You’re logging on to your bank account, and you have to navigate a new layer of security designed to ensure you’re really on your bank’s site. You’ve been told that if an image you’ve chosen—a drawing of a muffin, say, or a toy drum—doesn’t appear, you shouldn’t enter your password and proceed to your account. But you’re in a hurry, you need to check your balance and pay a bill, so you go ahead and log in.
That’s exactly what people almost always do, according to a recent study by Harvard and MIT researchers. And that pretty much defeats the purpose of this latest antifraud measure.
The image system, adopted by several major banks and other financial institutions, is supposed to be a convenient way to make sure you’re not on a fraudulent site that only looks like your bank’s site. But the system requires you to decide whether to proceed if the image is absent, and in the Harvard/MIT study, almost all online banking customers went ahead and logged on to their accounts.
The study actually tested three levels of security. The first involved the padlock icon that appears on the lower right corner of your browser screen when you have a secure connection. The second was the image system, and the third was a screen warning saying there was a problem with a site’s security certificate. Not a single user in the test was deterred by a missing padlock, and 58 of 60 users entered their passwords even though they didn’t see the security image they’d chosen. Only the strongly worded warning page was somewhat effective, and even then, more than half of the study participants proceeded to their accounts.
In the Harvard/MIT study, participants were divided into three groups. Those in one group used their own accounts to perform specified online banking tasks, while participants in the two other groups were assigned roles to play. One of the role-playing groups was also warned about security in advance. But those who had been warned turned out to be even more cavalier than the others, ignoring the security red flags more readily. Only the participants using their own accounts were slightly more cautious.
The study authors worry that the site-authentication images give online banking customers a false sense of security. One bank assures its customers that providing their chosen images means they’ll know immediately that it’s safe to enter the login PIN. Another says, “when you see your image, you can be confident that you’re on [our site] and not an impostor site.”
The site authentication images are only one security measure banks employ. Most, for example, also send “cookies” to the computer you normally use and require you to answer security questions if you log in from another computer. But the new image systems are supposed to provide an additional layer of security—and if you’re like the participants in the Harvard/MIT study, that’s not likely to happen.