
How secure is it to use just the username to display an image (without a password)?

A solution is floating around my company to implement a kind of Yahoo-like web stamp, only bound to the username. This means that the user will enter their username, press enter/submit, and on the next page an image (that the user has previously selected) is displayed, and the user then enters the password.

This is different from what Yahoo does (displaying an image before you give a username/password), which is to bind an image to a cookie.

Is this a bad idea? My spider-sense is tingling very much, but I'd like to hear other opinions on this.

EDIT: I understand that the worst that can happen is retrieval of usernames. That's what I would try to prevent (just having a username leaves you susceptible to denial-of-service attacks). Suppose that in the case of an invalid username, an image based on the (appropriately salted) MD5 of the username turns up, instead of the user-defined image.

62 comments
level 1
14 points · 8 years ago · edited 8 years ago

Unless I am reading this incorrectly, Bank of America does this. You enter your user name (and the state your account is in if you don't have a cookie on that computer yet), then it brings you to the next page which has an image and a title, both of which you supply. Right below the image, it has the password box.

Supposedly to prevent phishing attacks which have a webpage that mimics the real one.

level 2
5 points · 8 years ago

I use BOA and yes, it does this.

level 2

Supposedly to prevent phishing attacks which have a webpage that mimics the real one.

I wonder how effective this really is against a spoof site doing MITM.

level 3
[deleted]
1 point · 8 years ago

Because using tools like sslstrip, I can forward their web traffic to BOA, but my system will likely pull a different cookie. I don't have BOA, so I'm just guessing. If anyone with BOA wants to test this, I'd be happy to walk them through getting sslstrip set up.

level 4

What I mean is a spoof site issuing requests to BoA. User puts in their username and their state to the spoof site, spoof site turns around and issues that same request to BoA, returning the results to the user. No sslstrip needed.

Sure, you won't pick up the cookie. Who cares? The customer routinely has to reselect their state.

level 5
[deleted]
1 point · 8 years ago

You're right, sslstrip actually might even be able to pass along the cookie from the client. A full spoof site however would have to request a new one and forward it on.

Doesn't BOA ask you a security question to "authorize" a computer for your account? I would think spoof sites would become apparent very fast with so many different users "authorizing" a system. Probably still enough time to rip off a few accounts though.

level 6

I would think spoof sites would become apparent very fast with so many different users "authorizing" a system.

Isn't that the huge advantage to being in control of a giant botnet?

level 7
[deleted]
4 points · 8 years ago

Good point. Everyone should have a botnet. They're so useful. :P

level 8

Agreed

level 6
[deleted]
2 points · 8 years ago

One nice feature they have is that I get texted whenever somebody tries to authorize a new computer or transfer funds outside my accounts.

I suppose I could still be in for a MITM attack, but I kind of like the idea.

level 7

But if you are authorizing a "new" computer (ie via a spoof site), that text message won't be suspicious. The user simply assumes, "oh whatever, BoA forgot my computer." You'll only get a warning about the funds transfer after the fact.

level 8
[deleted]
1 point · 8 years ago

I mostly like it for the transfers out. I really don't know anything that would protect me from logging into my bank from an unsecured computer or a MITM attack.

level 9

Secondary authentication factors, like the Blizzard authenticator and other security tokens.

level 2
2 points · 8 years ago

Same with Bank of Montreal in Canada.

level 2

I use National City, and they do this too. Though, as I remember, you can only choose some pre-selected images, none of which are too appealing.

level 2

Univest does this as well.

level 1
11 points · 8 years ago

I'm surprised no one has pointed out the more significant security problem here. The biggest risk isn't that you'll disclose valid usernames, the risk is that any smart phisher will just pass the user's request on to the real website, retrieve their image, and show it to them.

Showing a custom image only stops the dumb phishers. It's wide open to man-in-the-middle attacks.

level 2
Original Poster4 points · 8 years ago

Quite right - I believe this is the argument to kill this stupid project. Thank you :)

level 3

I think you will waste more time fighting this than you would just to implement it, and it won't really be less secure in any meaningful way so long as you use the salted hash solution to show fake images.

level 4
Original Poster2 points · 8 years ago

We have already lost a lot of time fighting it, thanks. Still, the fact that it makes the phishing site more "correct" with a simple man-in-the-middle attack has probably just killed the project.

level 2

If someone is subjected to a man-in-the-middle attack there's not much anyone can do, but at least this will do something. Even if it stops 1% of phishers, it's still better than nothing.

level 3
5 points · 8 years ago

Except it's not better than nothing, because now it takes me twice as many pages to log in :(

level 4

There's always an exchange between performance and security. =/

level 5
3 points · 8 years ago

Except in this case, there really is no increase.

level 3
2 points · 8 years ago

Well, SSL certs are what's supposed to stop man-in-the-middle attacks.

But I agree that they do a pretty bad job of that.

level 4

What i meant to say was...

If someone, or an organization, actually decides they want to put the effort into doing a MITM attack on someone else, that someone is going to be SOL. Unless they're expecting it, they won't even know what happened, even with all their 'security'.

level 2
[deleted]
1 point · 8 years ago

That, plus a short captcha, maybe. Stops a bunch of the smart phishers too, but the rest will just outsource the captcha...

level 1
4 points · 8 years ago

I may be way off here, but what is stopping the phishers from getting the image from you and showing it to the user trying to log in?

level 2
2 points · 8 years ago

This is why I have a backup plan: be poor enough that if they gain access to your account you can laugh at the fact that they just wasted a lot of their time.

level 3
3 points · 8 years ago

Ah, the good ol' security by poverty.

level 2

That's actually a good question, I haven't thought about that.

I suppose since they are targeting more than one user at once, the bank can see requests for many users coming from a single connection or in bursts and try to isolate who the phishers are? Maybe? I'm not sure to be honest. I'd love to hear another opinion on this.

level 3
Original Poster2 points · 8 years ago

I would assume use of a botnet, but MITM is a very real threat in this case.

level 1
4 points · 8 years ago

Don't waste your time. Nobody looks at those images. It's pretty straightforward for phishers to get around them.

I don't really buy the username harvesting issue; it's just as easy from a bot's perspective to test a username for existence using a registration process, unless you CAPTCHA that.

Really, it's not that this is a security risk, except perhaps in that it's almost entirely security theatre. Users don't get what the hell the thing is for, and if Bank of America can't educate them, I doubt you can. The people who actually confirm the picture are the same ones who confirm the SSL lock and who confirm the URL.

To quote one of the linked articles (pejorative revisions mine), "A bank using [stupid picture bidirectional authentication] is no less secure than any other online bank - it's just not appreciably more secure than the others."

Also, I'm not sure why you'd want to salt a hash of a username just to generate a photo.

level 2

I think the point of salt/hash/username->photo is to provide a random image that doesn't change over time, so there are no clues to an attacker which usernames are real and which are unused.

level 3

Right, but there seems to be no need for a salt.

level 1
2 points · 8 years ago

My bank does exactly this, although they'll verify a security question before this next step.

I think it's a minor security issue, because it allows an attacker to determine valid usernames.

level 2

Not if you show images whether the username is correct or not.

level 3
1 point · 8 years ago · edited 8 years ago

In that case, you have to implement storage of images for every username you've shown an image for, possibly opening you up to denial of service attacks. You can't just show randomized images, because an attacker will be able to detect that by trying the same username more than once at an interval.

Edited.

level 4
3 points · 8 years ago

You were doing good until the "reverse engineer your hash" part.

Pick a good cryptographic hash and that's just not realistic.

level 5

Ok, you got me there. With a good enough hash, it will probably be pretty hard for an attacker to differentiate between a random image for an invalid username and the correct image for a valid username.

level 4

Why would any attacker bother in lieu of phishing? You're throwing out very time-intensive hypotheticals when the image solution handles the very real and cheap possibility of a man-in-the-middle attack.

level 5
2 points · 8 years ago

How would the image help with a man-in-the-middle attack? Couldn't you just request the image from server and pass it on to the client?

level 6

Obviously for a perfect man-in-the-middle it wouldn't be any good, but there are a lot of circumstances where you don't necessarily have access to the server, or script kiddies who have just set up a site that looks like BoA, but really isn't. The point is it's a line of defense, and the benefits outweigh the risks (which are minimal.)

level 7
2 points · 8 years ago

So we agree that it's a good defense for a phishing attack.

level 1

Good question.

I don't know the answer, but it sounds similar to what a company called Vidoop did in the past. They went out of business but it wasn't for security reasons.

E: hmmmmm, they have a website up. I could have sworn they went out of business.

level 2

It's really similar only insofar as an image is used. Vidoop used a grid of images that the user employed to enter a shared secret for client authentication.

Showing someone a security picture is supposed to provide "bidirectional authentication", which is a load of crap. It doesn't really make the service any more susceptible to username harvesting than a registration process does, but in my view it adds literally nothing to security.

level 3

I was waiting for you to show up.

What is the picture supposed to authenticate? That you're talking to the real site and not someone hijacking or eavesdropping? Don't certificates already do that?

level 4

Exactly. But people don't look at the address bar for the lock. They also don't check to make sure the URL is right. They also ignore certificate warnings, even the Firefox ones that require multiple active steps to ignore.

So, clearly, they'll look at their easily spoofed picture. Like I said, it's a load of crap, which the research confirms.

level 1

Sounds like a bad idea; you could probably brute-force something like that very quickly. What's wrong with a good password?

level 2
Original Poster3 points · 8 years ago

This is supposed to show some picture to the user before he logs in, so that he can identify that the site is not a phishing site (so that he doesn't give his credentials to a phishing site).

level 3

If you have a spoof site that can make requests to your authentic site on behalf of the user (in other words, MITM) then using the username will not prevent spoofing. If, on the other hand, you forced the image to be associated with a cookie somehow so that the browser must match the domains up correctly, you can circumvent the MITM by failing to show the correct picture.

That is, until the user tells the spoof site what the correct picture is. :/
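The two mechanisms discussed in this thread (the OP's EDIT about a decoy image derived from a salted hash of the username, the later exchange about why the decoy must be stable across requests rather than random, and the comment just above about binding the real image to a cookie so a relaying spoof site cannot obtain it) fit together in one login-step handler. The block below is an added illustration written for this page, not code from any commenter, from Bank of America, or from Yahoo. The server secret, the image filenames, the user table and the cookie format are all constructed for the example; the keyed hash is HMAC-SHA256 rather than the salted MD5 the OP mentioned, which is the same idea with a modern primitive.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for this example (not from the original post).
# In a real deployment SERVER_SECRET is a long random key kept out of source control;
# it plays the role of the "salt" in the OP's EDIT.
SERVER_SECRET = b"example-only-rotate-me-per-deployment"

# Decoy pool. Caveat: draw decoys from the same pool users pick their real image
# from; if real images are custom uploads and decoys are stock art, the difference
# itself tells an attacker which usernames exist.
DECOY_IMAGES = ["anchor.png", "lighthouse.png", "kite.png", "maple.png", "compass.png"]

# Constructed user table: username -> image the user chose at enrollment.
USERS = {
    "alice": {"image": "alice_dog.png"},
    "bob": {"image": "bob_bike.png"},
}

COOKIE_NONCE_LEN = 16


def _mac(*parts: bytes) -> bytes:
    """Keyed digest over length-separated parts, so 'ab'+'c' and 'a'+'bc' differ."""
    return hmac.new(SERVER_SECRET, b"\x00".join(parts), hashlib.sha256).digest()


def decoy_image(username: str) -> str:
    """Stable decoy for any username.

    Keyed hash rather than a per-request random pick: a random pick changes on the
    second request, which is exactly the signal an attacker enumerating usernames
    would look for (the point raised in the thread). Keyed rather than a plain hash:
    without the secret an attacker cannot precompute which decoy a username maps to
    and compare it against what the site shows.
    """
    digest = _mac(b"decoy", username.encode("utf-8"))
    index = int.from_bytes(digest[:8], "big") % len(DECOY_IMAGES)
    return DECOY_IMAGES[index]


def issue_device_cookie(username: str) -> str:
    """Cookie value set once, after a full successful login on a browser the user
    chooses to remember. The browser only sends it back to the issuing origin, which
    is what ties the real image to the real site rather than to whoever typed the
    username."""
    nonce = secrets.token_bytes(COOKIE_NONCE_LEN)
    tag = _mac(b"device", username.encode("utf-8"), nonce)
    return base64.urlsafe_b64encode(nonce + tag).decode("ascii")


def device_cookie_valid(username: str, cookie: Optional[str]) -> bool:
    """True only if the cookie was issued by us for this exact username."""
    if not cookie:
        return False
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (ValueError, UnicodeEncodeError):  # binascii.Error is a ValueError
        return False
    nonce, tag = raw[:COOKIE_NONCE_LEN], raw[COOKIE_NONCE_LEN:]
    expected = _mac(b"device", username.encode("utf-8"), nonce)
    return hmac.compare_digest(tag, expected)


def image_for_login_step(username: str, device_cookie: Optional[str]) -> str:
    """What to render on the password page after the username is submitted.

    The user's own image appears only when the username exists AND the request
    carries a cookie issued for that username. Everything else (unknown username,
    known username without the cookie, cookie for a different user, garbage cookie)
    takes the same code path and gets the same stable decoy, so the response does
    not reveal whether the username is real.
    """
    user = USERS.get(username)
    if user is not None and device_cookie_valid(username, device_cookie):
        return user["image"]
    return decoy_image(username)


if __name__ == "__main__":
    cookie = issue_device_cookie("alice")
    print("alice + her cookie   :", image_for_login_step("alice", cookie))
    print("alice, no cookie     :", image_for_login_step("alice", None))
    print("bob + alice's cookie :", image_for_login_step("bob", cookie))
    print("unknown user, twice  :", image_for_login_step("nobody", None),
          image_for_login_step("nobody", None))
```

Two caveats that follow directly from the thread. A spoof site that relays the username to the real site never holds the victim's browser cookie, so it gets a decoy and cannot show the real image; but as soon as the victim "authorizes" the attacker's machine through the spoof site (the security-question flow discussed above), the attacker obtains a valid cookie for that username and this check no longer distinguishes the two. And the decoy only hides username validity if the response time and any other side channel are the same for both paths; a database lookup that happens only for real usernames is a leak this code does not fix.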

level 4
Original Poster1 point · 8 years ago

Damn, you're right. I didn't think of MITM attack for the username! Good catch! :)

level 5

Basically, an attacker can intercept and replace anything you can put in the page, so the best anti-phishing measure is to get an SSL certificate.

level 6
Original Poster1 point · 8 years ago

There already is an SSL certificate in place. The point is that users don't look at the address bar, or at the SSL lock, or even at the color of the address bar. However, they may look at an image that is in a page, especially if it was user-selected. Of course, as duplico already mentioned, no one really looks at these images.

Of course the phishing site can also download the image from a HTTPS site - it's marginally more difficult :)

level 7

Indeed. If you're going to include an image in the page, include the one that shows a screenshot of their browser's bar and says "DO NOT PROCEED IF YOUR BAR DOES NOT LOOK LIKE THIS!".

It'll even serve as a good indicator if the spoofing site removes it.

level 3

Ah, OK, I thought you were replacing the password with an image check. This is already done by many online banking websites. Definitely a good idea for a consumer-level website, as most people tend to be more visual than anything else.

level 1

Are users really so stupid that we have to go to these lengths? Wow.

level 2
Original Poster2 points · 8 years ago

Obviously, since users do fall for phishing schemes. They obviously do not check the url, or the certificate, or the color of the address bar, but they will <sarcasm>surely</sarcasm> notice yet another picture because they selected it themselves.

level 1

Is it possible that one motivation behind this is to prevent the browser from saving the login/password? I know that, e.g., Safari and Firefox won't prompt to save a form which contains only a password input.

level 2
Original Poster2 points · 8 years ago

It's much easier (and more standard) to add autocomplete="off" to the form to prevent the browser from saving them.

level 3

That's true. But it does expect some minimal level of competence from whoever it was that decided on the policy.

Alternately, it could be to make it hard(er) for browser-based badware which looks for username/password forms… But that's less likely.

level 1

My bank uses this as well; the picture is only shown on the password screen.
