Thursday, December 27, 2007 At 5:58PM
It seems like every day I hear about a new web-based authentication technique intended to enhance user security and/or thwart phishing scams. This is especially common in the banking world, where most applications are starting to use strong two-factor authentication. Unfortunately for most of the larger consumer web applications, implementing strong multi-factor authentication (i.e. Smart-cards or SecureID) is just not cost effective or practical when you have several million users. As a result, these applications must resort to other creative ways to strengthen their authentication.
One increasingly popular practice is the use of security images (known as “watermarks”) to thwart phishing scams. For those not familiar with this concept (generically known as site-to-user authentication), it’s supposed to work like this:
During registration, the user selects (or is assigned) a specific image. The image is one of potentially hundreds of possible images and is intended to help the user distinguish the real web-site from an impostor. The actual act of authenticating to the website is split into the following three steps:
- Step 1: The user submits their username (only) to the website
- Step 2: The website shows the user their personal “watermark” image, allowing them to verify that they are at the correct site.
- Step 3: If the watermark image is correct, the user should enter his/her password to complete the login process. If the watermark image is not correct (or not shown), the user should not proceed as they are likely not at the correct website.
The general concept is pretty simple, and was pioneered by PassMark (acquired by RSA/EMC) several years ago. The concept (and PassMark) has been the subject of much scrutiny by both the FFIEC and security researchers in recent years, who have even published papers outlining various ways in which this scheme can be abused and subverted. What I find most interesting is that, in addition to all of the potential technical flaws that have been identified with PassMark (and similar concepts), it seems to suffer from an even more critical and fundamental flaw: most users just don’t understand it.
A study published earlier this year found that 97% of people who use an image-oriented site-to-user authentication scheme (as described above) still provided their password to an impostor website even though the correct security image was not shown. Even worse, it seems that some of the companies who implement this authentication scheme don’t completely understand it. Consider the following real-life example:
Like many folks this holiday season, I found myself at a department store checkout counter faced with the question that every retail clerk is programmed to ask (“Would you like to save an additional 15% today by opening up a new credit card?”). Normally I decline this offer while the clerk is in mid-sentence; however, on this day I proceeded to open an account.
A few days later, I went online to pay my bill and quickly noticed the site touting its *high security* (this seems to be the marketing norm these days). During the registration process, the site forced me to pick a “Security Image” that is used to protect me from phishing scams (à la PassMark). Knowing how this process is supposed to work, you can imagine my surprise when my subsequent login to the website looked like this:
Screen 1: Login Screen (requesting user-name and password)
Screen 2: After authentication (displays my security image)
What’s wrong with these pictures? Unfortunately they don’t show me my security image until after I have completely authenticated to the website (instead of before I provided my password)! Clearly there seems to be a lack of understanding and/or education somewhere on the other side.
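To make the ordering problem concrete, here is an added example (my own illustration, not code from the post or from PassMark) that models the three-step flow above as a small state machine and can be switched into the flawed ordering seen on the card issuer's site. Usernames, the password, the image names and the salt are constructed sample values; serving a stable decoy image for unknown usernames is a design choice of the example, so that the watermark step does not reveal whether an account exists.

```python
import hashlib
import hmac

# Constructed sample data for this example: one account with a salted PBKDF2
# password hash and its chosen watermark, plus the pool of available images.
_SALT = b"example-salt"
_DECOY_KEY = b"example-server-secret"
WATERMARKS = ["sailboat.png", "lighthouse.png", "teapot.png", "violin.png"]

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": {"watermark": "sailboat.png", "pw_hash": _pw_hash("correct horse")}}

class SiteToUserLogin:
    """One login session, in either the correct or the flawed ordering."""
    def __init__(self, watermark_before_password: bool = True):
        self.before = watermark_before_password
        self.state, self.username = "need_username", None

    def watermark_for(self, username: str) -> str:
        """Real image for known users; a stable keyed-hash decoy for unknown ones,
        so the reply looks the same whether or not the account exists."""
        if username in USERS:
            return USERS[username]["watermark"]
        idx = int.from_bytes(hmac.digest(_DECOY_KEY, username.encode(), "sha256")[:2], "big")
        return WATERMARKS[idx % len(WATERMARKS)]

    def submit_username(self, username: str):
        """Steps 1 and 2: the username alone, answered with the watermark to display."""
        if self.state != "need_username":
            raise RuntimeError(f"username not expected in state {self.state}")
        self.username, self.state = username, "need_password"
        # Correct ordering: the user can check the image before typing a password.
        # Flawed ordering (the site in the post): nothing to verify against yet.
        return self.watermark_for(username) if self.before else None

    def submit_password(self, password: str):
        """Step 3: the password, which the user should only send after seeing the image."""
        if self.state != "need_password":
            raise RuntimeError(f"password not expected in state {self.state}")
        rec = USERS.get(self.username)
        ok = rec is not None and hmac.compare_digest(rec["pw_hash"], _pw_hash(password))
        self.state = "authenticated" if ok else "need_username"
        # Flawed ordering shows the image only now, after the password has already left.
        return {"ok": ok, "watermark": rec["watermark"] if ok and not self.before else None}

def run_login(username: str, password: str, correct_order: bool = True) -> dict:
    """Drive one login and report at which step the watermark was shown."""
    session = SiteToUserLogin(correct_order)
    shown_before = session.submit_username(username)
    result = session.submit_password(password)
    return {"authenticated": result["ok"],
            "shown_before_password": shown_before is not None,
            "shown_after_password": result["watermark"] is not None}
```

Run with `correct_order=False` the watermark only ever appears in the post-password response, which is exactly the sequence the two screens above show and why it offers the user no protection.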
A quick survey of some non-technical friends and relatives during the holidays also served to further confirm my suspicions. While all of them use at least one banking/bill-pay website that incorporates the use of a security image (“Oh yea, I have a special picture that they show me every time I log in”), not one of them could explain what the image was for or even whether it gets shown to them before or after they provide their password.
The takeaway here is that (not surprisingly) end-user awareness still is, and likely always will be, a fundamental component of the success of any good security measure. There is little point in implementing a new security mechanism (especially one that depends on the user understanding it) unless the appropriate steps have been taken to ensure that everyone has been properly educated.
Author: Brian Holyfield
©Aon plc 2023