Picture-Based Anti-Phishing Device

By Deane Barker on July 22, 2006

I just saw an ad on TV from Bank of America touting a new anti-phishing measure.

From what I could gather, you can pick or upload a picture. When you’re using the BOA Web interface, that picture will be displayed somewhere on the page.

The idea behind this is that a phishing site wouldn’t know what picture you had picked, so it couldn’t display it. So if you pick a picture of your cat, then you just need to make sure Fluffy is staring back at you from every page. That way you know you’re still on the BOA site and haven’t been hijacked by phishers.

Good idea? I’m not really sure.



  1. how do they know what to display before you log in?

    and if they don’t, isn’t it a little too late by the time you’ve typed in your username and password?

  2. They’ve actually had this feature for several months. The way it works is that you type in your user ID, but not your password, on one page. The next page shows you your “sitekey” image and asks for your password.

    “But that means anyone can find out my sitekey” you say. That’s true, if they know your user ID. Phishers generally don’t know their victims (phishers are usually spammers) so it’s unlikely that they would know their victim’s BofA user ID. It isn’t a perfect solution, but it’s better than nothing, I guess. The worst part about it is that the UI is pretty unfamiliar, and it would surprise me if typical users would even notice if they were shown the wrong sitekey image.

  3. What do you mean they don’t know your user ID? Of course they do. They know it the second you type it into their phishing site. And you can’t avoid typing it before seeing the image, since you’ll have to type it on the real page as well.

    Sounds much more silly than useful. All it will require is for the phishing site to get the image for you as a part of the process. Which they can easily do once you gave them your user ID, since at that point they do indeed know it.
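The two-step flow described in comments 2 and 3, as an added example that is not part of the original post or of Bank of America's software: a small in-process model of the bank's "user ID, then image, then password" login, a user who only types the password when the expected image appears, and two lookalike sites. The first never talks to the bank and shows a stock picture; the second relays the user ID to the bank, fetches the victim's own image and shows it back. All names (Bank, Victim, StaticPhisher, RelayPhisher, the user ID and image file names) are constructed for the example; nothing here contacts a real site.

```python
"""Model of a SiteKey-style two-step login and of a relaying phishing site.
Added example, not code from the original post or from Bank of America.
All names (Bank, Victim, phisher classes, user IDs, image names) are constructed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Bank:
    """The real site. Page 1 asks for the user ID; page 2 shows the SiteKey
    image and asks for the password. Only the password is ever checked."""
    users: dict[str, tuple[str, str]]                      # user_id -> (image, password)
    pending: dict[str, str] = field(default_factory=dict)  # page-2 token -> user_id

    def page1(self, user_id: str) -> tuple[str, str]:
        """Return (token, image). Anyone who knows a user ID gets its image;
        that is the property the thread is arguing about."""
        token = secrets.token_hex(8)
        if user_id not in self.users:
            return token, "decoy.png"        # don't confirm which IDs exist
        self.pending[token] = user_id
        return token, self.users[user_id][0]

    def page2(self, token: str, password: str) -> bool:
        user_id = self.pending.pop(token, None)
        if user_id is None:
            return False
        return secrets.compare_digest(self.users[user_id][1], password)


@dataclass
class Victim:
    """A user who follows the advice: type the password only if Fluffy shows up."""
    user_id: str
    password: str
    expected_image: str

    def login(self, page1: Callable[[str], str],
              page2: Callable[[str, str], bool]) -> bool:
        shown = page1(self.user_id)
        if shown != self.expected_image:
            return False                     # wrong or missing image: walk away
        return page2(self.user_id, self.password)


class StaticPhisher:
    """A lookalike site that never talks to the bank and shows a stock image.
    The image check defeats this one."""
    def __init__(self) -> None:
        self.captured: list[tuple[str, str]] = []

    def page1(self, user_id: str) -> str:
        return "stock-photo.png"

    def page2(self, user_id: str, password: str) -> bool:
        self.captured.append((user_id, password))
        return True


class RelayPhisher:
    """A lookalike site that forwards the user ID to the real bank, fetches the
    victim's own image, and shows it back. The image check does not defeat this."""
    def __init__(self, bank: Bank) -> None:
        self.bank = bank
        self.captured: list[tuple[str, str]] = []
        self.tokens: dict[str, str] = {}

    def page1(self, user_id: str) -> str:
        token, image = self.bank.page1(user_id)   # the ID came from the victim
        self.tokens[user_id] = token
        return image                               # Fluffy, exactly as expected

    def page2(self, user_id: str, password: str) -> bool:
        self.captured.append((user_id, password))
        # Finish the real login too, so the victim sees nothing unusual.
        return self.bank.page2(self.tokens[user_id], password)


def demo_bank() -> Bank:
    return Bank({"fluffy_owner": ("fluffy.jpg", "correct horse battery")})


def run_static_phish() -> list[tuple[str, str]]:
    victim = Victim("fluffy_owner", "correct horse battery", "fluffy.jpg")
    phisher = StaticPhisher()
    victim.login(phisher.page1, phisher.page2)
    return phisher.captured        # [] : wrong image shown, victim stopped


def run_relay_phish() -> list[tuple[str, str]]:
    victim = Victim("fluffy_owner", "correct horse battery", "fluffy.jpg")
    phisher = RelayPhisher(demo_bank())
    victim.login(phisher.page1, phisher.page2)
    return phisher.captured        # [("fluffy_owner", "correct horse battery")]


if __name__ == "__main__":
    print("static lookalike captured:", run_static_phish())
    print("relaying lookalike captured:", run_relay_phish())
```

The relay works because page 1 of the real site hands out the image to anyone who presents a user ID, and the victim has just typed that ID into the lookalike. Whether the phisher's connection to the bank is over TLS changes nothing here; TLS protects the phisher's request to the bank just as well as it protects the victim's.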

  4. The site goes secure when you load it – before you’ve entered anything. It was my understanding that by doing this it makes a man-in-the-middle attack much harder.

  5. The type of man-in-the-middle attacks SSL prevents usually involve domain name spoofing; phishing sites don’t use that: they use lookalike domain names at best, random ones at worst.

    The fact that the website is encrypted doesn’t prevent in any way the phisher’s script from connecting to the site to grab the image itself. Relying on this is probably more a false sense of security than anything else, as the image is publicly available and easily accessible.

    What I’ve seen elsewhere is a customised image for official emails sent to clients: if the email doesn’t have your image, then you assume it’s a fake. That’s somewhat more clever as there is no way a phisher could learn your image.

  6. Sending the unique image with the email does make much more sense.

    Though, somewhat ironically since it’s for security reasons, a lot of email programs and sites these days block images in HTML emails…

  7. OK – I see the vulnerability now.

    The biggest problem is that this is a social attack, not a technical attack. People don’t look at the address bar, they don’t look at the security indicator, etc.

    I’m going to go out on a limb here and predict that eventually banks are going to go away from the web browser as a client. The client may reside in a web browser (via Java, ActiveX or some buzzword of which I am not currently aware), but the client will be end-to-end secure. Quicken is beginning to act like this kind of client with certain financial

    Still vulnerable to keylogging… Unless they start handing out dongles (and even then you’re at the mercy of the encryption of the dongle), or SecurID. And both those solutions are messy and expensive.

    Also, phishing is a failure of the customer’s security, not of the bank’s. So at the end of the day – it’s going to be the customer’s responsibility…

Comments are closed. If you have something you really want to say, tweet @gadgetopia.