Bank and financial web sites using pictures for validation aren't secure!
Well, thank goodness someone has finally taken the time to prove that SiteKey, PassMark, or whatever you want to call the new stupid challenge systems financial institutions are using, are NOT SECURE.
Bottom line, and I am no paranoid wacko: there is no such thing as a 100% secure, publicly accessible login to a bank through a web site. It doesn't exist. My own bank uses PassMark, my 401k uses a similar system, and some of my credit cards use the stupid question systems. None of those are any more secure than a login and password against a determined phisher. A good phisher can set up one of the man-in-the-middle attacks like the one mentioned in the article below and get between you and your bank. You think you're logging into your bank, and you're not: you're logging into the phisher's site. The phisher's site then logs into your bank's site for you; it sees the question you got prompted with and relays it to you. You answer the question and it sends the answer to the bank. The bank sends back the photo, and you go ahead and enter your login and password. Bingo, problem solved: the phisher may even dump you into the bank's real site at this point, since they now have your id and pw and can log in later.
This is no different than the hundreds of 'online bill pay' systems out there that use your credit card web site login and password. Your bank logs into the credit card site, parses the page for the info it needs to know how much you owe, and transfers that information to the online bill pay site. In the old days we called this type of data gathering from one system to another slurping. Check the article out for yourself!
A Deceit-Augmented Man In The Middle Attack Against Bank of America's SiteKey® Service
See a video of the phishing attack in action (QuickTime .mov, 700k): mirror 1, mirror 2, mirror 3, mirror 4
Executive Summary
We present this demonstration of a "deceit-augmented man in the middle attack" against the SiteKey® service used by Bank of America (the underlying technology is also used by other companies). This, or a similar attack, could be used by a phisher to deceive users into entering their login details to a fraudulent website. BoA's own website tells users: "[W]hen you see your SiteKey, you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected." We believe that this statement is not completely true, as our deceit-augmented man-in-the-middle attack shows.
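The relay flow described in the post and in the paper's summary can be modelled as a small state machine to see exactly why the "only enter your Passcode when you see your image" check has no discriminating power: the image comes back identically whether the browser is connected to the bank or to something forwarding each step to the bank. The following Python model is an added example, not code from the post or from the cited paper; the bank, user, site names and credentials are all constructed. It runs the flow once directly and once through a forwarding site, and then shows a variant (an assumption of this example, not anything SiteKey does) in which the bank accepts the final step only when the browser reports the bank's own origin, which is the idea behind origin-bound authenticators.

```python
"""Toy model of a SiteKey-style login: question, image, then passcode.
Added example; every name and value below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Bank:
    """The real bank.  It only sees requests, so it cannot tell whether they
    come from the user's browser or from a site forwarding on the user's behalf."""
    origin: str = "bank.example"                      # constructed
    users: dict = field(default_factory=lambda: {
        "alice": {"question": "Name of your first pet?", "answer": "rex",
                  "image": "sailboat.png", "passcode": "hunter2"},   # constructed
    })

    def challenge(self, username):
        return self.users[username]["question"]

    def sitekey(self, username, answer):
        u = self.users[username]
        return u["image"] if answer == u["answer"] else None

    def login(self, username, passcode, seen_origin):
        # Plain SiteKey flow: the origin the browser was talking to plays no part.
        return passcode == self.users[username]["passcode"]


class Relay:
    """A look-alike site between user and bank.  It forwards each step unchanged
    and records what passes through.  Pure message model, no network code."""
    origin = "bank-login.example"                     # constructed look-alike name

    def __init__(self, bank):
        self.bank = bank
        self.captured = {}

    def challenge(self, username):
        return self.bank.challenge(username)

    def sitekey(self, username, answer):
        self.captured["answer"] = answer
        return self.bank.sitekey(username, answer)   # bank returns the genuine image

    def login(self, username, passcode, seen_origin):
        self.captured["passcode"] = passcode
        # seen_origin is forwarded as received: in an origin-bound scheme it is
        # signed by the user's browser/authenticator and cannot be rewritten here.
        return self.bank.login(username, passcode, seen_origin)


@dataclass
class User:
    """Follows the bank's advice: send the passcode only if the expected image
    appears.  `site` is whatever the browser is actually connected to."""
    username: str
    answer: str
    expected_image: str
    passcode: str

    def log_in_via(self, site):
        site.challenge(self.username)
        if site.sitekey(self.username, self.answer) != self.expected_image:
            return False                              # advice followed: no passcode sent
        # A browser always knows which origin it is connected to; report it.
        return site.login(self.username, self.passcode, site.origin)


class OriginBoundBank(Bank):
    """Variant (assumption of this example): the final step succeeds only if the
    browser reports it was connected to the bank's own origin."""
    def login(self, username, passcode, seen_origin):
        return seen_origin == self.origin and super().login(username, passcode, seen_origin)


def run(bank, through_relay):
    """Return (login succeeded?, what the relay captured)."""
    alice = User("alice", "rex", "sailboat.png", "hunter2")
    relay = Relay(bank)
    ok = alice.log_in_via(relay if through_relay else bank)
    return ok, relay.captured


if __name__ == "__main__":
    print("direct:              ", run(Bank(), through_relay=False))
    print("via relay:           ", run(Bank(), through_relay=True))
    print("origin-bound, relay: ", run(OriginBoundBank(), through_relay=True))
```

In the plain flow both runs succeed and the user sees the right image both times; the relay ends up holding the question answer and the passcode. The origin-bound variant makes the relayed login fail, but note what it does not do: the user still typed a reusable passcode into the relay, so a real fix needs a credential that is not a reusable secret (a signature over a challenge and the origin) rather than a recognisable picture.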