by kondbg 3604 days ago
I've never understood why this is seen as a form of verification. What is stopping a phishing site from simply taking a victim's username and fetching the victim's corresponding image from the bank's website via simple scraping?

My bank asks a security question if logging in from an unknown computer before offering the image or allowing entry of the password.
This also provides zero additional security for the end user. Offering security questions and/or images that a user selected does not prove that the site is legitimate, since a phishing site can literally be a reverse proxy to your bank's website that just logs all form values. You can accomplish this in < 15 lines of nginx configuration.

Adding "verification images" or security questions that you set up does not prove that a site is legitimate. A successfully established HTTPS connection to the bank's domain is necessary and sufficient to guarantee authenticity (and most banks use EV too, which browsers make extra obvious).

Users should be trained to look at the URL bar for the green EV indicator, instead of being trained to believe that a site is legitimate simply because it displays a picture that they select. Banks that encourage this behavior are actively encouraging users to become even more gullible to well-crafted phishing attacks.

You are correct.

I consider it just one factor in authenticating the bank, but I see your point that it could make people less aware of, or complacent about, the EV indicator, etc.

Have you played "What's Your Porn Name?" You combine your first pet's name and your mother's maiden name...
I believe it is there so that you don't accidentally lock someone else out of their account if you enter your username incorrectly (which I have done!).
I had an account with ING Direct and when I created it they asked me what I would like to name it, so I simply entered "checking". Little did I know that you could also use that name as your login name (I always logged in using my account #, I thought the account name was just for display).

Took a few weeks to figure out why I kept getting locked out. Turns out the username "checking" is a pretty popular guess.

That's probably why many of my bank/credit logins no longer present that option. Most of mine have moved back to the single-form style of login.