Digital Consumption


Charles Darke | 6 February 2007
A few sites are now using 'security pictures' as a way to fight phishing. The idea is that a picture chosen by the user is shown on the login page, and if it doesn't appear, the user knows that the site is not legitimate (this assumes, of course, that the picture can't be scraped by a MITM attacker).

However, a new study has shown that 92% of the people surveyed entered their passwords even when the security picture was not shown.
We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts entered their passwords.

Although this is a small sample, I think it confirms a widely held belief among security experts: measures whose security depends on users behaving correctly are not effective.

The idea is great in principle, but it requires a knowledgeable user who understands how it works and is also able to respond to attacks against it. It might even work a lot of the time when the image is simply missing, but what if the attacker puts a message on the page saying "our security picture system is currently being upgraded, your security picture may have changed"? Most users will accept this and be fooled. Security systems need to be idiot-proof.

