Tech-savvy users are not the main problem in malware.
The whole SiteKey/tiger image solution only gives you an illusion of a solution. What happens when the system displays "System error, unable to display the image"? How will a convincingly-written error message prevent your average gullible or below-average-competence computer user from logging in to a phishing site?
Think of how many things can go wrong on a computer. Think of every time when someone asked you why something works one way in this situation, but another way in another situation, and you had to use a technical explanation (excuse, really) for that inconsistency. Computing is full of that. Until we get to a place where people can actually TRUST and expect consistent behavior in their computing devices, the SiteKey/tiger will be well circumventable.
As far as I'm concerned, SiteKey is a brilliant business idea for selling to satisfy the regulatory two-factor requirement, but a terrible idea in practice.
Take a cue from banks, and add a "confidence word". The user enters a special phrase such as "myspecialword". If "myspecialword" does not appear in the corner of the dialog box, they will know it's fake. I doubt there would be many technical issues that would prevent a simple phrase like that from displaying in the corner of the box.
What if it shows "PHP Parse error: syntax error, unexpected T_VARIABLE in ..." where the confidence word should be? Or better yet, "ConfidenceWord database is empty" - something pseudo-techy that clearly implies a temporary f#ckup on the bank's side.
The problem is not if the bank's site breaks; the problem is what happens when a phishing site displays "error: connection to ConfidenceWord database failed". What percentage of users will say "oh, the bank's site is messed up; let's go in anyway"? A high percentage.
I hardly believe any technical solution on the bank's website is going to prevent phishing sites from mimicking it. People have to learn to recognize phishing sites and electronic-communication phishing tactics, just like they have to learn to spot fake ATMs.
Frankly, I believe it's not something you can make happen. I remember a story here not long ago about honeypots in China and businessmen getting a full briefing and warnings from MI5 before leaving the UK, and some would still leave their computers and smartphones powered on near the bed. I think it's the same with some users: they just don't learn and never will. (I have another theory that states they don't want to learn anything about computers and that it should magically read their minds, but I always end up cursing when I try to explain it, and besides, it's not the point :)
What I never understood is why an attacker couldn't just mirror the user's actions to the real site and scrape the confidence image or word from there to show on the phishing site. What am I missing?
I use (unfortunately) Bank of America online banking, and if I don't see the SiteKey, or really if there is any error at all during the sign-on process, then I leave and immediately start Googling for Bank of America security breaches in the news. If I don't find anything, then I try to log in again the next day.