Simple solution for tech savvy users. All system prompts should include a photo of a user-selected image. If the incorrect image is displayed you know it's a scam.
For example when I install Windows 8 or Mountain lion one of the first prompts I must address is:
"Please choose an image to help you identify valid system prompts"
The user is then presented 10 images (a tiger, a house, a moose, etc) from a library of 10,000 images.
"The user decides to use an image of a tiger"
Next time a user gets a system prompt, if the system prompt doesn't have the picture of a tiger, they know it's a fake prompt.
Tech savvy users are not the main problem in malware.
The whole SiteKey/tiger image solution only gives you an illusion of the solution. What happens when the system displays "System error, unable to display the image"? How will a convincingly-written error message prevent your average gullible or below-average competence computer user from logging in to a phishing site?
Think of how many things can go wrong on a computer. Think of every time when someone asked you why something works one way in this situation, but another way in another situation, and you had to use a technical explanation (excuse, really) for that inconsistency. Computing is full of that. Until we get to a place where people can actually TRUST and expect consistent behavior in their computing devices, the SiteKey/tiger will be well circumventable.
As far as I'm concerned, SiteKey is a brilliant business idea for selling to satisfy the regulatory two-factor requirement, but a terrible idea in practice.
Take a cue from banks, and add a "confidence word". The user enters a special phrase such as "myspecialword". If "myspecialword" does not appear in the corner of the dialog box, they will know it's fake. I doubt there would be many technical issues that would prevent a simple phrase like that from displaying in the corner of the box.
What if it shows "PHP Parse error: syntax error, unexpected T_VARIABLE in ..." where the confidence word should be? Or better yet "ConfidenceWord database is empty" - something pseudo-techy that clearly implies a temporary f#ckup on the bank's side.
The problem is not if the bank's site breaks; the problem is what happens when a phishing site displays "error: connection to ConfidenceWord database failed". What percentage of users will say "oh, the bank's site is messed up; let's go in anyway"? A high percentage.
I hardly believe any technical solution on the bank's website is going to prevent phishing sites from mimicking it. People have to learn to recognize phishing sites and electronic-communication phishing tactics, just like they have to learn to spot fake ATMs.
Frankly, I believe it's not something you can make happen. I remember a story here not long ago about honeypots in China and businessmen getting a full briefing and warnings from MI5 before leaving the UK, and some would still leave their computers and smartphones powered on near the bed. I think it's the same with some users: they just don't learn and never will (I have another theory that states they don't want to learn anything about computers and that it should magically read their minds, but I always end up cursing when I try to explain it, and besides it's not the point :).
What I never understood is why an attacker couldn't just mirror the user's actions to the real site and scrape the confidence image or word from there to show on the phishing site. What am I missing?
I use (unfortunately) Bank of America online banking and if I don't see the SiteKey, or really if there is any error at all during the signon process, then I leave and immediately start Googling for Bank of America security breaches in the news. If I don't find anything, then I try to log in again the next day.
Username: ____
Password: ____
Please note that as of June 7th 2012 the system prompt
image identification system has been deprecated and
being replaced with new security measures.
If you have any questions or require assistance, contact
technical support at support@bank.com
How many tech savvy persons would not be even a bit surprised by their bank legitimately doing something as retarded as this?
Some fairly large banks here in Norway have at times run with a not-completely-valid SSL certificate - making the bank login indistinguishable from a man-in-the-middle.
Answer from their phone support? "Oh yeah whenever you see that warning, just click 'allow' or 'ignore'."
My bank used to do this, and I never quite understood why. An attacker could easily mimic the site's behavior.
1. Attacker prompts me (or my grandmother) for login name.
2. Attacker gives login name to bank.
3. Bank serves proper image to attacker. Attacker stores image.
4. Profit.
Yes, that type of security image is vulnerable to man-in-the-middle attacks but that is not what was proposed.
The parent poster suggested that all system messages have the security message. The user is not prompted for some sort of id first, they're already using the computer and are presumed to be logged in.
This is the right way to use security images, IMO, although they're still not perfect as others in the thread have pointed out. The way you describe, which I believe BoA uses (just hearsay), is bad security.
It does in that if the real site properly stores a cookie that records that you've logged in from there before, the number of times that the user is asked for such questions goes down, increasing suspicion when the user actually IS asked for them.
Security is never about 100% guarantees. It's about reducing the exploitability and impact of weaknesses.
It mitigates a little. It should make you a little suspicious if the site suddenly starts complaining that you're accessing it from an unrecognized computer if you really haven't. I'd close the tab in that case.
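A defender-side sketch of the device-cookie binding described in the two comments above, added here as an illustrative example and not code from any poster or from any bank: the server reveals the security image only to a browser that presents a valid device token minted after a previous fully authenticated login. A request that carries only the username, which is all the relay in the four-step list above has, gets no image and is routed to a separate verification step instead. The names SERVER_KEY, USER_IMAGES, the token format and the "verify_device" step are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: each user's chosen security image (assumption).
USER_IMAGES = {"alice": "tiger", "bob": "moose"}

# Per-deployment secret used to authenticate device tokens (assumption).
SERVER_KEY = secrets.token_bytes(32)


def issue_device_token(username: str) -> str:
    """Mint a token after a full login; the browser stores it as a cookie.

    The HMAC binds the username and a random nonce to this server's key, so a
    token cannot be forged from the username alone.
    """
    nonce = secrets.token_hex(16)
    msg = f"{username}:{nonce}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{username}:{nonce}:{tag}"


def verify_device_token(username: str, token: Optional[str]) -> bool:
    """Return True only if the token was minted by us for this username."""
    if not token:
        return False
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != username:
        return False
    msg = f"{parts[0]}:{parts[1]}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    return hmac.compare_digest(expected, parts[2])


def login_step1(username: str, device_token: Optional[str]) -> dict:
    """Handle the username submission.

    Only a recognised device sees the image. Unknown users and unknown
    devices get the same response, so the endpoint neither enumerates
    usernames nor hands the image to a relay that knows only the username.
    """
    unrecognised = {"show_image": None, "next": "verify_device"}
    if username not in USER_IMAGES:
        return unrecognised
    if verify_device_token(username, device_token):
        return {"show_image": USER_IMAGES[username], "next": "password"}
    return unrecognised


if __name__ == "__main__":
    cookie = issue_device_token("alice")
    print(login_step1("alice", cookie))   # recognised browser: image shown
    print(login_step1("alice", None))     # username only: no image
```

With this design the "bank serves proper image to attacker" step in the four-step list does not occur, because the image is keyed to the device cookie rather than to the username; the remaining weakness, as the thread notes, is that a user who genuinely lands on an unrecognised-device prompt must still treat it with suspicion rather than click through.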
"The user is then presented 10 images (a tiger, a house, a moose, etc) from a library of 10,000 images."
I should have made this more clear. The ten images are chosen randomly from the group of 10,000.
The question is: are there 10,000 images that are different enough that people won't be fooled? Say my picture is a green house. If a prompt has a picture of a red house, will I accidentally think it's the right site key?
The good news is most people won't even have a picture of a house as their site key so it will protect a large percent.
That is a fair attempt. The weak point of course is the bit of data which stores which image you chose. If the attacker is able to read that, then he can display the right image.
1) If the attacker can scrape the screen, they can detect which image you are using - securing the entire pipeline to the screen is hard.
2) 10,000 images is way too few.
Even if we can assume an even distribution of images, as an attacker I can serve the same image to all targets; 1 in 10,000 will now think that they are interacting with a trusted component.
See SiteKey: http://en.wikipedia.org/wiki/SiteKey