MIT/ Harvard study raises questions about use of pictures to visually validate sites to customers
Rather eye-opening study here from MIT.
The premise is that site-authentication images increase security because customers will not enter their passwords if they do not see the correct image, said Stuart Schechter, a computer scientist at the M.I.T. Lincoln Laboratory. From the study we learned that the premise is right less than 10 percent of the time.
Source: Study Finds Security Flaws on Web Sites of Major Banks – New York Times
It will be interesting to see the responses of those banks that use PassMark.
My first question is ‘who commissioned the study?’ This may provide some clues as to where this came from, the motivation, and whether it is objective or not.
I would add in defense of PassMark (owned by RSA) that the picture validation is a very small component of the overall security architecture, both within PassMark and alongside the other security measures banks implement. This survey chooses to deal with one aspect only.
DISCLOSURE: I have no connection with RSA or PassMark. I have worked with them in a vendor relationship, in the past to implement their solutions.

[...] The study takes a closer look at the technique of adding a personalized image to a user’s banking login screen. The idea is that the image will help protect them from password phishing attempts, since they will notice when their image is missing or wrong. However, the study put 60 people in a room and asked them to log in to their online banking web sites, and 58 of them proceeded to log in even though the personalized images were missing. The study leaves questions about the usefulness of such measures, but the real message here should be that users who are aware of the existing security measures are far more likely to benefit from their protection. [...]
Study Questions Use of Personalized Image as a Login Antifraud Measure : CU*Secure
Tuesday, 6 February 2007 at 11:22
[...] “The Bankwatch” asks ‘who commissioned the study?’ and what about RSA’s PassMark? [...]
A Fool’s Wisdom » Banking on Secure Personal Images
Thursday, 29 March 2007 at 13:26