This is an archive article published on February 6, 2007

From password to image security: Is your bank account really safe?

New software may add extra security but banks believe the process hampers convenience of online use


Internet security experts have long known that simple passwords do not fully defend online bank accounts from determined fraud artists. Now a study suggests that a popular secondary security measure provides little additional protection.

The study, produced jointly by researchers at Harvard and the Massachusetts Institute of Technology, looked at a technology called site-authentication images. In the system, currently used by financial institutions like Bank of America, ING Direct and Vanguard, online banking customers are asked to select an image, like a dog or any other. The image then appears every time the customer logs on to their account; if no image appears, the customer could be at a fraudulent website, dummied up to look like their bank’s.

The Harvard and MIT researchers tested that hypothesis. In October, they brought in 67 Bank of America customers and, after secretly withdrawing the images, asked them to conduct routine online banking activities.


Only two out of all the participants chose not to log on, citing security concerns. The rest entered their passwords anyway. “From the study we learned that the premise is right less than 10 percent of the time,” said Stuart Schechter.

The system has some high-powered supporters in the financial services world, many trying to comply with new online banking regulations. Introducing new downloadable security software or a hardware device that requires PIN codes would add an extra layer of security, but the banks believe that it detracts from the convenience of online banking.

Rachna Dhamija, the Harvard researcher who conducted the study, said that it demonstrated that site-authentication images are fundamentally flawed and, worse, might actually detract from security by giving users a false sense of confidence.

Brad Stone
