Defeating Virtual Keyboards and Phishing Banks

An anonymous reader writes "Noam Rathaus writes on the SecuriTeam Blogs how most Image Click-Me virtual keyboards schemes used by banks to fight phishing trojan horses can be easily broken, even (and especially) when encryption is used. He then discusses how screenshots of the pointer location are over-kill, and describes how to kick these security measures out of the way." From the article: "Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique which the screenshots for pointer location on-click described above was used) some banks send the PIN number in cleartext, while others encrypt them, one such example is cajamurcia. Even when the encryption is used, banks tend to implement it badly making it easy to recover the PIN number from the encrypted form. I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange, they take the timestamp of their server (cajamurcia) and send it to you - this already posses a security problem - and this timestamp is then used to encrypt the PIN number you entered"

dumb

[Lehk228 (705449)]

the whole idea is dum, you are trying to make a compromised host somehow "Safe" by obscuring what is going on. if they wanted to be really safe they would use a trusted device and allow the computer to simply be one more untrust part of the cloud between that device and the bank. a USB "smart card" could do the trick just fine. for added security have a pin pad on the smart card itself.

Re:dumb

[arivanov (12034)]

Ahem. Exactly.

Client side x509 certificates (if possible on smartcards or tokens) will solve 99% of phising problems once and for all. For most "secure" sites, the clients authenticate the server (which can often be circumvented by using DNS tricks). At the same time there is no SSL level client authentication. As a result stolen credentials can be reused on another system. A smartcard holding the x509 cert prevents this outright.

Unfortunately instead of using what is right there in front of them in the actual protocol spec the banks go into all kinds of technological roccocco. Not surprising actually. I tried to explain the concept of client side certificate to one of my collegues who had in the past implemented the internet banking system (and its security) for one well known UK bank and is now to implement another one. No matter how hard I tried, he could not grasp the concept.

Re:dumb

[swillden (191260)]

I've been in the business of designing, implementing and selling smart card-based security solutions for nearly a decade now, and I've talked to lots of banks about these issues. Most of them understand perfectly well that smart cards with client-side digital certificates are an excellent (though not perfect, see below) solution from a security standpoint. The reasons they aren't gung ho about deploying such a solution are (1) cost and (2) consumer acceptance.

Smart cards themselves aren't expensive, and neither are smart card readers. The cost of retooling the card issuance process to support smart cards, however, is non-trivial, and the cost of deploying card readers to consumers and supporting them through the installation and usage process is very large. The biggest problem, though, is cardholder training. How do you teach millions of people how to use the thing, even if it's already set up on their machine? Simple problems like how to insert the card into the reader are surprisingly hard to address on a large scale.

The UK, and a few other countries, are much more prepared for this than the US thanks to the Chip & PIN initiative that their banks have spent tens of millions on. At least UK citizens know to put the card in chip-end first, with the chip up.

In any case, though, it's the cost and difficulty of getting consumers to deploy additional hardware on their computers that holds banks back from doing it, not lack of understanding. All of their weird security solutions are attempts to perform semi-secure transactions on the PC hardware that the cardholders already have, with no new software or hardware to install or maintain. Note that the costs and difficulties I'm talking about aren't theoretical. Various banks in different parts of the world have run pilots using these technologies, and they've invariably fallen flat. IMO that's because the pilots were poorly run, but having seen the failures, banks are very leery of trying anything else.

The new buzzword that's sweeping the financial industry these days is Near-Field Communications (NFC). NFC is basically a contactless smart card chip embedded in your cellphone. The chip can securely store and use keys, and the interface with the phone provides it with a display, keypad and Internet connection so the chip can phone home to the issuing bank as needed (for velocity checking, balance checking, etc.). Assuming the phone can be protected from viruses, trojans, etc., and can be considered a relatively secure device, this has all sorts of advantages. It can be used in a retail environment with a contactless smart card reader, using the phone's display and keypad to give the user a chance to verify the transaction details (the amount, mainly) on a device the user trusts. For on-line usage, you can connect the phone to the PC via USB, or via a contactless smart card reader for secure and easy transaction, but it's more likely that you'd use the phone's data link for the financial transaction. Imagine going to amazon, picking out your goods, hitting the "buy now" button and then waiting a few seconds for a message to arrive to your phone, requesting payment authorization. You'd review the transaction details on your phone screen, authorize payment with the keypad, and the smart card chip would then create a cryptographically-secure payment authorization message and deliver it to either the bank or the merchant (depending on how the system was structured).

