by JumpCrisscross 2958 days ago
> any criminal who wants to present a fake bank login screen also has to know the secret image as well

This mechanism is theatre:

1. User enters ID into fake bank website.

2. Fake bank website enters said ID into real bank website.

3. Real bank website shows fake bank website your "secret" image.

4. Fake bank website shows you your "secret image".

5 comments

Someone tried defeating the secret-image security... it turns out all it takes is a static image saying "Error with Secret Image Server, call us if the problem lasts more than 24 hours."

> 3. Real bank website shows fake bank website your "secret" image.

I had left out some implementation details for brevity. Any first time use of a "new" computer to access the online account requires verification from the bank. (E.g. random code is emailed.) At that point, a bank cookie is set. The bank doesn't show the secret image unless the computer already has a cookie from a previous verification.

A fake webpage that tries to forward credentials to a "robo" browser on a computer in Russia wouldn't have that cookie so they'd never be able to see the secret image.

There are probably other security checks the banks do such as ip blacklists etc.

The secret image isn't foolproof but it's an extra signal to signify trust. Likewise, 2-factor authentication with mobile phones isn't foolproof either and can also be hacked.

What if they open the bank website in a hidden iframe on the malicious site?

X-Frame-Options: DENY
Banks should notice a new IP/browser and then force 2-factor authentication before showing the image, e.g. sending a text. That would make users far more suspicious, as rather than a normal login they see one of those "we don't recognize your browser" screens. The bank can also track the 3rd-party connection to their servers, making this more tricky to get away with. So, while not foolproof, done correctly it is actually very useful.

However, a website would not have access to the browser's image unless the machine was already compromised.
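As an added illustration (not code from any commenter or from any bank), here is a minimal Python sketch of the defences the replies above describe: the secret image is returned only to a browser carrying a device cookie that was issued after out-of-band verification, any other browser gets the "we don't recognize this browser" step with no image, the attempt is written to an audit log so the bank can track it, and every response carries X-Frame-Options: DENY so the login page cannot be loaded in a hidden iframe. The server key, user table, cookie format and the extra Content-Security-Policy frame-ancestors header are my assumptions for the example, not anything the thread specifies.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed server-side secret for the demo; a real deployment would load it from a KMS/HSM.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed "database": user id -> the image the user picked at enrollment.
SECRET_IMAGES: Dict[str, str] = {"alice": "blue_sailboat.png", "bob": "red_kite.png"}

# Constructed audit trail: every unrecognized-device attempt is recorded here so
# the bank can see relays hitting the endpoint from machines it has never verified.
AUDIT_LOG: List[dict] = []

# Sent on every response so the page cannot be embedded in an iframe elsewhere.
# CSP frame-ancestors is the modern equivalent of X-Frame-Options (assumed addition).
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def mint_device_cookie(user_id: str, device_id: str) -> str:
    """Issue a device cookie. Only called after out-of-band verification
    (e.g. the user typed back a code the bank emailed them)."""
    if ":" in user_id or ":" in device_id:
        raise ValueError("ids must not contain ':'")
    payload = f"{user_id}:{device_id}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_device_cookie(cookie: Optional[str], user_id: str) -> bool:
    """True only if the cookie was minted by this server for this user."""
    if not cookie:
        return False
    payload, sep, tag = cookie.rpartition(":")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    # A valid cookie issued to a different user must not unlock this user's image.
    return payload.split(":", 1)[0] == user_id


@dataclass
class Response:
    status: int
    headers: dict
    body: dict


def login_step1(user_id: str, cookies: dict, client_ip: str = "198.51.100.7") -> Response:
    """First login step: the user has entered only their ID.

    The secret image is shown only when the browser carries a valid device
    cookie. Any other browser, including one on a third-party machine that is
    merely forwarding the ID, gets the verification step and no image.
    """
    headers = dict(ANTI_FRAMING_HEADERS)
    if user_id in SECRET_IMAGES and verify_device_cookie(cookies.get("device"), user_id):
        return Response(200, headers, {"step": "password", "secret_image": SECRET_IMAGES[user_id]})

    # Unknown ids get the same response as unrecognized devices, so this
    # endpoint does not confirm which ids exist.
    AUDIT_LOG.append({"event": "unrecognized_device", "user_id": user_id, "ip": client_ip})
    return Response(200, headers, {
        "step": "verify_device",
        "secret_image": None,
        "message": "We don't recognize this browser. Enter the code we just emailed you.",
    })


if __name__ == "__main__":
    # Normal flow: alice verified this browser earlier and holds a cookie.
    jar = {"device": mint_device_cookie("alice", "laptop-1")}
    print(login_step1("alice", jar).body)
    # Unverified browser: same ID, no cookie, so no image and an audit entry.
    print(login_step1("alice", {}).body)
    print(AUDIT_LOG)
```

The cookie is an HMAC over user id and device id rather than a random token looked up in a table, so the server needs no per-device state to check it; the trade-off is that revoking a single device then requires a denylist, which a table-based design gets for free.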

Hm... the way I remember this feature (forgot where it was) is that your custom image is stored in your browser (localstorage?), not on the remote site. So when you see your image, you know it's the same origin. (E.g. not a similar URL with two letters swapped, I guess.)

That's not an issue though if we're talking about the browser UI, as there's no way for a website (malicious or otherwise) to obtain secret image data from the browser.