Fraudsters have been learning new tricks to get around security images, like scraping information from a screen and later replicating the photo on a malicious website, rendering the images ineffective, reports MarketWatch.
A study from Carnegie Mellon University found that although security images are designed to protect users from phishing attacks, in which users enter their credentials on spoofed sites designed to trick them into thinking the sites are legitimate, 75% of the 482 participants entered their passwords on a website lacking a security image.
“I would call [security images] worse than useless,” Avivah Litan, vice president of information security and privacy at the Stamford, Conn.-based research company Gartner Inc., told MarketWatch. “That bad guy is just sitting on your machine waiting for you to log in and look at the image, and then they’re in.”
Bank of America got rid of what it calls SiteKeys this summer, noting that they are “no longer as relevant given changes in the landscape,” according to a bank spokesman. BofA switched to a two-factor authentication system that sends customers a one-time passcode by email or text that has to be entered along with their username and password.
Barclaycard is doing away with security images as well, pledging that signing in will soon become “quicker and easier without sacrificing account security.” The bank will also use the two-factor authentication method and offer to email, text or call customers with a passcode when they log in from a new device.
There are those holding fast to the security images, however, including U.S. Bank, which says it uses them along with other security features.
“Many of our customers appreciate the added layer of protection that the security images provide,” a spokeswoman said.
Banks find online ‘security images’ offer little protection [MarketWatch]
by Mary Beth Quirk via Consumerist