What's actually going to happen? After failing repeatedly over the years in my prognostications, I won't even guess. I will say, though, that banks are big fans of "good enough", and that their definition of "good enough" doesn't require that fraud be impossible, only that it be sufficiently limited that it's affordable.

Re:dumb

[theCoder (23772)]

If you use a smartcard, the crypto happens on the card itself. The private key never leaves the card. Simply speaking, a request is made to the card to sign something, and it gives back the signature. This means that no one listening on the computer can duplicate the authentication (assuming there is nothing else wrong with the protocol, such as replay attacks, any sort of man in the middle, etc).

In essence, the smartcard idea is assuming that your machine could be compromised, and is moving the authentication to another machine (the smartcard) which is much harder to compromise.

Re:

[arivanov (12034)]

Yes it does, provided that the system is correctly designed and implemented. In fact it is nearly bulletproof against a MIM.

The MIM will need to have both a valid server certificate to authenticate to the client a valid client certificate to authenticate to the server. If the server correlates certificates with another credentials like a username and password (2+ factor authentication) it can immediately detect that a stolen identity is being used with the wrong smartcard.

Re:

[ArsenneLupin (766289)]

for added security have a pin pad on the smart card itself.

Actually, that's not added security, but essential security. If the PIN was entered on the computer, and then sent to the smartcard for encryption, then a Trojan could still get it on that first leg of communication, before it was encrypted.

For real security, not only would the PIN need to be entered on the card itself, but essential transaction data (amount, target account) would need to be displayed by the card as well (using a pocket-calculator like LCD display, for instance). Indeed, without such displa

Re:

[jrumney (197329)]

Actually, that's not added security, but essential security. If the PIN was entered on the computer, and then sent to the smartcard for encryption, then a Trojan could still get it on that first leg of communication, before it was encrypted.

The way these things usually work, the PIN entered at the keyboard is not the PIN for the bank, but the PIN to decrypt the certificate on the smartcard. So knowing the PIN is only useful to the identity theives if it can get physical access to your smartcard.

Re:

[ArsenneLupin (766289)]

The way these things usually work, the PIN entered at the keyboard is not the PIN for the bank, but the PIN to decrypt the certificate on the smartcard. So knowing the PIN is only useful to the identity theives if it can get physical access to your smartcard.

Correct. However, once the Trojan Program has the Pin, it will be able to reuse that to submit fake transactions if the user is careless enough to leave the card in the reader...

Re:

[Kjella (173770)]

If you have a secure device, you need secure confirmation. Personally I would prefer being able to use my cell phone. It has a trusted screen and a trusted keypad. Phone trojans are extremely rare, so let me punch in a transaction on the online bank, use IR or Bluetooth or WiFi or USB cable or even a damn SMS and let me click Yes or No (or even another PIN) on the cell phone. That should stop any phishing attempt, though I doubt my machine would get infected in the first place.

Re:

[mochan_s (536939)]

Phone trojans are extremely rare

Doesn't mean they always will be.

Re:

[swillden (191260)]

But basically you are correct, if the cell is encoding everything correctly the connection could be trusted, the only problem is that cell networks are known for hiding behind obscurity for security, witch is not very safe after all.

Doesn't matter. You wouldn't rely on the cell networks for any of the security, you'd just use the network as a transport. The Internet is also completely insecure, but we easily create secure communications channels over it. The security of the network is irrelevant. It's the security of the endpoints that matter.

Re:

[iamdrscience (541136)]

The banks don't do this because those Secure Cards cost $$$$$$ and that will hurt the banks bottom line.

Some banks do it. ETrade, for example, will give you an RSA SecurID keyfob [rsasecurity.com] for free if you have over a certain amount of money in your account with them (like $50k I think, maybe it was 25). If you don't have enough money to get one for free, you can still get one from them for, I think, $25.

