
Many people won't check the url when signing in if everything looks to be on the up and up. This is why I really liked one of the things Yahoo did which was create a sign-in seal. Every time you signed in Yahoo would display a custom image that you set and if that image wasn't there then something was probably wrong.




As a note, I think many banks have now removed security images. My bank used to have them, and now they don't.


That's incredible. Not sure if I underestimated hackers' ingenuity or underestimated how gullible people are...


I don't think it's gullible for a user to proceed when they see a site missing an image. I think it's gullible that an engineer expects that the user would notice without any actual evidence. Seems like a cardinal sin of engineering: don't assume your users will behave a certain way.


I don't know if it's "gullible" so much as not understanding or caring about the feature.


I've run into several websites that use the "security image", and to be honest most of them I don't actually remember what they are until I see them. I can't choose the image myself, so one of them is something banal like a toaster. If I see the toaster, okay, I'm good. But am I 100% certain that if I see a banana instead that I'll say "Something is amiss here!"? I really don't know.

On the other hand, if I could upload my own security image for each site, I guarantee I would remember it, because I'd probably use something I drew myself.


My bank has security image + security user written sentence.

If I don't see a big goofy dog saying "Who's a good boy? [my dog's name] is a good boy!", I know I'm not on the right website.


So, what's stopping the wrong site from making those requests to your bank and proxying the image?


The bank sets a cookie on your machine and only displays the image if you have the cookie. You won't get the image on a machine you've never used to log in before.


Couldn't the hacker just pass on the username that I assume is being used to select the photo on the real site, and then put that image in place on their fake login site?
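
The two comments above describe the mechanism and the obvious attack on it. The following toy model, added here and not code from any poster or bank, shows what the cookie binding actually does: the bank serves the seal only when the request carries a device cookie it issued to that user's browser, and since a browser sends the bank's cookie only to the bank's origin, a phishing page that relays just the typed username gets nothing back. It also shows the limitation raised elsewhere in the thread, that on a never-used machine the real bank shows no seal either. All origins, usernames, image names and class names are constructed for the example.

```python
"""
Toy model of a cookie-bound sign-in seal (security image).
Everything here (Bank, Browser, PhishingProxy, users, image names,
origins) is constructed for illustration; it is not a real bank's code.
"""
import hmac
import secrets


class Bank:
    def __init__(self):
        self.seals = {}          # username -> seal image the user picked
        self.device_tokens = {}  # device token -> username it was issued to

    def enroll(self, username, seal):
        self.seals[username] = seal

    def issue_device_cookie(self, username):
        """Called only after a fully authenticated login on this browser."""
        token = secrets.token_hex(16)
        self.device_tokens[token] = username
        return token

    def seal_for(self, username, cookie):
        """Seal endpoint: the image is returned only if the presented cookie
        was issued to this very user; otherwise the page shows no seal."""
        owner = self.device_tokens.get(cookie) if cookie else None
        if owner is not None and hmac.compare_digest(owner, username):
            return self.seals.get(username)
        return None


class Browser:
    """Cookie jar keyed by origin: a cookie set by one origin is never sent
    to another, which is what defeats the naive proxy below."""
    def __init__(self):
        self.jar = {}

    def set_cookie(self, origin, value):
        self.jar[origin] = value

    def cookie_for(self, origin):
        return self.jar.get(origin)


class PhishingProxy:
    """Look-alike login page that relays the typed username to the real bank
    and tries to fetch the victim's seal to make the fake page convincing."""
    def __init__(self, bank):
        self.bank = bank

    def seal_for(self, username, cookie_sent_to_phisher):
        # The proxy can only forward what the victim's browser sent to *it*.
        return self.bank.seal_for(username, cookie_sent_to_phisher)


BANK = "https://bank.example"          # constructed origin
PHISH = "https://bank-login.example"   # constructed look-alike origin


def run_scenario():
    bank = Bank()
    bank.enroll("alice", "goofy_dog.png")
    browser = Browser()

    # 1. Alice logs in fully on her usual machine; the bank drops a device cookie.
    browser.set_cookie(BANK, bank.issue_device_cookie("alice"))

    # 2. On the genuine site the browser sends the bank cookie; seal appears.
    genuine = bank.seal_for("alice", browser.cookie_for(BANK))

    # 3. On the phishing site the browser has no cookie for that origin, so
    #    relaying the username alone yields no image.
    proxied = PhishingProxy(bank).seal_for("alice", browser.cookie_for(PHISH))

    # 4. A cookie issued to another user's device does not unlock Alice's seal.
    bank.enroll("bob", "toaster.png")
    cross_user = bank.seal_for("alice", bank.issue_device_cookie("bob"))

    # 5. Limitation: on a machine Alice has never used, the real bank shows no
    #    seal either, so "no image" by itself cannot distinguish a new device
    #    from a phishing page.
    new_machine = bank.seal_for("alice", Browser().cookie_for(BANK))

    return {
        "genuine": genuine,
        "proxied": proxied,
        "cross_user": cross_user,
        "new_machine": new_machine,
    }


if __name__ == "__main__":
    for case, seal in run_scenario().items():
        print(f"{case:12s} -> {seal}")
```

The device token is stored server-side and compared with `hmac.compare_digest` so that neither the seal lookup nor the cookie check leaks anything about other users. Case 5 is the part the design leans on the user for: the bank cannot tell a first-time device from a phish, so the whole scheme rests on the user refusing to type a password when the picture is absent.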


My bank (ING Direct) had that. And then they were bought by Capital One, who removed it.


Did you refuse to sign in without it?


That would have been bad for me but not for the bank. I called them, got a non-answer, and was too apathetic to push harder.


ING-Diba in Germany is still doing this. Here, I am assuming that ING Direct is the same folks as ING-Diba.


But phishers can proxy the 3rd party site to you. And this isn't hard to do. It might help w/ your relatives, but for anything even mildly targeted you can certainly rent a couple of t2.nanos to pull this off...


Yup. Verizon Wireless does this as well.



