undefined | Better HN

0 pointsbbcbasic9y ago0 comments

My bank asks a security question if logging in from an unknown computer before offering the image or allowing entry of the password.

0 comments

kondbg9y ago

This also provides zero additional security for the end user. Offering security questions and/or images that a user selected does not prove that the site is legitimate, since a phishing site can literally be a reverse proxy to your bank's website that just logs all form values. You can accomplish this in < 15 lines of nginx configuration.

Adding "verification images" or security questions that you set up does not prove that a site is legitimate. A successfully established HTTPS connection to the bank's domain is necessary and sufficient to guarantee authenticity (and most banks use EV too, which browsers make extra obvious).

Users should be trained to look at the URL bar for the green EV indicator, instead of being trained to believe that a site is legitimate simply because it displays a picture that they select. Banks that encourage this behavior are actively encouraging users to become even more gullible to well-crafted phishing attacks.

bbcbasicOP9y ago

You are correct.

I consider it just one factor in authenticating the bank but I see your point it could make people less aware or complacent of the EV etc.

colin_fraizer9y ago

Have you played "What's Your Porn Name?" You combine your first pet's name and your mother's maiden name...

j / k navigate · click thread line to collapse