Which is why you run screaming away from these sorts of organizations.
If they are too fucking stupid to implement a password text field correctly just imagine the byzantine nightmares that their infrastructure is. All you are doing is volunteering to be part of the next major security breach.
They also have the silly "Security Image" which is supposed to alert me to a phishing site because I'm supposed to notice its absence. I'm guessing that's been effective roughly never.
I think the idea is that you enter your username and the site replies with the security image that you've chosen. If the image matches, you then enter your password.
By itself, this doesn't rule out a man-in-the-middle attack, but it might prevent an attacker from setting up bonkofamerica.com and using it to capture valid username/password pairs "offline", which could be reused on the real site. Of course, this depends on people noticing (and caring) that the image is missing or incorrect, so who knows...
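The two-step flow described in the comment above, modelled as an added example (not code from the thread or from any bank): the client sends a username, the site answers with that user's chosen image, and only on a match is the password sent. The class names, usernames, images and passwords are constructed sample data, and the lookalike page is an abstract stand-in that simply has no image to return, which is the point the comment makes about why it only helps when the user actually checks.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo salt; a real site would use a per-user random salt.
SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


@dataclass
class LegitimateSite:
    """The real site: holds each user's chosen image and password hash (constructed data)."""
    images: dict = field(default_factory=lambda: {"alice": "img:blue-kite", "bob": "img:red-canoe"})
    hashes: dict = field(default_factory=lambda: {"alice": _hash("correct horse"),
                                                 "bob": _hash("battery staple")})

    def step1_image_for(self, username: str):
        # Step 1: reply to the username with that user's image (None if unknown).
        return self.images.get(username)

    def step2_login(self, username: str, password: str) -> bool:
        # Step 2: verify the password against the stored hash in constant time.
        stored = self.hashes.get(username)
        return stored is not None and hmac.compare_digest(stored, _hash(password))


@dataclass
class StaticLookalikePage:
    """Abstract model of a static copy of the login page, as in the thread's
    bonkofamerica.com scenario: it holds no per-user image data, so step 1
    can only come back empty."""
    captured: list = field(default_factory=list)

    def step1_image_for(self, username: str):
        return None  # nothing to show; the image lives only on the real server

    def step2_login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        return True  # pretends the login succeeded


def login(site, username: str, password: str, expected_image: str, user_checks_image: bool):
    """Run the two-step flow for one user.

    Returns (password_submitted, logged_in). An attentive user stops before
    typing the password when the image is missing or wrong; a careless user
    ignores the image entirely.
    """
    shown = site.step1_image_for(username)
    if user_checks_image and shown != expected_image:
        return False, False
    return True, site.step2_login(username, password)


if __name__ == "__main__":
    real, fake = LegitimateSite(), StaticLookalikePage()
    print(login(real, "alice", "correct horse", "img:blue-kite", True))   # (True, True)
    print(login(fake, "alice", "correct horse", "img:blue-kite", True))   # (False, False)
    print(login(fake, "alice", "correct horse", "img:blue-kite", False))  # (True, True)
    print(fake.captured)  # [('alice', 'correct horse')]
```

The model only covers the static-page case the comment talks about; it says nothing about a relay that forwards the username to the real site and shows the real image, which is exactly the man-in-the-middle gap the comment flags.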
Set up your own site, remove any mention of the reference image, watch users continue normally. "Huh, they must have finally gotten rid of that dumb thing."
> it might prevent an attacker from setting up bonkofamerica.com and using it to capture valid username/password pairs "offline", which could be reused on the real site.
Exactly so. That was a pretty frequent vector when those images became popular, so it wasn't a crazy defensive move. Even though there are ways for criminals to defeat it, proper MITM for one, those were more complicated measures that weren't as commonly used. Higher risks, development costs, trouble with scaling, or just unnecessary, for whatever reason, the static dumb credential harvesting pages that look "legit enough" were most common.
A company with limited defensive resources could approach security like a greedy algorithm. Just constantly ask, "How are most customers at institutions similar to my own getting compromised right now? How do I prevent that with as much blunt force as possible that I can deploy as soon as possible?"
That would probably get you some bizarre defensive solutions that reduce usability. But it's not an obviously crazy general strategy.
Well, major caveat: presuming you're at least doing the basics right. If you aren't bothering with hashes, then your men are already dead.
And presumably a halfway skilled attacker could proxy requests to the real site and send the user their actual image. So this only works if we assume the bad guys are lazy and the users are incredibly perceptive.