The login prompt for my student loan repayment site has two parts. You first enter your username, then it shows you an image as well as a password prompt. I picked the image when I first made my account from a few other potential images. However I don't see how this increases the security of the account at all. What's going on here?
2 – [It doesn't really do anything.](https://security.stackexchange.com/questions/19155/effectiveness-of-security-images?s=1|2.3587) – Stephen Touset Jul 19 '17 at 15:43
4 – The rough idea of this is that it's an anti-phishing technique. It prevents an attacker from grabbing the HTML from whatever organisation and spinning up a copycat website into which you may enter credentials or financial data. You will remember what image you selected; if it differs, you won't enter sensitive data. The attackers would have to breach the provider / MITM your connection to gain the image - much more effort than copying a website. [This is not to say they are effective] – iainpb Jul 19 '17 at 15:44
2 Answers
I presume this to be a form of mutual authentication. You're being shown an image you had selected earlier. This way you can trust that the incoming data is from the original service provider. I am unsure of the effectiveness of the same, especially in an MiTM attack.
It seems like a sort of captcha meant to prevent banking trojans from logging into your student loan account. These trojans are a sort of malware that are written to capture login credentials of users. In the event that you get infected and your credentials get stolen, the trojan would also have to enter the captcha.
However, in this case, if the "captcha" image is the same every time, then the banking trojan or malware will end up keylogging the captcha word as well ("http:") and there is no real effective protection against the bot logging in since it also knows what the captcha word is.
It seems like someone had the right idea but the implementation is flawed.
Another possibility, as someone pointed out, is that it is meant to protect against phishing pages masquerading as your bank. Even if they can make the page look like your student loan login page, that image is pulled from a database according to what you selected previously. There is no way for an attacker to know that if it's a generic phishing attempt targeted towards many users. You notice the lack of an image, or presence of incorrect image, and refrain from surrendering your credentials at a phishing page.
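To make the mechanism both answers describe concrete, here is an added toy model of the two-step "security image" login (example code, not from the original post or from any real site). The class and function names, the image list and the user data are all assumptions; it shows the genuine site returning the user's stored image in step 1, a generic phishing page that has no such database and so cannot, and the user's rule of only typing the password when the image matches.

```python
import hashlib
import hmac
import secrets

IMAGES = ["cat", "dog", "boat"]  # constructed: the images a user may pick at sign-up


class SecurityImageLogin:
    """Toy server for a username -> image -> password login flow (assumed design)."""

    def __init__(self, images):
        self._images = images
        self._users = {}  # username -> {"image": str, "salt": bytes, "hash": bytes}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, chosen_image):
        if chosen_image not in self._images:
            raise ValueError("unknown image")
        salt = secrets.token_bytes(16)
        self._users[username] = {"image": chosen_image, "salt": salt,
                                 "hash": self._derive(password, salt)}

    def step1_image_for(self, username):
        """Step 1: look up the image this user chose when the account was created.
        Unknown usernames get a deterministic decoy from the same list so the
        response does not reveal whether the account exists (a defensive choice
        added here, not something the original post states)."""
        user = self._users.get(username)
        if user is not None:
            return user["image"]
        digest = hashlib.sha256(username.encode()).digest()
        return self._images[digest[0] % len(self._images)]

    def step2_check_password(self, username, password):
        """Step 2: verify the password only after the image was shown."""
        user = self._users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], self._derive(password, user["salt"]))


def phishing_page_image_for(username):
    """A copied login page has no per-user database, so it can show no stored image."""
    return None


def user_should_proceed(expected_image, shown_image):
    """The rule the scheme relies on: type the password only if the image matches."""
    return shown_image is not None and shown_image == expected_image
```

The model shows why the copied page fails the check, but it also shows the limit the first answer raises: anything that sees the genuine step-1 response (malware on the client, or an active MITM) sees the image too, so the image only defends against a page that never talks to the real site.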