August 13, 2007

Why Your Bank Shows You Pretty Pictures

Posted in Uncategorized at 6:13 pm by Ian

If you bank online, you may have noticed a trend in the past year or two of banks asking you to pick an image and type a phrase to go along with it (which I’ll call the passphrase to distinguish it from your password) that will be used to help authenticate your account.

Security studies have shown that users overwhelmingly don’t understand the purpose of this image and phrase, and think that they’re just one more stupid password and security requirement. Even security researchers don’t seem to understand what this is for. I’m going to give Mr. O’Connor the benefit of the doubt, here, and assume that the writer of that article misinterpreted the point of his talk.

The purpose of the image and passphrase is not to prove to the bank that you are who you say you are. That’s what the password is for. But the password is only good for that if the bank is the only one you tell it to. If you tell it to anyone who asks for it, then they can pretend to be you. So the purpose of the image/passphrase is to prove to you that the bank is who it says it is before you give your password.

As the article points out, the bad guys aren’t breaking into bank accounts by guessing passwords. We don’t need another password. We need to keep the ones we’ve got safe. One way to do that is by keeping users from blindly giving their login information to fake websites. Phishing emails with mocked-up pages are very common and can catch even experienced users off-guard if they are not incredibly vigilant. But with the addition of images and passphrases, the phishing sites are no longer as easy to make. They can’t just put up a static site that looks like your bank’s website. They have to put up a site that looks like your bank’s website and show you the picture and phrase that you picked.

Obviously, this won’t protect you from a keylogger running on your system, or a packet sniffer grabbing the traffic between you and your bank. But it significantly raises the bar for a malevolent phisher to slip his website in under your nose without you noticing it. Since you still have to have your password to authenticate yourself, this system is no worse than the one it replaces, and is quite a bit better at keeping your password between you and the bank.
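To make the two-step flow concrete (username first, then the image and phrase, and only then the password), here is an added toy simulation. It is not code from the post or from any bank; the class and function names, the in-memory account store and the PBKDF2 password hashing are all my own assumptions. It models a real bank that knows each customer's chosen image, a static look-alike page that can copy the bank's appearance but not the per-customer image, and a customer who checks the image before typing a password. It also shows one detail the post does not cover: answering the first step with a consistent decoy for unknown usernames, so the image lookup does not reveal which usernames exist.

```python
"""Added example: a toy model of image/passphrase site authentication.

Assumptions (not from the post): all names here are invented; the bank keeps
accounts in memory and hashes passwords with PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import os

# Constructed sample catalogue of images a customer can choose at enrolment.
IMAGE_CATALOGUE = ("sailboat.png", "red_barn.png", "lighthouse.png")


class BankServer:
    """The real bank: knows each customer's chosen image and passphrase."""

    def __init__(self):
        self._accounts = {}
        # Secret used to derive a stable decoy image for unknown usernames,
        # so step 1 does not reveal which usernames exist.
        self._decoy_key = os.urandom(32)

    def enroll(self, username, password, image, phrase):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[username] = {
            "salt": salt, "digest": digest, "image": image, "phrase": phrase,
        }

    def start_login(self, username):
        """Step 1: the customer sends only a username; the bank answers with
        the image and phrase that customer picked at enrolment."""
        acct = self._accounts.get(username)
        if acct is not None:
            return acct["image"], acct["phrase"]
        # Unknown username: return the same decoy every time, not an error.
        tag = hmac.new(self._decoy_key, username.encode(), "sha256").digest()
        return IMAGE_CATALOGUE[tag[0] % len(IMAGE_CATALOGUE)], "welcome back"

    def finish_login(self, username, password):
        """Step 2: only after checking the image does the customer send the password."""
        acct = self._accounts.get(username)
        if acct is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
        return hmac.compare_digest(digest, acct["digest"])


class StaticLookalikeSite:
    """A copied login page: it imitates the bank's look, but it has no way to
    know which image and phrase each customer chose."""

    def __init__(self):
        self.captured = []

    def start_login(self, username):
        return "padlock.png", "Secure Login"  # same generic picture for everyone

    def finish_login(self, username, password):
        self.captured.append((username, password))
        return True  # pretends the login succeeded


class Customer:
    """A customer who checks the image and phrase before typing the password.
    Note the limit the post states: this check says nothing about malware on
    the customer's own machine, which sees the password as it is typed."""

    def __init__(self, username, password, image, phrase):
        self.username, self.password = username, password
        self.expected = (image, phrase)

    def login(self, site):
        if site.start_login(self.username) != self.expected:
            return "refused: site did not show my image and phrase"
        if site.finish_login(self.username, self.password):
            return "authenticated"
        return "rejected: wrong password"


def run_demo():
    """Enrol one customer and try the real bank and the look-alike page."""
    bank = BankServer()
    bank.enroll("alice", "correct horse battery", "sailboat.png", "blue skies")
    alice = Customer("alice", "correct horse battery", "sailboat.png", "blue skies")
    fake = StaticLookalikeSite()
    return {
        "real_bank": alice.login(bank),
        "lookalike": alice.login(fake),
        "passwords_captured": len(fake.captured),
    }


if __name__ == "__main__":
    print(run_demo())
```

The decisive line is the comparison in `Customer.login`: the password is sent only when the site has already proved it knows something a static copy cannot know. The decoy branch in `start_login` is a design choice worth keeping in a real deployment; without it, the first step doubles as a username-validity oracle.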

But only if people know how it works.

1 Comment »

  1. AB said,

    And the real reason your bank shows you pretty pictures: government regulators started to require more stringent security measures starting at the end of 2006.

    http://www.ffiec.gov/press/pr101205.htm
