My new project: Tact, a simple chat app.

Anti-robot label in Internet bank

December 09, 2005

I just realized this morning how my Internet bank uses an extra anti-robot technique in their net bank to prevent automated logins. During an overload, I could see how the page contents was already retrieved but it kept downloading an image which indicated which code from my password card I should enter. The empty spot is indicated with the ugly red circle.

Here’s how it looks in its final form after download. Notice there’s no visual distinction between graphics and text, but it’s a good technology (with the image name in source being obfuscated and I assume random-generated at runtime, not hardcoded) for stopping people from writing “screenscraping login robots” which automatically log on to the bank as user and do something on behalf of the user. If all the artefacts on the page were predictable and hardcoded, it would be pretty easy and could open the door for viruses and stuff which, once they have managed to phish your password, do nasty stuff in your bank.