Pictures and fraud detection

If you haven’t had a chance to read the Harvard / MIT study on users’ lack of attentiveness to various visual cues, including the ludicrous “pick a picture” scheme popularized by Passmark, you should go give it a look.  It is aptly titled “The Emperor’s New Security Indicators”.

Louie Gasparini, co-CTO of the consumer division of RSA (the security division of EMC, which is stuck selling the Passmark site-to-user authentication technology), was given a chance to respond to this study over at the Wall Street & Technology blog.  My response to his response is the first comment on that page; for your reading pleasure, it follows here:

I find it interesting that Mr. Gasparini would use the door lock analogy given that he’s arguing for a security system that is completely reliant on the equivalent of motion detectors alone in a physical security system. Fraud detection techniques, the invisible authentication he alludes to, are a perfectly reasonable layer in a layered defense, but not as the only layer. The Harvard / MIT study and Mr. Gasparini’s own response point to the fact that the entire, supposedly 2-way, 2-factor picture mechanic is nothing more than a “reassuring” device and of no security value at all. So where are the layers?

How many motion detectors, pressure pads and video surveillance cameras would you need to have in your house or business before you would feel comfortable removing all the doors and windows? Yet this is what consumers are being asked to put up with from those that want their online business, but aren’t willing to exert anything but the bare minimum to protect themselves and nothing to protect the consumer. Bank risk mitigation? Yes. Consumers, though: feel good with your pictures, manage your own risk, and good luck out there.

Until we security professionals can impress upon our business application colleagues / customers that we need to do something from the client side and not just the server side, customers remain on their own. “Caveat emptor” should be changed to “caveat surfer”.

I want to build on this in following posts.  In the meantime, ponder who is to blame for the sad state of affairs with regard to how chintzy and half-hearted the efforts to secure consumers are, instead forcing them to be their own security experts when they can’t or won’t even follow the seemingly simplest instructions.  Also, why do financial institutions fear customers actually calling them for a little security support more than they can envision the revenue upside of more customers confidently using a more secure online channel?  When will online entities move to use true, strong security features as a competitive driver, similar to when automakers embraced safety features as differentiating components?