Re:

[aussie_a (778472)]

Why not simply allow customers to choose whether or not they go with a bank that uses them? Given that there does exist such banks, its simply up to the user how much securing their bank account is to them. They can choose a cheaper, but less secure bank or a more expensive, but more secure bank. Why make the government force people to do it? Wouldn't that be like forcing people to have a password on their computer?

What if you obscure the pattern?

[crossmr (957846)]

Its a bit overkill, but I'm wondering if it could be broken short of a screen cap?
What if the user was presented with a randomized "number pad" image and the user was asked to input their pin on their number pad but using the layout presented on the screen. The packet might contain: 6689 as the pin, but in reality it would be translated on the server side to 3327 using the image they were served at the time of page creation. Its unsophisticated, but I'm sure someone here could turn it into a beautiful inte

Re:

[iamdrscience (541136)]

I use ING direct and they do something sort of like that, they have a picture of a numeric pin-pad that comes up and each key has a (random) letter on it. You enter your pin by typing the letter associated with each number. Unfortunately, you can also enter your pin by clicking the numbers (well, unfortunate for security, but fortunate for user convenience).

Re:

[crossmr (957846)]

Its better. Do you know if they actually decode it server side? Because that would be one of the keys. If they could create it so that the snooper had absolutely no access to the correct key or the method by which to decrypt it, thats about as secure as you can make it. Using a random pattern like that would ensure they couldn't create an algorithm or anything like that to figure it out. Clicking would have to be disabled as much of a pain as that is.

Re:

[fatcop (976413)]

I use ING Direct and noticed that recently. Its pretty much exactly as the first parent described. Though I don't see anything about keyboard typing being allowed. Its pure mouse clicks only for me.

This is what I gather from using it and glancing at the page info and scripts:

The keypad numbers (are images) and are randomised (threw me first time, but no probs since) every login session.

Every time you login each number corresponds to a different image URL on the server. The URL's format is like http:// [mybank.ohyeah]

Re:

[iamdrscience (541136)]

I don't see anything about keyboard typing being allowed. Its pure mouse clicks only for me.

You can type it in if you want, the instructions next to the pinpad specify it:

"Use your mouse to click the numbers on the keypad that correspond to your Login PIN.
OR
Use your keyboard to type the letters from the keypad that correspond to your Login PIN."

Re:

[iamdrscience (541136)]

It looks the same in both Opera and Firefox to me, so that's not the issue. It must be that the US and Australian sites are different although that seems a bit weird.

Anyway, here's a picture of what the virtual pinpad looks like on the US site: http://itsbeenconfirmed.com/uploaded/ingkeypad.jpg [itsbeenconfirmed.com]

Re:What if you obscure the pattern?

[uhlume (597871)]

Grid Data Security's GridOne uses a very similar approach: they present an on-screen alphanumeric entry grid, with each character surrounded by four randomly-generated numbers, one in each corner of the cell. Users enter their password by typing the corresponding number for each character of the password, from a pre-selected corner of the cell (upper left, lower right, etc). Since the numbers are randomly generated with each display of the entry grid, and any numeral may appear in multiple places on a given random grid, this effectively defeats both keyloggers and screengrabbers: even if you can see both the entry grid and the entered keystrokes, deriving the user's password from that information is non-trivial.

http://griddatasecurity.com/Approach.htm [griddatasecurity.com]

(Of course, this isn't much use against the hypothetical of a carefully-engineered realtime man-in-the-middle attack, but I suspect very little would be.)

very clever

[grahamsz (150076)]

That's a remarkably elegant system which (depending on how you establish the password) pretty much defeats any kind of screen scraping technology.

It seems even better than the banks that mail out one-time password cards.

If we could convince a bank to actually send out cds with their certificates and a certificate for each user then it'd be almost infallable.

Until of course the phisher sets up a page that says "For verification purposes we'll now ask you to type your password once a month..."

sigh

Re:

[nacturation (646836)]

That's a remarkably elegant system which (depending on how you establish the password) pretty much defeats any kind of screen scraping technology.

