A lot of banks have started adding a security image and / or phrase to the login process in order to help prevent phishing.

It works like this. When you set up your account, you chose a picture from a list (usually things like puppies, kittens, bicycles, cars, etc), and you enter a phrase that will be displayed with this picture. This is stored with your account.

Later, when you login you first enter your username. You are presented with the picture and phrase to prove that you are at the bank’s true website and not a phishing site that just looks like your bank’s site. On this second page, you verify that the image and phrase are correct, then enter your password with confidence.

Sounds like a great idea, right? I thought so to at first, and a lot of people think that it is a very good security measure.

Unfortunately as currently implemented there is a serious flaw in the logic. What is to stop a phishing site from programmatically requesting this image and phrase on your behalf?
A Captcha would not help either. The phishing site could simply pass the captcha to the user, and the result back to the bank site.

No, this creates a false sense of security. By telling people that these features ensure the site is genuine, they will more readily believe it when a phishing site provides the same “security”.

I believe I could make a proof of concept, but with the current state of freedom in the US, I’d probably go to jail for it.