public key. When you go to the bank's site, a bit
of AJAX pops it up to them, they decrypt it server-side, then serve it back to
you as an image (all over SSL, please.) The phisher can try to do all the same
steps, but without the originator's private key, they'll be left with a
useless encrypted blob that can't be turned into a servable image.

~~~
cookiecaper
Will never happen because it would make it way too hard to access your account
on other computers.

~~~
Gigablah
The way this mechanism works, you're supposed to go through the image
personalization step on each computer you access the account with anyway. (And
if you use localStorage, that makes it per-browser).

------
subpixel
Exactly: http://ryandeussing.com/blog/2011/11/14/corn-on-the-cob-security/

