
Unless, of course, a reasonable implementation were used, tying the image to a cookie and using the browser security to prevent it being sent to different domains; if you're on a subdomain of a bank already, there are far more effective ways to execute an attack.


This is exactly how Yahoo implemented this. The downside is that you have to select a new "sign in seal" for each browser/computer that you use.


All an attacker has to do is present the "we don't remember this computer" screen and ask them to set up a new image once they "log in".


Exactly. Any proper implementation of this kind of security should not depend on the username; this would entirely break the purpose.


Bank of America ties it to your user name, which is one of the reasons I quit using them.
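The two designs argued over in this thread, as an added example that is not code from any of the commenters or from Yahoo or Bank of America: a seal looked up by username (which a phishing page can simply relay to the real bank) beside a seal bound to an opaque device cookie that the browser only sends to the bank's domain. The host names (bank.example, phish.example), the cookie name seal_device, the sample users and seal file names, and the server-side data structures are all constructed for the demonstration. The toy cookie jar applies RFC 6265 domain matching, which also shows the subdomain caveat from the first comment: a page on a subdomain of the bank does receive the cookie.

```python
import secrets

# Constructed sample data: two hypothetical customers of "bank.example"
# who each picked a sign-in seal. Not real data.
SEALS = {"alice": "blue_kitten.png", "bob": "red_barn.png"}


class UsernameKeyedSeal:
    """Seal looked up by username alone. Anyone who learns the username,
    e.g. a phishing page relaying what the victim typed, gets the real seal."""

    def seal_for(self, username):
        return SEALS.get(username)


class CookieKeyedSeal:
    """Seal bound to an opaque per-browser cookie. The bank never reveals a
    seal for a bare username; it must see a device token it issued itself."""

    def __init__(self):
        self.devices = {}  # token -> username (hypothetical server-side state)

    def register_device(self, username):
        token = secrets.token_urlsafe(32)  # unguessable, carries no user info
        self.devices[token] = username
        # Would be sent as: Set-Cookie: seal_device=<token>; Domain=bank.example; Secure; HttpOnly
        return token

    def seal_for(self, token):
        user = self.devices.get(token)
        return SEALS[user] if user else None  # None => "we don't remember this computer"


class Browser:
    """Toy cookie jar with RFC 6265 domain matching: a cookie set for
    bank.example is sent to bank.example and its subdomains, never to phish.example."""

    def __init__(self):
        self.jar = []  # (domain, name, value)

    def set_cookie(self, domain, name, value):
        self.jar.append((domain, name, value))

    def cookies_for(self, host):
        return {name: value for domain, name, value in self.jar
                if host == domain or host.endswith("." + domain)}


def enroll(bank, browser, username):
    """Legitimate first visit: the user picks a seal and the bank drops the device cookie."""
    browser.set_cookie("bank.example", "seal_device", bank.register_device(username))


def page_seal(bank, browser, host):
    """What the seal lookup sees when this browser loads a login page served from `host`."""
    return bank.seal_for(browser.cookies_for(host).get("seal_device"))


def phish_username_keyed(bank, typed_username):
    # Phisher relays the typed username to the real bank and displays the returned seal.
    return bank.seal_for(typed_username)


def phish_cookie_keyed(bank, browser, typed_username):
    # phish.example receives no bank cookie, so knowing the username buys nothing...
    seal = page_seal(bank, browser, "phish.example")
    if seal is None:
        # ...which leaves the social-engineering fallback described in the thread:
        # show the "new computer" screen and ask the victim to sign in and pick a new seal.
        return "prompt: we don't remember this computer, please sign in to choose a new seal"
    return seal


def demo():
    browser = Browser()
    bank = CookieKeyedSeal()
    enroll(bank, browser, "alice")
    return {
        "username_keyed_phish": phish_username_keyed(UsernameKeyedSeal(), "alice"),
        "cookie_keyed_phish": phish_cookie_keyed(bank, browser, "alice"),
        "cookie_keyed_legit": page_seal(bank, browser, "bank.example"),
        "cookie_keyed_subdomain": page_seal(bank, browser, "evil.bank.example"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The username-keyed lookup hands the phisher the correct seal; the cookie-keyed lookup on a foreign domain yields nothing and the attacker is reduced to the "we don't remember this computer" prompt, while a page on a bank subdomain still gets the seal, which is the caveat the first comment raises.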



