Today I will present four of the top security features that web sites implement to try to keep you safe online. And then I will tell you why each one is bogus. While these techniques range from the merely annoying to the moderately dangerous, the one thing that they have in common is that they are so misguided that you should be slightly concerned if you see these on sites that you use. If these features pass as good ideas in the minds of the developers, then who knows what other untold horrors lurk in the sites' code?
1. The Virtual Keyboard

A virtual keyboard is an on-screen keyboard made of buttons that stand in for the keys on your physical keyboard. The keys are usually laid out in a random order, and you are prevented from typing your password normally; you have to click it in with the on-screen keyboard. So-called security "gurus" claim that this prevents keyloggers from stealing your password. At best it defeats a logger that records nothing but keystrokes, and even that is irrelevant, because software running on your computer has several other ways to get the password. One is the accessibility interface that most browsers expose: it lets other programs read the contents of the pages you are browsing, including the password you just clicked in. This isn't a bug, it's a feature; screen readers are only one of its legitimate uses. Another is simply capturing the screen around each mouse click, or reading the password field (or the request) at the moment you submit the form. The point is that this kind of power can be used by programs for good or for evil. So if you have an evil program on your computer that is reading your keystrokes as you type them, you need to go to the root of the problem, which is the malicious software installed on your computer, instead of hoping that a band-aid solution like a virtual keyboard will protect you.
And we haven't even gotten into how virtual keyboards kill usability and accessibility. Using the mouse to click virtual keys that are randomly placed and are the size of Micro SD cards is a tedious affair. It's even worse if you don't have a mouse and are forced to use your (real) keyboard by pressing Tab and Shift+Tab dozens, if not hundreds, of times. GRRRRRRRRRR.
2. Blocking Right Clicks

This feature goes beyond pseudo-security and touches upon pseudo-copyright protection also. Here are just a few of the reasons that developers may use to justify blocking the right-click context menu on web pages:
- To prevent users from downloading images on the page
- To prevent users from viewing the page source code
- To have greater control over the users' experiences
Notice a common theme in that list? It's all about limiting users and what they can do. Good software shouldn't limit people, it should enable people. Furthermore, this technique is a joke because it isn't even capable of keeping users from doing any of those things: by the time the page is displayed, the browser has already downloaded the source and every image on it, and the context menu is just one of many ways to get at them. It provides no protection whatsoever and just hinders the majority of visitors, who are not image thieves or computer hackers. So if you ever come up against a context menu that won't open, just use any of these techniques and you'll be a 1337 h4x0r too:
- Press the Application key (on Windows keyboards, the key with a picture of a menu on it)
- Press Shift+F10 (Windows only)
- Disable JavaScript in your browser and right-click away (the block is just a script handler that cancels the context-menu event, so without scripts there is nothing to stop it).
- Press Ctrl+U (Windows and Linux) to view the page source directly, and open any image URL in a new tab to save it.
3. The Security Image

This technique seems to be favored by banks and credit unions. Security images are meant to protect against phishing. The theory of operation is that you choose an image when you sign up for an online account, and on subsequent visits the server displays that image before asking for your password. When you see your image, you are supposed to know that the site is authentic and not a lookalike phishing site, because the lookalike site doesn't know which image is yours. The idea is not bad in principle, but it fails in practice for two reasons. First, it depends on users refusing to log in when the image is missing, and attackers can very likely talk many of them past that by lying about why it can't be shown: a notice saying "the image server is down" is all it takes. Second, if the real site reveals the image as soon as the username is entered, the phishing site doesn't need to know your image at all; it can forward the username to the real site, fetch the image, and show it to you.
Security images also duplicate, badly, a mechanism that already exists for verifying the identity of servers: SSL (today TLS) certificates. A certificate binds the server's key to its domain name, and the browser checks that binding for you, so you are not asked to remember and recognise anything. But be precise about what that buys you. The certificate proves you are talking to the domain shown in the address bar, not that the company behind it is honest. Most certificates are domain-validated, meaning the certification authority checked only that the applicant controls that name; only extended-validation certificates involve any investigation of the organisation. A phishing site at a lookalike domain can therefore have a perfectly valid certificate and a lock icon of its own. So remember, next time you visit a secure site, look for the lock icon in your browser and read the domain name next to it: the lock tells you the connection is authentic and encrypted, and the domain tells you whether it is the right site, which is a far easier and more reliable check than recognising a picture.
4. The Security (or Challenge) Question

Security questions are those personal questions to which sites require you to provide answers, so that you can answer them in the future if you ever need to prove your identity, typically when resetting a forgotten password. They normally come in sets of three, and they usually require such arcane knowledge as your favorite color or your first pet's name. The questions are chosen so that you can easily recall the answers, but other people supposedly cannot guess them. That sounds great in principle, except that the answers are usually far too easy to come by. Mother's maiden name? Place of birth? That kind of information is in public records, and these days all over social media. Favorite color? There are only a couple of dozen plausible answers, so an attacker can simply try them all. Anything else can be obtained through social engineering. Worse, because the questions are used to reset the password, they become a second, weaker way into the account that bypasses the strong password entirely. This type of "security" feature is dangerous because, while it is meant to make things easier for users, it really just undermines their security and the security of the entire system.
So if you are ever forced to use security questions, how should you handle them? Use random text for the answers. Want to know my favorite movie? S]ujv1)_EB8D. And the color of my first car? KSf$.CPP]uB2vry. Of course, random answers are much harder to remember (which is the whole point), so you will need some sort of system for remembering them, such as the password manager you should already be using for your passwords.