davidwr's Journal: Banking login improvements - will they work?

My bank is adding a "security picture" to its login. You enter your username, then the bank shows you a picture you previously selected. If it's wrong, you call the bank fraud hotline. If it's right, you enter your password.

A man-in-the-middle attack can easily defeat this. Even a bot running on a zombie PC can defeat this:
The bot sends spam directing people to a properly registered, similarly spelled secure web site run by the bad guys. The bad guys get your userid and pass it on to one of a thousand other zombie-bots, which give it to your bank and get the picture. The zombie-bot and the fake web site act together as a man-in-the-middle attack.

The reason the zombie-bots are needed is so the bank won't notice a bunch of different account accesses from the IP address of the bogus web site.

The bottom line:
This won't work. What will work better:
* Smarter people who won't fall for misspelled/lookalike sites
* Train customers to either type in the address by hand or use a pre-typed shortcut or Favorite, NOT links sent to them in email
* Provide customers with an application that, independent of the web browser, gets a password and/or one-time passcode, connects to the server, and does a preliminary login. At that point, anyone from your IP address will have 15 minutes to do a regular login. A spoofed-URL-based man-in-the-middle attack will immediately set off alarms.
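As an added illustration (not code from the original post or from any bank), here is a small Python simulation of the relay attack described above against the picture-only login, and of the out-of-band pre-login with a 15-minute window bound to the customer's IP address proposed in the last bullet. The account name, picture, password and IP addresses are constructed.

```python
import time

# Constructed demo account (assumption for the simulation, not real bank data).
PICTURES = {"alice": "red_sailboat"}
PASSWORDS = {"alice": "correct-horse"}
PREAUTH_WINDOW = 15 * 60  # the 15-minute window the post proposes


class Bank:
    """Login server with the security-picture step, optionally gated by an
    out-of-band pre-login that is bound to the client's IP address."""

    def __init__(self, require_preauth=False):
        self.require_preauth = require_preauth
        self.preauth = {}   # (user, ip) -> expiry timestamp
        self.alarms = []    # picture requests with no valid pre-login

    def out_of_band_login(self, user, ip, now=None):
        # The separate client app has verified the one-time passcode:
        # open the window for this user from this IP only.
        now = time.time() if now is None else now
        self.preauth[(user, ip)] = now + PREAUTH_WINDOW

    def picture_for(self, user, ip, now=None):
        # Original scheme: anyone presenting the username gets the picture.
        # Hardened scheme: only an IP that completed the pre-login gets it;
        # any other request is exactly the alarm the post describes.
        if self.require_preauth:
            now = time.time() if now is None else now
            if now > self.preauth.get((user, ip), 0):
                self.alarms.append((user, ip))
                return None
        return PICTURES.get(user)

    def login(self, user, password, ip):
        return (PASSWORDS.get(user) == password
                and self.picture_for(user, ip) is not None)


def relay_attack(bank, victim, zombie_ip):
    """Lookalike site plus zombie bot acting as the man in the middle."""
    pic = bank.picture_for(victim, zombie_ip)  # zombie asks the bank
    if pic != PICTURES[victim]:
        return False  # victim sees a wrong/missing picture and calls the hotline
    # The fake site shows the right picture, so the victim types the password.
    return bank.login(victim, PASSWORDS[victim], zombie_ip)


def legitimate_login(bank, user, ip):
    bank.out_of_band_login(user, ip)
    return bank.login(user, PASSWORDS[user], ip)
```

With `require_preauth=False` the relay succeeds and no alarm fires; with it enabled the zombie's picture request is refused and logged, while the real customer still logs in from the IP that completed the pre-login.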

