
Over the past year or so, I've noticed that all of the banking organizations I work with that have or had "security images" as part of their login process have removed or are planning to remove that feature. Such organizations include Ally Bank, Bank of America, and Amazon Store Card by Synchrony Bank. I thought the purpose of that feature was to make login more secure, so why are they removing the feature? Is there some newly-discovered theory or some such that has made companies feel that this is a feature that should be removed?

1 Answer


One of your links refers to SiteKey (BOA): actually there is an interesting study on it conducted by Harvard University, which I recommend you read: The Emperor’s New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies.

First, this technique was seen as a defense-in-depth strategy intended mainly to help foil phishing attacks. Nevertheless, studies such as the one mentioned above show this technique is a worthless measure, as it is less effective than one might think.

Actually, the above empirical study, for example, proves that users have been attacked with two types of attacks: phishing attacks and MITM attacks (SSL stripping).

The study above was performed on 3 groups of users:

  • Group 1: users perform banking tasks using their credentials on their own banking web site
  • Group 2: users perform banking tasks every Sunday afternoon
  • Group 3: similar to Group 2, but users were taught additional instructions to behave securely.

Researchers (who played the role of an attacker) offered login pages with security images where https:// is substituted by http://: all users (in the three groups) typed their credentials.

When the attackers removed the authentication images and replaced them with warning messages such as "This service is being upgraded", 99% of the users (including the ones who had been taught security behaviors) typed their credentials.

Conclusion: as security images are not fulfilling what they are supposed to prevent, some online applications decided to use something else instead.