> Found at:
> <http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600&en=295ec5d0994b0755&ei=5090&partner=rssuserland&emc=rss>
>
> To quote from the above:
>
> The idea is that if customers do not see their [preselected] image,
> they could be at a fraudulent Web site, dummied up to look like
> their bank's, and should not enter their passwords.
>
> The Harvard and M.I.T. researchers tested that hypothesis. In
> October, they brought 67 Bank of America customers in the Boston
> area into a controlled environment and asked them to conduct
> routine online banking activities, like looking up account
> balances. But the researchers had secretly withdrawn the images.
>
> Of 60 participants who got that far into the study and whose
> results could be verified, 58 entered passwords anyway. Only two
> chose not to log on, citing security concerns.
>
> This approach requires the customer to verify the image every log
> on. Conning them by replacing the image with, "Site undergoing
> maintenance"[1] is fairly easy. With my approach, I would
> authenticate the bank's key once, when I establish an account or
> sign up for online banking. My software would check that
> authentication every time I log on after that. (If the bank decides
> to change its key every year, I might need a new piece of paper
> every year -- which might get old after a few years.)
>
>> and http://en.wikipedia.org/wiki/Phishing#cite_note-88 which say
>> simple things like "show the right image" don't work.
>
> Found at:
> <http://web.archive.org/web/20080406062154/http://people.seas.harvard.edu/~rachna/papers/emperor-security-indicators-bank-sitekey-phishing-study.pdf>

It's also worth pointing out that common browser ad blocking / script blocking / and site redirection add-ons and plugins (NoScript, AdBlockPlus, Ghostery, etc...) can interfere with the identification image display.
My bank uses this sort of technology and it took me a while to identify exactly which plug-in was blocking the security image and then time to sort out an exception rule to not block it. The point being - end users *will* install plug-ins and extensions that may interfere with your verification tools.

Dave

_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
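The key-pinning scheme the quoted message describes (authenticate the bank's key once against a fingerprint received out of band, check that pin on every later login, and accept a changed key only with a fresh piece of paper) as an added example in Python; this is not code from the original post or from any bank. The `PinStore` class, the site names and the key bytes are constructed for illustration; a real deployment would pin the DER encoding of the bank's public key or certificate.

```python
import hashlib


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 hex digest of the bank's public key (DER bytes in practice)."""
    return hashlib.sha256(key_bytes).hexdigest()


class PinStore:
    """Holds one pinned key fingerprint per site, established out of band once."""

    def __init__(self):
        self.pins = {}  # site -> fingerprint pinned at enrolment

    def enroll(self, site, presented_key, paper_fingerprint):
        """First login: the key the site presents must match the fingerprint
        the bank handed over out of band (the 'piece of paper')."""
        fp = fingerprint(presented_key)
        if fp != paper_fingerprint.lower():
            raise ValueError("presented key does not match out-of-band fingerprint")
        self.pins[site] = fp

    def check(self, site, presented_key):
        """Every later login: compare against the pin. Returns 'ok', 'mismatch'
        (do not enter the password) or 'unpinned' (site was never enrolled)."""
        pinned = self.pins.get(site)
        if pinned is None:
            return "unpinned"
        return "ok" if fingerprint(presented_key) == pinned else "mismatch"

    def rotate(self, site, new_key, new_paper_fingerprint):
        """Planned key change: needs a fresh out-of-band fingerprint; a new key
        that merely shows up on the wire never replaces the pin."""
        if site not in self.pins:
            raise KeyError(f"{site} has no pin to rotate")
        self.enroll(site, new_key, new_paper_fingerprint)


# Constructed sample keys (placeholders, not real key material).
BANK_KEY = b"constructed-bank-key-2013"
IMPOSTOR_KEY = b"constructed-phishing-key"
BANK_KEY_NEXT_YEAR = b"constructed-bank-key-2014"


def demo():
    store = PinStore()
    # The paper fingerprint is modelled here as the digest of the genuine key.
    store.enroll("bank.example", BANK_KEY, fingerprint(BANK_KEY))
    results = [store.check("bank.example", BANK_KEY),
               store.check("bank.example", IMPOSTOR_KEY),   # look-alike site
               store.check("other.example", BANK_KEY)]
    store.rotate("bank.example", BANK_KEY_NEXT_YEAR, fingerprint(BANK_KEY_NEXT_YEAR))
    results.append(store.check("bank.example", BANK_KEY))   # old key now rejected
    results.append(store.check("bank.example", BANK_KEY_NEXT_YEAR))
    return results
```

Unlike a security image, the check runs in the client software rather than in the user's eyes, so a blocked image or a "site undergoing maintenance" page cannot talk the user into typing the password.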
