
My bank's Online Banking feature doesn't use usernames. Instead, they assigned me a digit-only account number*. To log in, I enter my number, then it brings me to a new page to prompt for my password. However, on the password page there is an image that I selected from a list of hundreds of images, as well as a caption, presumably in the event that you fat-finger your number. (for example: [picture of a rock] 'A cool lookin rock')

Is there any value gained in using this method of security? Is there a particular feature of this method that could be changed/dropped to enhance security? Should I be writing my bank an email?

Some Caveats:

  • I've tested with a few random numbers (and characters), they result in a password prompting page with one of the images and a generic caption
  • The picture captions share a similar format: they're always in lowercase and describe the image
  • There doesn't appear to be any form of Captcha on either the login or password page.

*Note: Not the same as my bank account number (I would have run).

schil227
    This question has been asked before. https://security.stackexchange.com/questions/19155/effectiveness-of-security-images – mootmoot Apr 10 '17 at 16:02
  • I don't see this post as primarily about images.. it is about being issued a user ID instead of picking one. – John Wu Apr 10 '17 at 20:30
  • UserID is related to the user credential (who the user is). Security Images are related to authenticating the server to the user (yes this is my bank and not a fake bank). These are not the same, not a duplicate of that question. – Trey Blalock Apr 11 '17 at 06:52

1 Answer

Is there any value gained in using this method of security?

A bit, but not much (which is why it is not common).

By issuing you a user ID instead of having you pick it, the bank has hardened the Online Banking enrollment flow against hackers interested in farming user IDs. If you were able to pick it, you could try out various user IDs to see if they are already taken.

Now if they issued you your password, that would be a different matter (it would be really bad).

Is there a particular feature of this method that could be changed/dropped to enhance security?

Eh, not really. I suppose they could make the identifier alphanumeric to increase entropy, but perhaps they don't want to risk introducing offensive words randomly. And you can get the same entropy increase by adding more digits.

Should I be writing my bank an email?

No. They probably thought about this quite a bit. If a hacker compromised your account, they are liable for the loss, not you, assuming they are a member of FDIC.

I've tested with a few random numbers (and characters), they result in a password prompting page with one of the images and a generic caption

If their system is designed properly, those should be fakes. A user ID should be hard to guess. If they are sequential, there is definitely an issue.

The picture captions share a similar format: they're always in lowercase and describe the image

The captions are just there for 508/ADA/WCAG compliance. Blind users can't see the images but they can have a screenreader read them the captions.

There doesn't appear to be any form of Captcha on either the login or password page.

Most users hate CAPTCHA, and it's not really necessary if they implement a proper lockout mechanism with a timed automatic lockout release.

John Wu