Phishers Using Keystroke Loggers
Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted."
Re:Challenge (Score:4, Informative)
Also most of these graphical challenges are still a limited number of preset images that are simply cycled around, so it's easy to detect which is which by file hashes and things like that. Not many sites generate their own live graphical challenge images.
Informative Link (Score:4, Informative)
In the interest of stimulating more informed discussion, the results of the Anti-Phishing Working Group survey can be found here [earthlink.net].
Pharmers (Score:3, Informative)
Re:Scramble your keys (Score:5, Informative)
Re:From a quick scan of TFA (Score:4, Informative)
Not for quite some time now. The Outlook 2003 default Inbox view is no preview pane, and the default condition for images is off, unless you right click to display.
Re:Talented (Score:4, Informative)
Re:From a quick scan of TFA (Score:3, Informative)
Re:Can't exactly do that on a public terminal.. (Score:3, Informative)
Re:Challenge (Score:5, Informative)
I work for a large European bank (I work in the US, however) in IT security - specifically with authentication systems. On the surface that seems like a decent idea - but it's flawed. Let's say you present 8 images of birthdates (1 real - the rest bogus info) randomly placed each time. Someone trying to break in (who has the username/password) now has only a 1 in 8 chance of brute-forcing the second challenge. Also, if you randomly change the false images, you can do a frequency analysis because the right answer always has to be presented. If you present more images to muddy the waters, you make it more difficult and annoying for the customer (hell 8 images might do that).
If the account has a lock-out policy, it may take a couple days for the attacker to get in this way (because he keeps locking it and you keep unlocking it), but so what? I'd be willing to spend a couple minutes a day over a week to get potential access to a couple thousand dollars. Plus if you get suspicious about the fact your account keeps locking and change the password, it doesn't matter - he has a keylogger remember?
Really, the only real way (other than having a pristine and secure home system) to avoid this is to have the banking/financial sites use two-factor authentication. Either an OTP token, a challenge-response token or a USB smart card with a bank-issued X.509v3 certificate on it. Europe uses these methods (at least our European customers do). The only reason the USA banks don't is because of the "convenience" factor the customers expect. They'd leave the bank in droves if you "complicated" personal banking (we already use two-factor for wholesale/corporate banking).
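The two weaknesses the comment describes (a 1-in-N blind guess once the password is known, and decoys that rotate while the real value must always be on screen) can be checked with a small model. This is an added example, not code from the thread or from the poster's bank; the birthdate, the decoy pool, the seeds and the image count are constructed for the demo.

```python
"""Model of a 'pick your real birthdate from N images' second factor.

Added example (not from the Slashdot thread). One real value is always
shown, the other N-1 slots are filled with fresh random decoys each time.
All values below are constructed for the demo, not real account data.
"""
import random
from fractions import Fraction

REAL_BIRTHDATE = "1974-03-12"          # constructed
# Constructed pool of plausible-looking decoy dates (40 entries).
DECOY_POOL = [
    f"19{y:02d}-{m:02d}-{d:02d}"
    for y in range(50, 90, 4) for m in (1, 6) for d in (5, 20)
]


def present_challenge(rng, n_images=8):
    """Server side: the real value plus n_images-1 fresh random decoys, shuffled."""
    shown = rng.sample(DECOY_POOL, n_images - 1) + [REAL_BIRTHDATE]
    rng.shuffle(shown)
    return shown


def single_guess_success(n_images=8):
    """Chance that one blind pick passes once the password is already known."""
    return Fraction(1, n_images)


def candidates_after_sessions(rng, n_sessions, n_images=8):
    """Observer's view across several logins: the values that were on screen
    every single time. The real value can never be absent, so it survives
    each intersection; a decoy is dropped the first time it is not re-drawn."""
    remaining = None
    for _ in range(n_sessions):
        shown = set(present_challenge(rng, n_images))
        remaining = shown if remaining is None else remaining & shown
    return remaining


def sessions_needed(rng, n_images=8, max_sessions=50):
    """Number of observed logins until only one candidate is left (None if
    the limit is reached first)."""
    remaining = None
    for k in range(1, max_sessions + 1):
        shown = set(present_challenge(rng, n_images))
        remaining = shown if remaining is None else remaining & shown
        if len(remaining) == 1:
            return k
    return None


if __name__ == "__main__":
    rng = random.Random(2005)
    print("blind guess success:", single_guess_success(8))
    print("sessions until unique:", sessions_needed(rng))
```

With 7 decoys drawn from a pool of 40, a given decoy survives a second session with probability 7/40, so the candidate set usually collapses to the real value within three or four observed logins; a larger pool or more images only stretches that out, which is the trade-off against customer annoyance the comment points to. Tracking repeated account lockouts on the server side is the corresponding signal a bank can alert on.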
Re:From a quick scan of TFA (Score:3, Informative)
Still far more than free, but not $500.
Re:Puh-leeze! (Score:2, Informative)
There are a number of well-known trojans/malicious code that have integrated code to circumvent host-based antivirus programs and firewalls. Some of them disable the firewalls. Some of them replace well-known services like csrss.exe that the firewall likely has a rule preconfigured for to allow it to allow connections on.
Others may initiate connections via other programs like Internet Explorer, which you have likely configured your firewall to allow outbound connections on anyway.
But honestly, if you are running one of the handful of common firewalls, and you run some arbitrary program as administrator, if it wants to be really stealthy and polite about it, it can just add a rule to your firewall software to always allow all outbound connections from it.
Don't get me wrong, it's not that I don't think that host-based firewalls are not important. It's just that I don't think that they can not be circumvented.
Re:Scramble your keys (Score:2, Informative)
Of course, if I don't remember my stats at all, feel free to correct me. It's been a few years, and I hated that stuff anyway.
Re:Challenge (Score:3, Informative)
But there were two parts (Score:3, Informative)
You have a transaction card, the computer asks for transaction number X, you look up X to get Y and enter Y using the keypad.
So even if the phisher captures the screen it will be different on the next transaction.
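The transaction-card scheme in the comment above is a one-time code list: the server picks an unused index, the customer types the matching code, and that index is never asked for again, so a screen-and-keystroke capture of one session does not carry over to the next. The sketch below is an added example, not the poster's bank's implementation; the card size, code length and the `TanServer` / `card_lookup` names are assumptions for the demo.

```python
"""One-time transaction-code (TAN list) check, as described in the comment.

Added example, not from the Slashdot thread. The server challenges with an
index X, the customer answers with code Y printed at that index, and the
index is burned after one use. Card contents are constructed for the demo.
"""
import hmac
import random


def make_card(n_entries=50, digits=6, rng=None):
    """Generate the printed card: n_entries codes of `digits` digits.
    Use a seeded random.Random only for demos; real cards need SystemRandom."""
    rng = rng or random.SystemRandom()
    return [f"{rng.randrange(10 ** digits):0{digits}d}" for _ in range(n_entries)]


def card_lookup(card, index):
    """Customer side: read code number `index` (1-based, as printed) off the card."""
    return card[index - 1]


class TanServer:
    """Server side: hands out unused indices and verifies single-use answers."""

    def __init__(self, card, rng=None):
        self._card = list(card)
        self._rng = rng or random.SystemRandom()
        self._used = set()       # indices already consumed (0-based)
        self._pending = None     # index currently being challenged

    def challenge(self):
        """Pick a fresh, never-used index and return it as printed (1-based)."""
        unused = [i for i in range(len(self._card)) if i not in self._used]
        if not unused:
            raise RuntimeError("card exhausted; issue a new card")
        self._pending = self._rng.choice(unused)
        return self._pending + 1

    def verify(self, index, answer):
        """Accept only the code for the index we just asked about, then burn
        that index whether or not the answer was right, so a captured answer
        cannot be replayed later."""
        if self._pending is None or index != self._pending + 1:
            return False
        ok = hmac.compare_digest(self._card[self._pending], str(answer))
        self._used.add(self._pending)
        self._pending = None
        return ok

    def remaining(self):
        return len(self._card) - len(self._used)


if __name__ == "__main__":
    card = make_card(10, rng=random.Random(1))
    server = TanServer(card, rng=random.Random(2))
    idx = server.challenge()
    captured = (idx, card_lookup(card, idx))   # what a keylogger would see
    print("first login:", server.verify(*captured))
    idx2 = server.challenge()
    print("replay of captured pair:", server.verify(*captured))
    print("fresh answer:", server.verify(idx2, card_lookup(card, idx2)))
```

The point of burning the index inside `verify` rather than only on success is that the code is spent the moment it has been typed where a keylogger could read it. The remaining exposure is a man-in-the-middle altering the transaction the code authorises, which is why later schemes bind the code to the transaction details as well.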