Training users to rely on specific non-ubiquitous security context
An example of how users are being trained into "bad" security habits.
See also: Action-39
On Bank of America's site they tell users "If you recognize your Site Key, you'll know for sure that you are at the valid Bank of America site."
The statement puts the user in a position to rely completely on the Site Key, and more or less tells them that it is fine to ignore any other security information they might be shown.
This presents two problems.
- The user only pays attention to the security indicator provided by the Site Key while on Bank of America's site, possibly ignoring any other security indicators.
- The user is taught to look for a security indicator that isn't necessarily found on every site.