"Reaction [beta]"
Sitekey: The Emperor's new security system? 28 Nov 2007
Have been meaning to post about this for a while now...A joint study by MIT and Harvard found that the "SiteKey" system employed by companies like Bank of America, ING Direct and Yahoo! is ineffective in protecting users against fraudulent sites (i.e. phishing).
The SiteKey system works by assigning an image to a user's account (a teddy bear, say) and displaying it after the user has typed her username but before she is asked for her password. If the image is missing or does not match the one associated with her account, the user should deduce that the site isn't authentic and refrain from entering her password.
My reading of the findings of the MIT-Harvard study is that there's little wrong with the SiteKey system in theory...it just doesn't work in practice. The results (based on testing against the Bank of America site) show that the vast majority of people ignore the SiteKey images. Of the 25 participants who were using their real account details, only two declined to enter their passwords when the site-authentication image was missing, and none of the other 42 participants (those using dummy accounts and login details) spotted that the cue had been omitted.
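To make the mechanism and the study's finding concrete, here is a small model of a SiteKey-style two-step login. It is an added example written for this post, not code from Bank of America or from the MIT-Harvard study; the site, account and user names are made up, and the "phishing site" simply omits the image, which is the condition the study tested. The only thing enforcing the check is the user's `checks_image` flag: the server cannot tell whether the person typing the password looked at the image.

```python
"""Model of a SiteKey-style login: username -> site shows image -> password.

Added example, not the original post's or any bank's code. All names and
credentials below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Ordinary salted password hashing; unrelated to the SiteKey image itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    image: str        # site-authentication image chosen at enrolment
    salt: bytes
    pw_hash: bytes


class BankSite:
    """Legitimate site: knows each account's image and password hash."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def enrol(self, username: str, password: str, image: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(image, salt, _pw_hash(password, salt))

    def sitekey_for(self, username: str) -> str | None:
        # Step 1: the site "authenticates itself" by showing the enrolled image.
        acct = self.accounts.get(username)
        return acct.image if acct else None

    def check_password(self, username: str, password: str) -> bool:
        # Step 2: normal password verification, constant-time compare.
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_pw_hash(password, acct.salt), acct.pw_hash)


class PhishingSite:
    """Impostor: copies the login form but does not know the user's image."""

    def __init__(self) -> None:
        self.captured: list[tuple[str, str]] = []

    def sitekey_for(self, username: str) -> str | None:
        return None  # image omitted, as in the study's test condition

    def check_password(self, username: str, password: str) -> bool:
        self.captured.append((username, password))  # harvest the credentials
        return True  # and pretend the login worked


@dataclass
class User:
    username: str
    password: str
    expected_image: str
    checks_image: bool  # does this user actually look at the image?


def attempt_login(site, user: User) -> dict:
    """Run the two-step flow and report whether the password was sent."""
    shown = site.sitekey_for(user.username)
    if user.checks_image and shown != user.expected_image:
        # The only point at which SiteKey can stop anything: the user balks.
        return {"image_shown": shown, "password_sent": False, "logged_in": False}
    ok = site.check_password(user.username, user.password)
    return {"image_shown": shown, "password_sent": True, "logged_in": ok}


if __name__ == "__main__":
    bank = BankSite()
    bank.enrol("alice", "correct horse", "teddy-bear")
    phish = PhishingSite()
    attentive = User("alice", "correct horse", "teddy-bear", checks_image=True)
    typical = User("alice", "correct horse", "teddy-bear", checks_image=False)
    print("attentive vs bank :", attempt_login(bank, attentive))
    print("attentive vs phish:", attempt_login(phish, attentive))
    print("typical vs phish  :", attempt_login(phish, typical))
    print("phish captured    :", phish.captured)
```

The model deliberately leaves out the device cookie and challenge questions that real deployments put in front of step 1, so here the image is returned to anyone who presents a username; the point it isolates is the one the study measured, namely that once the image is missing, whether the password leaks depends entirely on the `checks_image` flag, and in the study that flag was effectively false for 65 of 67 participants.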
[via Montparnas]