
Security is not about guaranteeing anything, it's about making it more difficult to break in. The lock on your front door does nothing to guarantee a burglar won't enter your home, it just makes it more difficult to do so.

The examples he gives either have the potential of alerting the user to the spoof (via the missing image) or require significantly more work to spoof the user (via a complex proxy at the router level or obtaining a homographic URL).

Either way, the barrier to stealing users' credentials has gone up, which is exactly what security measures are intended to do. Hardly useless, and definitely not "worse than useless".




It's more complicated than that. Like physical security, computer security is applied risk management.

Your house probably doesn't have solid metal doors, metal bars over the windows, laser tripwires, a patrolling security guard, and angry Doberman Pinschers. All of those things would increase your home's security, but the cost of the security probably doesn't make sense compared to the risks involved with your house getting burgled.

Similarly, Hacker News doesn't require client TLS certificates, two-factor authentication, and insanely complex passwords. The risk of horrible and/or costly things happening because someone's HN account got broken into really isn't there, so implementing those security measures doesn't make much sense.

Even if the author's bank's security picture doesn't actually decrease fraud at all, the security picture was probably cheap to implement, required minimal user and employee training, and keeps the lawyers and regulators happy. The bank's risk exposure decreases, even if the author's doesn't.


> ... the security picture was probably cheap to implement ...

Although the implementation might have been cheap, there's another factor to consider:

If a system provides a false sense of security, this almost certainly decreases the actual security of the system.

And putting effort (no matter how cheap) into something that decreases the overall security - that's not a good idea regarding risk management.


Not having the image provides even less certainty of security.

You assume that the image being there will make people less likely to check other aspects of the site, like the URL. But consider the average user. Spoofing and phishing attacks work because people don't check these things.

The security image is difficult to spoof and is more likely to clue average users in to attacks. Therefore, it is useful as a security device and is not worse than not having it.


^this.

Also, security images enable other methods for making attackers' lives difficult. Note that forcing proxies to grab the images allows the bank to focus on the IPs that request the highest number of images, or at least block known Tor exit nodes. Sure this forces people running Tor exit nodes to call in, but the percentage is so small that the bank won't care.
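The IP-counting idea in the comment above, as an added example that is not code from the thread or from any bank. It runs a small detector over constructed access-log lines: the log sample, the IP addresses, the image path and the Tor exit-node set are all made up for the illustration, and the threshold is an assumption.

```python
"""Added example (not from the thread or any bank): flag sources that fetch
security images for many different usernames, the kind of relay traffic the
comment above says a bank can watch for.  Log lines, IPs, the image path and
the exit-node list are all constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed access-log sample (Combined Log Format prefix, not real traffic).
LOG = """\
203.0.113.7 - - [31/Jan/2013:10:00:01 +0000] "GET /login/secimage?u=alice HTTP/1.1" 200 4311
203.0.113.7 - - [31/Jan/2013:10:00:09 +0000] "GET /login/secimage?u=bob HTTP/1.1" 200 3902
203.0.113.7 - - [31/Jan/2013:10:00:15 +0000] "GET /login/secimage?u=carol HTTP/1.1" 200 5120
203.0.113.7 - - [31/Jan/2013:10:00:22 +0000] "GET /login/secimage?u=dave HTTP/1.1" 200 4480
203.0.113.7 - - [31/Jan/2013:10:00:30 +0000] "GET /login/secimage?u=eve HTTP/1.1" 404 120
192.0.2.44 - - [31/Jan/2013:10:01:03 +0000] "GET /login/secimage?u=erin HTTP/1.1" 200 4017
198.51.100.23 - - [31/Jan/2013:10:02:11 +0000] "GET /login/secimage?u=frank HTTP/1.1" 200 3888
192.0.2.44 - - [31/Jan/2013:10:05:40 +0000] "GET /login/secimage?u=erin HTTP/1.1" 200 4017
192.0.2.44 - - [31/Jan/2013:10:06:00 +0000] "GET /login/ HTTP/1.1" 200 2210
"""

# Constructed stand-in for a Tor exit-node list (a bank would pull a real one).
TOR_EXIT_NODES = {"198.51.100.23"}

IMAGE_PATH = "/login/secimage"  # assumed endpoint that serves the security image
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_image_requests(log_text):
    """Yield (ip, username) for every successful security-image fetch."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, method, path, status = m.groups()
        parsed = urlparse(path)
        if method != "GET" or status != "200" or parsed.path != IMAGE_PATH:
            continue
        user = parse_qs(parsed.query).get("u", [""])[0]
        if user:
            yield ip, user


def find_suspicious_sources(log_text, threshold=3):
    """Count distinct usernames per source IP rather than raw hits: a home NAT
    or office proxy repeats a few users many times, while a phishing relay
    walks through many users once each.  Known Tor exits are flagged outright."""
    users_by_ip = defaultdict(set)
    for ip, user in parse_image_requests(log_text):
        users_by_ip[ip].add(user)
    flagged = {}
    for ip, users in users_by_ip.items():
        reasons = []
        if len(users) >= threshold:
            reasons.append(f"images fetched for {len(users)} distinct usernames")
        if ip in TOR_EXIT_NODES:
            reasons.append("known Tor exit node")
        if reasons:
            flagged[ip] = {"distinct_users": len(users), "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for ip, info in find_suspicious_sources(LOG).items():
        print(ip, info)
```

Counting distinct usernames rather than requests is what separates the relay from a shared home or office address; the Tor rule is the blunt instrument the comment describes, and it carries exactly the cost mentioned there: legitimate users behind an exit node have to phone in.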


Complex proxy?? You mean a headless browser like phantomjs and a slightly higher latency apparent to the client. Hardly difficult, which leads to the false sense of security these images provide. It's made slightly harder on the order of minutes to write a few extra lines of code.


It would probably need to be more complex than that if the bank is watching for unexpected activity from individual IP addresses.


The code for the proxy itself isn't that complex, no. But it would have to be tailored to the target's banking site. Again, not extremely complex, but more difficult. And actually implementing the attack, including getting a homographic URL or rogue router, is quite a bit more difficult.

Again, the point is that the security image makes the attackers' lives more difficult. The image lends no "false sense of security" because without the image, you'd have the same sense of security.


I'm always surprised when I write a scraper/proxy (usually in perl) at how little added latency is involved. If I host the thing on a fat pipe (say an EC2 instance), it's not even noticeable at home.


To add to that, the security image can potentially raise the barrier a lot more than the author let on. Usually [1], the bank asks you to answer a security question before showing you the personal security image. Most people don't see this because they check the "remember this computer" option the first time they log in, so even showing the security question so that one can grab the image will seem suspicious to many users.

[1] I just tested this with Ally (the bank shown in the blog post) and I remember it being true with ING Direct. I haven't tested other banks.


No, it really is worse than useless. It is trivial to fetch the image - anyone with a passing familiarity with jQuery can probably do it.


Maybe I'm missing your point but you can't do cross-domain requests in jQuery (without JSONP) so it would still require a server layer.


Whoops, yes of course. Still pretty easy to set up.


If doing it from the server side, I think you'll find that you have to answer the user's security questions before you'll be able to scrape the security image and phrase.

http://news.ycombinator.com/item?id=5160424


The whole point of this kind of man-in-the-middle phishing is that you present a fake page just like the bank's page. Then when they submit whatever it is they have to submit, you do the same via your server and then present them with the next page and so on until you are logged in.

More steps are more work for the attacker but that's not a big deal. The issue is that the security image isn't just another layer. It's a layer that the bank is making a guarantee about that it can't back up. They don't say, "Pick a security image to make it slightly harder for phishers." They say, "Pick or upload your own image so that you really know you're on our site."


You didn't bother to read my other comment that I linked to:

"Most people don't see this because they check the "remember this computer" option the first time they login, so even showing the security question so that one can grab the image will seem suspicious to many users."


I did read it, but I didn't address it directly enough. It seems like there are a few red herrings popping up in this conversation. Homographic URLs, for example. Similarly, if users are used to being logged in, or recognized, due to the presence of a cookie in their browser, then, yes, they are going to see something different. But that can hold true regardless of whether security images are used or not.

What a phisher can do is emulate the 'clean' state. Not logged in, no cookie. Some users will get suspicious and leave the site, sure. It's like a sales funnel, you don't have to convert every visit to make money.

My problem with security images is not that they would never do any good, but that they will do more harm than good. They basically make a promise that they can't keep.

To deal more specifically with your example: I'm not sure what the most prevalent system is but the default one described doesn't involve an extra security question. The image is presented after the user enters their username but before they are asked for their password. If the site follows this flow, then we have a problem. Now in your case the flow is a little different.

It seems to me that showing users a different page based on a cookie is a good idea in that if a user hits the no-cookie version, they might be alerted. But the good part doesn't have anything to do with security images.

As others have posted, the real value of security images is not their security. It's marketing and compliance.


> What a phisher can do is emulate the 'clean' state. Not logged in, no cookie. Some users will get suspicious and leave the site, sure.

Agreed. Where we disagree seems to be regarding what constitutes "some" users. I contend that it's a large enough portion of the total that the security images do more good than harm. I admit that my position is based on intuition. If you have evidence to the contrary, please share it. (That's not meant to be snarky. I really would prefer basing my position on evidence than intuition.)

> I'm not sure what the most prevalent system is but the default one described doesn't involve an extra security question. The image is presented after the user enters their username but before they are asked for their password. If the site follows this flow, then we have a problem. Now in your case the flow is a little different.

I don't know what's most prevalent either. As I mentioned in my other comment, I've sampled too few banks to draw a conclusion, but 100% of the ones I've looked at ask a security question to register your computer before showing the security image. There's a chance I got lucky in the few that I sampled and the rest don't ask a security question, in which case, you'd be right---it'd be trivial to defeat in that case. I just don't see any evidence that that's true.

What do you mean by "the default one described?" Do you mean the one described in the blog post? If so, the screen shot in the blog post is from Ally Bank's website, which is one of the banks that I confirmed does ask a security question before displaying the security image.

> It seems to me that showing users a different page based on a cookie is a good idea in that if a user hits the no-cookie version, they might be alerted. But the good part doesn't have anything to do with security images.

The cookied version of a page must be sufficiently unique per user. Otherwise the phisher could emulate the cookied version of the page. You haven't proposed an alternative to the security images, so I'm not sure what you're suggesting here.

> As others have posted, the real value of security images is not their security. It's marketing and compliance.

This is just an appeal to cynicism and doesn't add to the debate.
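The flow the thread has been arguing over, as an added simulation that is not code from the thread, from Ally, or from any bank. It models three things at once: the relaying phisher described in the "man-in-the-middle phishing" comment, the "remember this computer" question step that a registered browser skips, and the point that the cookied page has to be unique per user. The user record, the question and answer, the image file name, the step names and the HMAC-signed device token are all constructed assumptions about how such a flow might be built, not a description of any real site.

```python
"""Added simulation (not from the thread or any bank) of the security-image
login flow the comments above argue about.  Assumed flow:
  1. client submits a username
  2. if the request carries a valid 'remember this computer' token for that
     user, the bank answers with the security image straight away
  3. otherwise the bank answers with a security question; a correct answer
     yields the image plus a fresh device token for the browser to keep
Names, records, question, image file and token format are all constructed.
"""
import hashlib
import hmac
import secrets

# Bank-side secret used to sign device tokens (constructed, regenerated per run).
SERVER_KEY = secrets.token_bytes(32)

# Constructed user table: username -> (security question, answer, image file).
USERS = {"alice": ("Name of your first pet?", "rex", "dog.png")}


def make_device_token(username, device_id):
    """Token = device_id:HMAC(key, username:device_id).  Binding the MAC to the
    username is what makes the cookied page unique per user: a token issued to
    alice does not unlock bob's image, and a phisher cannot mint one."""
    mac = hmac.new(SERVER_KEY, f"{username}:{device_id}".encode(), hashlib.sha256)
    return f"{device_id}:{mac.hexdigest()}"


def verify_device_token(username, token):
    """Constant-time check that the token was issued for this username."""
    device_id, _, mac = token.partition(":")
    expected = hmac.new(SERVER_KEY, f"{username}:{device_id}".encode(), hashlib.sha256)
    return hmac.compare_digest(mac, expected.hexdigest())


class Bank:
    """The real site.  User-enumeration defences are out of scope here."""

    def submit_username(self, username, device_token=None):
        question, _, image = USERS[username]
        if device_token and verify_device_token(username, device_token):
            return {"step": "image", "image": image}
        return {"step": "question", "question": question}

    def submit_answer(self, username, answer):
        _, expected, image = USERS[username]
        if not hmac.compare_digest(answer.strip().lower(), expected):
            return {"step": "denied"}
        token = make_device_token(username, secrets.token_hex(8))
        return {"step": "image", "image": image, "device_token": token}


class RelayPhisher:
    """Fake page that forwards each submission to the real bank and echoes the
    reply, as the 'man-in-the-middle phishing' comment describes.  It never
    holds the victim's device token, so the bank always serves it the question."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = []

    def submit_username(self, username):
        self.captured.append(("username", username))
        return self.bank.submit_username(username)  # no device_token to send

    def submit_answer(self, username, answer):
        self.captured.append(("answer", answer))
        return self.bank.submit_answer(username, answer)


def returning_user_direct(bank):
    """Browser that registered earlier goes straight to the image."""
    token = bank.submit_answer("alice", "rex")["device_token"]
    return bank.submit_username("alice", device_token=token)["step"]


def returning_user_via_phisher(bank, answers_question):
    """Same user through the relay.  The unexpected question is the only tell;
    if the user answers it anyway, the relay now holds answer and image."""
    phisher = RelayPhisher(bank)
    first = phisher.submit_username("alice")
    if first["step"] == "question" and answers_question:
        second = phisher.submit_answer("alice", "rex")
        return first["step"], second["image"], phisher.captured
    return first["step"], first.get("image"), phisher.captured
```

Run through, the simulation lands on the point both sides of the thread concede: the relay cannot forge the device token, so it is always shown the question step, and that step is the one signal a registered user can notice. If the user answers it anyway, the relay has the image and can finish the funnel. Whether enough users stop at the question is the empirical question the thread leaves open; the code only shows where the opportunity to stop sits.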


Good response.

I've been basing my opinion on earlier uses of security images which were as I described, but I should not have called that the 'default' as I have no idea what is the most prevalent type. I know BoA had a system like that years ago.

I will say now that if you are _only_ showing the image to cookied users, then I don't have a problem with it.

I just reread the blog post to see how it is described there and the author doesn't make the distinction. But I can see both the username and the security phrase in the screenshots and you say that they come from Ally Bank (or another bank using the same software, I guess). So my criticism stands for the system _described_ in the blog post but not the one depicted.

As for the charge of cynicism: fair because I didn't go into any details. For the compliance angle, I was relying on this comment further down [1]. As far as marketing goes, it's similar to the little SSL padlock/shield icons on the bottom of a page. It's just theatre. Well, in fact they are supposed to be links to authenticating sites, but in practice it's all about assuaging users' concerns. (OK, that's my inner cynic again).

[1] http://news.ycombinator.com/item?id=5158212


Sounds like we're on the same page then. Glad we got that sorted out.


How is it worse?

And how exactly do you plan on serving the image to the user? Do you have a rogue router? Or a homographic URL?

And consider, if you do have either of those things, then you can do so much more than spoofing an image, like reading all traffic, including SSL.


Hold on a second, we're just talking about security images, not debating the whole phishing paradigm. Which would be futile, by the way, because phishing happens all the time - sometimes with homographic urls, sometimes without. As for rogue routers in the rest, you don't need that kind of thing at all. Most phishing is just getting gullible people to click on links in their inbox.

While it's true that adding security images will make the phisher's job a little harder (and yes, you will need a server but then the phisher is serving this page up somewhere already) it doesn't add that much work. And now you have a situation where you've told your users: "If you don't see the image, it's not secure. If you do see the image, you're in the clear!" You're completely undermining them. Don't you think a user is going to look at things a lot less critically if they see their pet dog or whatever staring back at them?

That's why it's worse. It creates a small amount of extra work for phishers, but once they've done that, they are in a much better position. It's like a bad gambit in chess.



