Banking Blog

Monday, February 12, 2007

Perhaps a Picture is not Worth a Thousand Words

Banks are doing what they can reasonably do to enhance the security of their web sites. Reducing the success of phishers is one goal. Using pictures to help validate the web site is one quick and easy way for the bank and customer to communicate the authenticity of the site.

The customer is given a number of images and asked to select one. From then on, they will always see that image on their bank's web site before they log in. If a customer follows a bogus link to what they believe is their bank's web site, they won't see the one picture they had selected and won't enter their confidential username or password. The phisher will be defeated.

Recent articles originating from the UK have indicated that banks there have taken big steps in educating consumers, but that the consumers simply were not getting the message. Further, there is discussion that consumers should bear greater liability when they fail to protect themselves. While there isn't any movement to increase consumer liability here in the US, the same message about educating consumers applies.

A recent joint study by Harvard and the Massachusetts Institute of Technology had 60 internet banking users visit Boston. These were all customers of one bank, using the picture verification for enhanced security. In a controlled environment they were asked to log in to their bank's web site and conduct transactions. This was a bogus web site, with no picture to verify. Of the 60 users, 58 proceeded even though there was no picture. Instead they saw a message that the site was undergoing maintenance. The message even had a conspicuous typographical error.

The picture method is an easy way to enhance existing security at a reasonable cost. A key fob with a frequently changing password or a card with an access chip are other ways, but many consumers dislike the work involved in keeping an additional device handy, and banks see them as cost-prohibitive on many accounts that yield little income.

Consumers need to be educated and they need to understand that this is one type of layered security, but like a chain, it is only as strong as the weakest link. Various layers of security will only work when they are properly employed.
