Ally Bank uses a 'trusted image' system to supposedly make login more secure. I can't find evidence that this is standard practice, so I'll explain it. When creating an account, you choose an image from a list of images. When you log in, you enter your username on the first screen, then on a second screen you're shown your chosen image and you enter your password. The idea is that your chosen image is known only to you and Ally, so some fake pharming website won't be able to show you the image, and you'll be able to flee before entering your password.

This sounds nice, but couldn't a pharming website that mimics Ally's website take in a username, post that to Ally's login page, and show the image that Ally shows?

My best guess is that Ally has a lockout system that prevents you from trying to log in with many different accounts within a short time, which at the very least would complicate such a pharming page. Would that make this effective, or would that also be easily circumventable?

Cannoliopsida
  • Here is a second duplicate: [Is SiteKey a valid defense against Phishing?](http://security.stackexchange.com/q/26347/12) – Xander Sep 07 '14 at 13:20
  • Great, thank you! I'm happy to confirm that this is a duplicate, if any action is required of me. (I think there's value to this question not being deleted though, as the phrase used by Ally, trusted image, doesn't bring those other questions up) – Cannoliopsida Sep 07 '14 at 13:35
  • Well, just add more phrases like "trusted image" to the other question.... – nealmcb Sep 08 '14 at 03:00
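The two flows described in the question, as an added illustration that is not part of the original post and is not Ally's code: a toy server that reveals the trusted image to anyone who submits a valid username, next to a hardened variant that only reveals it to a browser carrying a device cookie set at enrollment (otherwise it asks a challenge question) and that rate-limits image lookups per source address. The account data, the cookie scheme and the rate limit are constructed assumptions for the demo, not a description of what Ally actually does.

```python
"""
Toy model of a 'trusted image' (SiteKey-style) login flow.

Constructed example: the account, image, question and addresses are made up.
It shows why an image revealed on username alone can be fetched by any party
that knows the username, and two mitigations: binding the reveal to a device
cookie set on the user's own browser at enrollment (with a challenge-question
fallback), and rate-limiting image lookups per source address.
"""
import secrets
import time
from collections import defaultdict, deque

ENROLLED = {  # constructed sample account (assumption, not real data)
    "alice": {"image": "sailboat.png", "question": "Pet's name?", "answer": "rex"},
}


class NaiveBank:
    """Reveals the trusted image to anyone who submits a valid username."""

    def image_for(self, username):
        acct = ENROLLED.get(username)
        return acct["image"] if acct else None


class HardenedBank:
    """Reveals the image only to a recognised device, or after a correct challenge answer."""

    def __init__(self, limit=5, window=60.0):
        self.device_cookies = {}          # cookie token -> username (set at enrollment)
        self.hits = defaultdict(deque)    # source address -> timestamps of recent lookups
        self.limit, self.window = limit, window

    def enroll_device(self, username):
        """Issue a random device cookie for the browser the user enrols from."""
        token = secrets.token_urlsafe(16)
        self.device_cookies[token] = username
        return token

    def _rate_limited(self, source, now):
        q = self.hits[source]
        while q and now - q[0] > self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return True
        q.append(now)
        return False

    def image_for(self, username, cookie=None, challenge_answer=None,
                  source="0.0.0.0", now=None):
        now = time.monotonic() if now is None else now
        if self._rate_limited(source, now):           # checked before any account lookup
            return {"status": "rate_limited"}
        acct = ENROLLED.get(username)
        if acct is None:
            return {"status": "unknown_user"}
        if self.device_cookies.get(cookie) == username:
            return {"status": "ok", "image": acct["image"]}
        if challenge_answer is not None and secrets.compare_digest(
                challenge_answer.lower(), acct["answer"]):
            return {"status": "ok", "image": acct["image"]}
        return {"status": "challenge", "question": acct["question"]}


def demo():
    """Run both designs against the same requests and report the outcomes."""
    naive = NaiveBank()
    bank = HardenedBank(limit=3, window=60.0)
    cookie = bank.enroll_device("alice")   # lives only in Alice's own browser
    t = 1000.0
    out = {"naive_third_party": naive.image_for("alice")}
    out["hardened_owner"] = bank.image_for(
        "alice", cookie=cookie, source="10.0.0.2", now=t)["status"]
    out["hardened_third_party"] = bank.image_for(
        "alice", source="203.0.113.9", now=t)["status"]
    out["hardened_bad_cookie"] = bank.image_for(
        "alice", cookie="forged-token", source="203.0.113.9", now=t + 1)["status"]
    out["hardened_correct_answer"] = bank.image_for(
        "alice", challenge_answer="Rex", source="10.0.0.2", now=t + 2)["status"]
    # third lookup from 203.0.113.9 inside the window is allowed, the fourth is not
    bank.image_for("alice", source="203.0.113.9", now=t + 3)
    out["hardened_rate_limited"] = bank.image_for(
        "alice", source="203.0.113.9", now=t + 4)["status"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive design hands the image to whoever knows the username, which is exactly the weakness the question describes. In the hardened variant the image is tied to something the user's own browser holds, so a request that lacks the cookie gets a challenge question instead of the image, and a burst of lookups from one address is cut off. Note that a challenge question is itself just a shared secret, so the real protection comes from the device binding plus user vigilance, and the rate limit only raises the cost rather than closing the gap.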

0 Answers