Ok so we can all play games at estimating the mental capacity and processes of non-experts in security. But my suspicion is that someone savvy enough to spot auto-complete failing to complete is savvy enough to take phishing with a pinch of salt. This would tend to unwind the economic analysis based on autocomplete reducing fraud.

I think what is economically more significant is that autocomplete should make life easier, thus encourage greater uptake = more profit for banks. Maybe the twist is this: autocomplete encourages naive users to forget their passwords and become dependent on it. This reduces their mobility… they end up only using the one machine to internet bank. Therefore they get less value out of the service and don’t use it so much, therefore the bank still has to pay for the human teller that they visit when they nip out to the bank at lunch to make a manual transfer. just a thought.

Without disagreeing with Steven’s analysis, I am uncomfortable that the bank (or more precisely, staff within the bank) has access to my password. I would prefer a mechanism such as use of a client-side SSL certificate to authenticate me to the bank. Even if I allow my workstation to cache the password used to unlock my certificate the bank never learns that password.

Unfortunately, I realise that these are harder to explain to users, especially those who use several different computers to access their bank accounts.

No, as Markus says, the two text fields on the Barclays online banking front page don’t have the autocomplete=”off” attribute; nor does the password form on the next page.

You are quite correct about autocomplete being enabled, but the checkbox Markus describes doesn’t seem to have any effect on this. I don’t have a Barclays account, so I can’t check, but I suspect the two systems are orthogonal.

Attempting to log on with invalid details and selecting the checkbox doesn’t make any difference. I expect that after logging in with valid details, a cookie will be set recording your account number for next time. Can anyone confirm this?

My Bank asks for a Social Security number and PIN to authenticate to online banking (yes I know not very good attributes to use). Well the last time I logged on they introduced a new scheme that has the user select a picture from a list of at least 100. Many on these were pictures or rather strange objects. After the user does this they assign a string to the picture, presumable a word that the users can relate to the picture. Subsequently after the user identifies themselves, but before they enter the PIN, the picture and string are displayed.

I assume one of the intended reasons for this is to help thwart phishing attacks…

Items (1) and (2) are autocompleted if you chose so. Whether you want autocompletion for your membership number or not is stored in a cookie.

I suspect that this is not autocompletion (where the information is held by the browser), but that the information is held in a cookie, or on the server linked to a cookie. I think the end result is the same though.

The cookie should be linked to the bank domain name, so the phishing site cannot get access to it. The phisher can thus not fill out the form with what the user expects.