[Cryptography] [FORGED] Re: So please tell me. Why is my solution wrong?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 8 04:24:00 EST 2017


Bill Cox <waywardgeek at gmail.com> writes:

>Can you elaborate a bit on the research?

Sure, here's an abbreviated cut&paste from the refs in the book.  

tl;dr: Site images are yet another example of the Simon Says problem applied
to security: you have to notice the absence of a stimulus to realise that the
security isn't present.  Most site images can be defeated simply by omitting
them, or if you're really keen, displaying a broken-image-link image or text
saying that the security on the site is being upgraded and images will return
presently.

Peter.

"First live SiteKey exploit seen in operation", Jim Youll, CR-Labs, October
2007.

"Security Watch: Passwords and Credit Cards, Part 1", Jesper Johansson,
Microsoft TechNet, July 2008.

"The Emperor's New Security Indicators", Stuart Schechter, Rachna Dhamija,
Andy Ozment and Ian Fischer, S&P'07.

"Security Usability Studies: Risk, Roles and Ethics", Rachna Dhamija, CHI 2007.

"Conditioned-safe Ceremonies and a User Study of an Application to Web
Authentication", Chris Karlof et al, NDSS'09.

"Modifying Evaluation Frameworks for User Studies with Deceit and Attack",
Maritza Johnson et al, 2008.

"[Prg] Malware Case Study", Secure Science Corporation, November 2006.

"Malware Targets E-Banking Security Technology", Brian Krebs, November 2007.

"Phishing kits take advantage of novice fraudsters", Paul Mutton, Netcraft,
January 2008.

"Learning More About the Underground Economy: A Case-Study of Keyloggers and
Dropzones", Holz et al, University of Mannheim TR-2008-006.

"Security Theater on the Wells Fargo Website", Don Bixby, Schneier on
Security, March 2013.

"Studying the Effectiveness of Security Images in Internet Banking", Lee et
al, W2SP'14.
