Security Images On Bank Log-In Pages Are 'Worse Than Useless'

HardOCP News

Although we are only at the halfway point, I think it is probably safe to say this is the quote of the day.

“I would call [security images] worse than useless,” says Avivah Litan, vice president of information security and privacy at the Stamford, Conn.-based research company Gartner Inc. “That bad guy is just sitting on your machine waiting for you to log in and look at the image, and then they’re in.”
 
Well, a vault is useless if a thief is standing over your shoulder while you enter the combination. If someone already has that level of access to your computer, then nothing these sites do is going to protect you.
 
About a decade ago, banks began introducing security images — photos of beaches, teapots, coffee and foods, among other options users can select from — as a way to show customers that the web page they were logging into was legitimate and not a phony website designed by a fraudster.

What?! I thought the image was so that the website knew you were a real person and not a bot, like that of captcha. Am I misunderstanding something here about the use of images?
 

No, no. It's an image you choose so that when you log in it shows the image; this is so you know it isn't an imposter website trying to phish your login information. You type in your username and it shows the image, then you decide to put in the password. Yes, it is easy to get if I know your username, but as said, once you social engineer enough info there really is no security that will stop it.
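A constructed model of the two-step flow described in this post (added here as an illustration; it is not code from the thread or from any bank). It shows that in the flow as described the image lookup depends on nothing but the username, and adds a device-token variant as an assumed hardening that the thread does not mention.

```python
import hashlib
import hmac
import secrets

# Constructed model of a "security image" login; usernames, passwords
# and images are made up for the example.

class SecurityImageLogin:
    def __init__(self):
        self._users = {}          # username -> (image, salt, password_hash)
        self._device_tokens = {}  # token -> username; token lives in a browser cookie

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username, password, image):
        """User picks an image at enrollment; the browser is issued a device token."""
        salt = secrets.token_bytes(16)
        self._users[username] = (image, salt, self._hash(password, salt))
        token = secrets.token_urlsafe(16)
        self._device_tokens[token] = username
        return token

    def naive_image(self, username):
        """Step 1 as the thread describes it: username in, image out.
        The image depends only on the username, so anyone who knows the
        username can fetch it, which is the weakness the post points out."""
        rec = self._users.get(username)
        return rec[0] if rec else None

    def bound_image(self, username, device_token):
        """Assumed hardening (not in the thread): show the image only to a
        browser holding the token issued at enrollment. This still does nothing
        against malware on that browser, which sees the cookie and the image."""
        if self._device_tokens.get(device_token) != username:
            return None
        return self.naive_image(username)

    def step2_password(self, username, password):
        """Step 2: the user saw the expected image and now submits the password."""
        rec = self._users.get(username)
        if rec is None:
            return False
        _, salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))
```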
 

Gotcha. Kinda like the login picture on Windows :D
 
Why is it that I get the impression that the financial institutions favor convenience over good solid security measures? Let's see here:
  • Only recently deployed chipped cards in the US (Europe has had them for over ten years)
  • Only chip-and-sign instead of chip-and-PIN (Europe uses chip-and-PIN)
  • Short, non-complex passwords (I've seen Web forums with longer and more complex passwords available)
  • MAYBE verification using SMS message (gaming services such as battle.net and Steam use two-factor authentication)
 

I'm going to be honest, I already hate the chip cards. They don't offer any meaningful security to me and they take 10x longer to work. I want to swipe and go, not stand there while the card fucking thinks about it. It literally takes no time at all to cancel a stolen card or dispute fraudulent charges. The ones in Europe might be better, but the ones we got suck dick. I want my mag cards back.
 

Because the average customer wants convenience over security. Sure, everyone whines about lack of security, but the second you require dual auth, two-factor authentication, or mandatory size-X passwords, the consumer nuts up and bitches that it is a bad customer experience.

Chip and PIN has been compromised since 2011. It is just more of a pain in the ass to compromise the card. I have been to several merchants that are using chip and PIN in the US the last few months, and every damn time someone in front of or behind me in line bitches because it takes too long or they didn't know their PIN.
 