Unfortunately it doesn't defeat brute force attempts but rather helps them. In their example, the password is "Grid1" which if we assume the available characters are 0-9, A-Z, and a-z results in a possible 62^5 possible permutations. Replacing the characters with numbers results in the password having only the characters 0-9 which results in a possible 10^5 permutations -- almost 10,000 times weaker. I suppose that's yet another demonstration that security boils down to a series of trade-offs.

Re:

[nacturation (646836)]

Since the numbers are randomly generated with each display of the entry grid, and any numeral may appear in multiple places on a given random grid, this effectively defeats both keyloggers and screengrabbers: even if you can see both the entry grid and the entered keystrokes, deriving the user's password from that information is non-trivial.

Unless you observe multiple logins, in which case matching up which numbers correspond to which letters becomes nothing more than a game of MasterMind. [wikipedia.org]

Re:

[uhlume (597871)]

Really? Care to explain how that works when the corresponding numbers change with each login?

Secure banking? Yeah right.

[thedarknite (1031380)]

For institutions that are responsible for vast quantities of peoples money, some of the security policies they implement are really quite strange. For example, the bank I use, even before they brought in the annoying virtual keyboard, had a six character alpha-numeric limit on there passwords. Very bizarre considering that you enter in your customer id which is a ten character string.

Although, on the plus side it has made me extra paranoid about all online transactions. So now any site where I am involved in a finacial transaction has different passwords and anything that gets cached is cleared out of my system as soon as I am done.

Meanwhile, back in the old west...

[werewolf1031 (869837)]

this already posses [tfd.com] a security problem

Round 'em up, boys! We gonna lynch us some bank robbers!

Yeah, and?

[iamdrscience (541136)]

So the article is saying that people with trojans on their computers are fucked? Is anyone surprised by this? The point of virtual keyboards is not to defend against trojans, it's to defend against keyloggers. They may defend against trojans that try to steal your account information with a keylogger, but I think it's safe to say that no matter what security technology your bank is using, if you've got a trojan on your computer you're going to be fucked.

Re:

[uhlume (597871)]

Most software keyloggers are trojans. What's your point?

Re:

[Beryllium Sphere(tm) (193358)]

>if you've got a trojan on your computer you're going to be fucked.

A man could live for years without being handed a straight line like that one.

Re:

[shigelojoe (590080)]

if you've got a trojan on your computer you're going to be fucked

I'll take "Things a computer has in common with a penis" for $1000, Alex.

Re:

[iamdrscience (541136)]

Hardware keyloggers.

a four digit pin??

[ampathee (682788)]

It seems to me that having a 4-digit numeric password on a bank *website* is a pretty fatal flaw in the first place! Given a relatively large botnet and enough legit account numbers (much easier to come by than passwords), let's say 3 tries per account number, how long till you find someone with '1234', '4321', or '1337' ?

Luckily, both my bank websites are protected by 8+ chr alphanumeric passwords. I would *not* stay with a bank that wanted me to use my card's PIN to log on with.

Re:

[iamdrscience (541136)]

My guess is that before you hit on an account that had a password of 1234, 4321 or 1337 somebody in the bank's IT department would realize that something's up because a a ridiculous amount of accounts are hitting their password tries limit.

Re:

[grahamsz (150076)]

But assuming a perfectly random distribution, 1 in 10,000 accounts will have the password 1337. If you have 10,000 account numbers and 10,000 different computers to try them from then you can find one pretty damn easily.

No Surprise

[daeg (828071)]

This is no surprise at all. Keyloggers will be a thing of the past soon enough for the major hackers.

More scary is the fact that adding a simple network device will allow a virus to log all Internet traffic. Look at HTTPLook (a small app used to sniff HTTP traffic). It comes with a small HTTPS module that intercepts HTTP traffic transmitted via HTTPS.

Using such a device will also help cut down on the amount of data hackers can get -- HTTP traffic is useless to them. Why do they care you went to Google and searched for "hot gay wrestlers"? They don't. HTTPS, on the other hand, will set off alarm bells -- if a server is worried enough about security that it pays for certificates, the data must be worth something, right?

