Worse Than Useless: Personal Security Images
I recently signed up for a new savings account online and was dismayed to find that the “Personal Security Image” is still alive and well. I first saw this implemented a few years ago on another banking site, and I was as baffled then as I am now. Who is deciding that these are a good idea, and how, exactly, did they convince me to give them my money?
I understand the premise: when Eddy B. signs up for access, he selects an image from a gallery (and often writes an accompanying phrase or caption) which is then displayed to him on all subsequent logins. The idea is that Eddy will become accustomed to these elements and, if tricked into visiting a phishing site, he will notice that the image and phrase aren’t right and won’t enter his password.
At first glance this might seem like a reasonable precaution, so what’s the problem? Let us, for a moment, step into the shoes (baby seal leather, no doubt) of an attacker who is building a site to trick bank customers into entering their login details. We are going to be one of two kinds of bad guy: sophisticated or not.
As unsophisticated attackers, we don’t care about savvy users; we’re going after the absent-minded and the elderly. Our approach is simple: we replace the image with a nice error message (“Sorry, your security image is temporarily unavailable.”) or remove it entirely. The kind of quarry we’re trying to snare isn’t going to notice anyway; the link they’ve just clicked was embedded in a poorly-written email and the URL of the page they’re looking at bears no resemblance to their bank’s. We might even be actively trying to avoid anyone who might catch on.
Moving on to sophisticated attackers: the phishing URL we’ve crafted probably looks very much like the legitimate one or, if we’ve been really clever, is exactly the same. We’ve also written a bit of code that forwards all of our new clients’ requests to the real bank site (via Tor, no less). Our user enters her username, which we send to the bank, and the bank cheerily returns the correct security image to us. One “Incorrect Password” error later, our client is redirected to the real login page and we walk away with her password.
The bank’s security image is protecting only a narrow range of users (those just alert enough to notice their image is missing or wrong without noticing the other signs of a shoddy attack) from a narrow range of attackers (those just sophisticated enough to build a phishing site but not enough to proxy requests to the real site). For everyone else it provides a false sense of security or, in the worst case, fools someone into believing the legitimacy of a sophisticated attack site when there are other reasons to be suspicious.
So, who is building these security systems? I hope they are the product of competent security engineers trying to meet some ill-conceived compliance requirements, which would be a reasonable explanation but not a good excuse. Unfortunately, it seems much more likely that they are either the output of barely-competent committees or, worse, intentional security theatre. In either case, they are Worse Than Useless.
Edit: There is some interesting discussion on Hacker News (thank you Google Analytics). User dfc suggests these images are a result of regulation, which was what I was getting at with “compliance requirements” above. I hope that is the case, though it still isn’t good. As dfc puts it: “the authentication systems are not put in place to manage customer risk, they are put into place to manage regulatory risk.”