How do "Confidence images" on my bank's login page improve security?

My bank recently changed their login process to show a preselected image which they label a "Confidence image" - ostensibly to allow a human website user to authenticate the bank's website as not being a spoof.

The old login process was:

  1. Visit BankName.com (entire site is secured with an EV certificate)
  2. Click Login link, a GET request to their login page
  3. Enter username and password, POST submit form
  4. Receive HTTP 303 redirection to account dashboard page

The new process is:

  1. Visit BankName.com (entire site is secured with an EV certificate)
  2. Click Login link, a GET request to their login page
  3. Enter username and password, POST submit form
  4. Receive HTTP 303 redirection to "Confidence image" page, which shows a picture I previously selected, it also prompts me to re-enter my password for a second time. After POSTing this form it redirects to my account dashboard page.

I don't see how this adds any actual security - any MITM, or any proxy for that matter (assuming the TLS security is compromised somehow) could forward the confidence image and I would recognize it. Similarly a spoof website need only forward my own credentials to the real bank login page, get a copy of the confidence image, and re-serve that - which would fool a less sophisticated user very easily.

Only a very basic spoof website (with a hard-coded confidence image page) would cause users to see the discrepancy, but the biggest problem is that it only shows the image after I have already entered my password - so the feature is useless because the spoof or attack website has already got a copy of my username and password.

I remember at one point Yahoo's OpenID login page did show a confidence image; while that was after I entered my username, crucially it was before I entered my password (so the login process was split between two forms) - I believe it was also based on an HTTP-only cookie, so logging in to Yahoo in a clean browser wouldn't trigger the confidence image.

Using human intelligence to perform mutual authentication seems like a bad idea - X.509 certificates already perform the role of server authentication, and EV certificates make this easier for less sophisticated users ("look for the green"). I fail to see the motivation... or success behind this move, and am frustrated by having to jump through another hoop to log in to my bank.

Reply

You are describing a variation of SiteKey.

Your bank implements it incorrectly because it asks for both username and password before showing the image. If the page were an attacker's he couldn't show you the correct image, but that doesn't matter because he already has your username and password.

If correctly implemented, it is still greatly ineffective.

Category: authentication Time: 2016-07-29 Views: 3
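To make the ordering argument from the question and the answer concrete, here is a small added model (it is not code from the question, the answer, the bank, or SiteKey). Each login flow is an ordered list of steps: the user discloses a secret, or the site shows the confidence image, which is the only point where the user can notice a spoof. The step labels and the two flows are assumptions reconstructed from the descriptions above. The model computes which secrets are already handed over before the user gets a chance to check the image, under two threat models: a spoof that cannot reproduce the image, and one that relays every step to the real site.

```python
"""Model of the confidence-image login flows discussed above.

Constructed example: the flows and labels are assumptions based on the
question's description, not the bank's or SiteKey's actual implementation.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional, Set


class Kind(Enum):
    DISCLOSE = auto()  # user sends a secret to the site
    VERIFY = auto()    # site shows the confidence image; user may check it


@dataclass(frozen=True)
class Step:
    kind: Kind
    secret: Optional[str] = None  # name of the secret, for DISCLOSE steps


# The bank's new process as described in the question: image only after both
# credentials, then a second password prompt (constructed model).
BANK_FLOW: List[Step] = [
    Step(Kind.DISCLOSE, "username"),
    Step(Kind.DISCLOSE, "password"),
    Step(Kind.VERIFY),
    Step(Kind.DISCLOSE, "password"),
]

# Yahoo-style split form: image after the username, before the password.
SPLIT_FLOW: List[Step] = [
    Step(Kind.DISCLOSE, "username"),
    Step(Kind.VERIFY),
    Step(Kind.DISCLOSE, "password"),
]


def exposed_to_static_spoof(flow: List[Step]) -> Set[str]:
    """Secrets collected by a spoof that cannot show the right image.

    Such a site is detectable at the first VERIFY step, so only what was
    disclosed before that step is lost."""
    exposed: Set[str] = set()
    for step in flow:
        if step.kind is Kind.VERIFY:
            break
        if step.secret is not None:
            exposed.add(step.secret)
    return exposed


def exposed_to_relaying_spoof(flow: List[Step]) -> Set[str]:
    """Secrets collected by a spoof that forwards each step to the real site.

    Relaying yields the genuine image, so the VERIFY step never exposes the
    spoof and every disclosed secret is collected (the question's MITM case)."""
    return {s.secret for s in flow if s.kind is Kind.DISCLOSE and s.secret}


def verification_protects_password(flow: List[Step]) -> bool:
    """True only if the user can inspect the image before sending the password."""
    return "password" not in exposed_to_static_spoof(flow)


if __name__ == "__main__":
    for name, flow in (("bank", BANK_FLOW), ("split", SPLIT_FLOW)):
        print(
            name,
            "| static spoof learns:", sorted(exposed_to_static_spoof(flow)),
            "| relaying spoof learns:", sorted(exposed_to_relaying_spoof(flow)),
            "| password protected:", verification_protects_password(flow),
        )
```

Running it shows the two points made above: in the bank's ordering the image arrives only after both username and password are gone, so even a crude spoof loses nothing by being detected there, while the split ordering at least keeps the password back from a spoof that cannot reproduce the image. Under the relaying model neither ordering helps, which is why the answer calls the scheme ineffective even when implemented correctly.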