The solution is that logging into secure systems needs to require a physical presence. An older system I maintained a few years ago for the Mortgage industry used a username, password, and a key from a small business card in their wallet. Each month users received a new card, and each card had about 50 numbers on it. The system knew which numbers each user had and only allowed each number to be used once. Logging in with a wrong number would flag your account, repeated attempts would lock it. Yes, it increased support load when someone lost their card (the cards were unmarked so if someone found it, the numbers are useless), but it was fairly secure and generally a lower cost alternative to biometrics (and much more portable).

This combines the "something you know" authentication scheme (username, password) and the "something you have" scheme (password card). The third type is "something you are" -- biometrics.

(Failure point: person gets kidnapped. If a user gets kidnapped, security is the least of the worries until they are recovered. Failure point: if the database with the numbers is compromised, the system is no longer secure. If the database is compromised, they no longer need to log in, and no secret numbers will stop them.)

Cut them off at the pass

[SEWilco (27983)]

posses a security problem

It depends upon your posse whether one or several of them are a problem.

Is it just me? Am I missing something?

[zappepcs (820751)]

If your pc is infected with a trojan, or other malicious software, its feasible to capture the screen with each keystroke while connecting to a bank website and forward that data to a server somewhere at a later time... key logging doesn't have to be only key logging, it could be logging keystrokes and relevant screen data at the same time.

The ONLY way to outsmart software that wants your data is to not load that software on your machine. I find that I feel much safer booting a life CD (DSL or Puppy or pick your flavor) and running to the banking website with a freshly installed OS... no chances for virii or malware etc.

That is certainly easier than actually going to the bank... and I know that its safe.

It at least makes me feel a bit safer.

Re:

[zappepcs (820751)]

Yeah, I know it is supposed to be LIVE CD. Spell checking doesn't always help...

Re:

[iamacat (583406)]

How do you know you are not booting your life CD into a virtualizer run by your hacked EFI firmware?

Liquid Crystal Display Display

[springbox (853816)]

This was an interesting article, but it got painful to read after a while. I would hope that SecuriTeam knows that PIN stands for Personal Identification Number.

Now if you'll excuse me, I have to enter my Personal Identification Number Number into the Automatic Teller Machine Machine.

My Phone is a Weapon

[Doc Ruby (173196)]

I'd rather use an ATM by touching my mobile "phone" to it to pair it with my Bluetooth (and exchange keys), then use the phone to control my session. I'd prefer my phone client to generate onetime passwords consumed by the ATM to giving anyone my PIN.

With that protocol, I'd feel safe even using those random ATMs at delis and various "impulse purchases", where today they get my PIN and can launch a replay attack any time they want.

Never develop your own crypto protocols

[Beryllium Sphere(tm) (193358)]

Unless you're an expert crypto protocol developer and you're not going to deploy it to the field until it's had several years of peer review.

That business with the timestamp? Offhand I'd say the bank was trying to do the right thing by preventing replay attacks. But using a timestamp? I'm having trouble keeping up with just the obvious attacks against that, let alone the attacks that a seasoned crypto developer would find.

If you ever need to do what the bank tried to do, find something already written and battle tested, make sure its assumptions and security properties line up with what you need(*), and use that instead of repeating the last fifty years of protocol design mistakes.

(*) Then you'll find that they assume trusted endpoints, which is something worth reflecting on.

Keyring Dongle

[bonhomme_de_neige (711691)]

HSBC in Australia and SE Asia (and, it seems, with a bit of Googling, elsewhere in the world) issue with online banking accounts a device that sits on your keyring that generates a 6 digit number when the button on it is pressed, and displays that on a small screen. The number is different every time.

When you log in or do any transaction, you are required to enter this number (along with any other credentials which are appropriate). The bank records the serial number of the dongle they gave you, and I would assume that there is some secret mathematical algorithm that allows them, knowing the serial number and the time, to calculate what number your device will display.

If you make 3 mistakes in a row with the 6 digit code, your internet banking account is automatically locked down, and you have to contact them to unlock it.

Now, that's a very simple trick and I can't see how a hacker / phisher would get around it. Sure they can sniff the code when I log in, but 30 seconds later it will be useless. Short of mugging me for the device on my keys (after having phished my regular login/password), they can't get in to my account. Even if I leave a session logged in and walk away, and someone else sits down at the terminal, they can look at my balance and transaction history, but can't make any transactions.

