A man-in-the-middle attack against Bank of America’s SiteKey service reinforces the same point, although it is not at all obvious that schemes like this (which show you pictures of your grandmother or whatever when you log in) are particularly effective. A study produced jointly by researchers at Harvard and the Massachusetts Institute of Technology looked at the technology in some detail.

Online banking customers are asked to select an image that they will see every time they log in to their account. The idea is that if customers do not see their image, they could be at a fraudulent site and should not enter their passwords. The researchers invited bank customers into a controlled environment and asked them to conduct routine online banking activities. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns because of the missing images.
It’s boring to keep re-posting the same thing, but we need end-to-end security, and that means using tamper-resistant hardware to store digital identities. What are the barriers?
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.