Security is not about guaranteeing anything, it's about making it more difficult to break in. The lock on your front door does nothing to guarantee a burglar won't enter your home, it just makes it more difficult to do so.

The examples he gives either have the potential of alerting the user to the spoof (via the missing image) or require significantly more work to spoof the user (via a complex proxy at the router level or obtaining a homographic URL).

Either way, the barrier to stealing users' credentials has gone up, which is exactly what security measures are intended to do. Hardly useless, and definitely not "worse than useless".
The article fails to recognize the value of the "security images" to the banks. The banks have used these images to satisfy the requirements of the FFIEC guidance "Authentication in an Internet Banking Environment" [1].

Any complaints about the value of the security images should not be addressed to banks. You should direct your complaints to the FFIEC and/or to your bank's regulator (OTS, OCC or NCUA).

[1] http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20%28FFIEC%20Formated%29.pdf
BMO, Bank of Montreal, uses these along with a security phrase. It's absolutely ridiculous that this is mandated by some standard, but there is no guidance on password strength itself. BMO has a strict 6-characters-only (no more, no less) policy. Oh yeah, before anyone asks: no numbers, no special characters. Choosable by the customer when opening the account.
Unless, of course, a reasonable implementation were used, tying the image to a cookie and using the browser security to prevent it being sent to different domains; if you're on a subdomain of a bank already, there are far more effective ways to execute an attack.
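The cookie-bound variant this comment describes, contrasted with the lookup-by-user-id scheme the article criticises, as an added illustration that is not code from any bank or from the thread. The bank host `bank.example`, the phishing host `bank-login.example`, the image filenames and the user ids are all constructed sample values; the browser model only implements the two cookie rules that matter here (Domain scoping and SameSite=Strict), not a full cookie jar.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data: user id -> the security image the customer chose.
USER_IMAGES = {"alice": "img_0042.png", "bob": "img_0117.png"}


def weak_image_lookup(username):
    """The scheme the article criticises: anyone who knows the user id gets the image."""
    return USER_IMAGES.get(username)


class CookieBoundImageService:
    """Serves the security image only to a browser presenting a device cookie that was
    issued when the customer enrolled that browser after a full login. The cookie is
    scoped to the bank's own domain and marked Secure/HttpOnly/SameSite=Strict, so a
    page on another origin neither sees it nor gets the browser to attach it."""

    DOMAIN = "bank.example"  # hypothetical bank host

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side MAC key, never leaves the server
        self._devices = {}                   # device_id -> username

    def _tag(self, device_id):
        return hmac.new(self._key, device_id.encode(), hashlib.sha256).hexdigest()

    def enroll_device(self, username):
        """Return the Set-Cookie header sent back after a successful full login."""
        device_id = secrets.token_urlsafe(16)
        self._devices[device_id] = username
        value = f"{device_id}.{self._tag(device_id)}"
        return (f"bank_device={value}; Domain={self.DOMAIN}; Path=/; "
                "Secure; HttpOnly; SameSite=Strict")

    def image_for(self, username, cookie_value):
        """Return the image only if the cookie is genuine and belongs to this user;
        otherwise return None so the page shows a neutral 'unrecognised device' step."""
        if not cookie_value or "." not in cookie_value:
            return None
        device_id, tag = cookie_value.rsplit(".", 1)
        if not hmac.compare_digest(tag, self._tag(device_id)):
            return None                      # forged or tampered cookie
        if self._devices.get(device_id) != username:
            return None                      # cookie enrolled by a different customer
        return USER_IMAGES.get(username)


def browser_cookie_for(set_cookie_header, request_host, initiator_site):
    """Minimal model of browser behaviour: the cookie value is attached only when the
    request host matches the Domain attribute and, for SameSite=Strict, only when the
    page that triggered the request is itself on that site."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    _name, value = parts[0].split("=", 1)
    attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    domain = attrs.get("Domain", "")

    def on_site(host):
        return host == domain or host.endswith("." + domain)

    if not on_site(request_host):
        return None
    if attrs.get("SameSite") == "Strict" and not on_site(initiator_site):
        return None  # cross-site request (e.g. an <img> on a phishing page): not sent
    return value


def demo():
    """Compare the two schemes for the attacker-knows-the-user-id scenario."""
    svc = CookieBoundImageService()
    set_cookie = svc.enroll_device("alice")
    legit = browser_cookie_for(set_cookie, "bank.example", "bank.example")
    relayed = browser_cookie_for(set_cookie, "bank.example", "bank-login.example")
    return {
        "weak": weak_image_lookup("alice"),          # attacker gets the image
        "bound_legit": svc.image_for("alice", legit),  # real browser gets it
        "bound_phish": svc.image_for("alice", relayed),  # phishing relay gets None
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the image is tied to something the phishing page cannot relay: the browser holds the device cookie and, by the Domain and SameSite rules, only ever sends it to the bank's own origin. A user arriving on a fresh device gets no image either, which is why the enrolment step has to happen only after a full login with the second factor.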
This could work if security questions (not the best form of security by itself) are asked if the request comes from a "not previously used" computer. So that way, if the phishing site is sending a request on my behalf, they would have to answer my challenge questions (i.e. without human intervention) before getting to the image... that kinda makes life harder for an attacker. Of course the logic of identifying the "first time you are using this machine" thing needs to be non-stupid (for lack of a better word).
The image is a way for the user to "manually" authenticate the server. It's a weak authentication because an attacker could easily get a copy of this image once he knows the user identifier and forge an apparently valid page.

The most secure authentication is the one using security cards/keys with a challenge code sent by the bank and the response returned by the key using bi-key cryptography. The one with USB connections would be most efficient, convenient and secure.

NFC on phones may look more attractive, but phones are insecure.
This is part of a system called Passmark which was acquired by RSA many years ago.

As part of the newest releases of RSA's security approach it has been deprecated. In a few years you won't see this anywhere on the web (or, if you do, you'll know that the login and security portion of that site hasn't been looked at in years... also scary).

The banking industry is moving toward one-time passwords sent out-of-band and/or Google Authenticator for "something you have."
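The "something you have" factor this comment points to is the time-based one-time password of RFC 6238 (HOTP from RFC 4226 with a clock-derived counter), which is what Google Authenticator implements. The following is an added stdlib-only implementation with the server-side verification step, not code from RSA, Google or anyone in the thread; the issuer and account names in the provisioning URI are constructed placeholders, and the test secret is the one published in the RFCs.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamically truncated
    to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret, code, unix_time, window=1, step=30, digits=6):
    """Server-side check. Accepts the current step and `window` steps either side to
    tolerate clock drift, compares in constant time, and rejects malformed input.
    A real deployment also records the last accepted counter so a code cannot be
    replayed inside its validity window."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def provisioning_uri(issuer, account, secret):
    """otpauth:// URI of the kind Authenticator apps read from an enrolment QR code.
    The shared secret is base32-encoded, padding stripped, per the de facto format."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (not a real credential).
    k = b"12345678901234567890"
    print("HOTP counter 0:", hotp(k, 0))            # 755224
    print("TOTP at T=59:  ", totp(k, 59, digits=8))  # 94287082
    print(provisioning_uri("ExampleBank", "alice@example.com", k))
```

Two things the code makes visible that the phrase "one-time password" hides: the secret is a symmetric key shared with the server, so the server's copy is as sensitive as a password database, and the acceptance window means a code is not strictly one-time unless the server also tracks the last counter it accepted.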
I kinda like my bank's implementation of it: Social security number equivalent for username, then you get the security phrase on the same page where you type in the password, then you get a two factor auth page (cellphone).

So it helps for when you fuck up the username or something else is weird, but security doesn't really rely on it.

Though I don't think there are any banks in my country that don't use 2 factor, so it's a bit of a moot point anyway.
The blog post is worse than useless.

The images give you as a user a sense of situational awareness -- I know based on the picture which of a half dozen accounts I have (personal, IRA, business, etc.) I'm logging into.

They also make it more difficult to misdirect people to a lookalike site via phishing. Even old people recognize that their login picture, normally prominently displayed, is missing.