Having used the device for a year I have to say it is remarkably convenient, and it seems immune to most of the attacks described here, and doesn't have the convenience drawbacks of one-time PIN cards. Why is HSBC still the only bank doing this?

More info on the device: http://om.hsbc.com.au/osd/ [hsbc.com.au]

Have a split PIN system

[caluml (551744)]

Have a split PIN system - half in your head, and a random second half texted to your phone, which is valid for 5 minutes after it is texted. Voila. And the bonus? Everyone owns one of these "what you have" devices (in the UK at least).

phishing happens because the banks don't care

[thogard (43403)]

If the banks did care they would form an international alliance to track down the cash flow and put quick end to it.

Except they already have two internal alliance groups in place called MasterCard and Visa. If both of them changed their merchant agreements so that any connection to phishing or domain fraud would result in losing the merchant account, you would bet ever domain registration company and hosting company in the would be checking things a whole lot closer. Even network solutions wouldn't last m

Solutions to stop phishing & trojans etc

[jonwil (467024)]

This solution would be OS and browser independant and would not be subject to any issues such as SMS's not getting through to a cellphone.

Basicly, each customer is given a device that looks a bit like a small calculator, make it "solar" powered (in reality those panels will work just fine powered by any sufficiantly bright light source) so it never looses juce.
It would have a 0-9 keypad and other buttons. Each device would contain a unique number that is also securely stored on the banks computers.

When you want to log in, the bank generates a random number and displays it along with a form field for username/user ID/whatever, a form field for password and one for a hash. The user types in the random number into their calculator thing which is then hashed with the number stored inside it and the result displayed. The hash algorithim has to be chosen such that there is no one number that when hashed with any unknown stored number can produce either the stored number or something that you can get back the stored number from. (this prevents the hacker from feeding a chosen "random" number to the user and getting the stored number that way).

Once you do that, the displayed hash along with username and password are typed into the form. The hash is compared with the same calculation done by the banks computer and if the username, password and hash match up, you are logged in.
When you want to do a transfer to someone not on your "approved payees" list or add someone to the "approved payees" list, you have to enter the account number and/or dollar amount and/or another random number into the calculator thing which spits out another hash that has to be typed in. This prevents the phisher /trojan/whatever from changing the details of the transaction ($ amount or destination account).

Unlike some other proposals (USB smart cards, mobile phones), it is 100% OS and browser independant and requires no drivers.

Banks and third-party Javascript

[timlewis_atlanta (195776)]

And this story breaks the evening after I notice that a large bank that I shall not name, but instead refer to "Bank of America", changes their SiteKey/Login page so that it now loads Javascript from a domain other than bankofamerica.com : "liveperson.net".

I only noticed this because my "NoScript" Firefox extension started showing the "Script partially allowed" message.

Now, I'm no expert, but I do know that Javascript has a bit of a spotty history when it comes to security. Having looked into liverperson.net it appears to be legit ; but in any case, I did not allow it access.

But my question is this : why on earth do BofA think it makes sense to link off-site during the login process ? Surely this is completely nuts ?

Re:

[werewolf1031 (869837)]

I believe you're thinking of software keyloggers, in which case you're (probably) correct. However, to the best of my knowledge, a hardware-based keylogger (dongle between keyboard and port) doesn't give a rat's ass what your OS is. Then again, if someone has both physical access to your computer and motivation to spy on your online transactions, your bank's online security may be the least of your problems...

Re:

[iamdrscience (541136)]

As far as keyloggers installed by trojans, you're probably right, I've never heard of that happening with any OS besides Windows, but there certainly are keyloggers for unix and other OSes and while you probably don't have to worry about those (presuming you keep your PC secured), there are also hardware keyloggers.

Re:Virtual Keyboards are pointless

[iamdrscience (541136)]

Virtual keyboards are designed to protect against keyloggers, not phishers, and they do a pretty good job. No one technology protects all fronts of attack -- saying virtual keyboards are useless because users can still be phished is like saying that encrypting data between you and a bank is useless because it doesn't protect you from somebody looking over your shoulder.