Phishers Using Keystroke Loggers
Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted."
That's what I've heard (Score:5, Insightful)
I find myself, when on public machines, typing extra characters in my passwords and then using the mouse to highlight them and type over them. This makes my passwords (which are already random letters/numbers) seem longer than they really are, padded with gibberish, if they are logged as keystrokes. Unfortunately, some software keyloggers can detect exactly what the input into forms is -- this does not help with that. It is also quite a hassle, but what can I say? I'm a bit paranoid (but, I believe, rightly so).
Keylogging is the easiest way to get people's information. The only solution I see is to ensure all public machines are much more secure from the user's end, and to actually have the machine itself inaccessible (i.e. locked in a drawer, etc.). I guess the only 'perfect' solution (if there is one) would be to use a keyboard that is projected from an inaccessible area, so that it cannot be tampered with whatsoever.
Nothing's perfect, but we can do better than we're doing in public locations!
Re:Talented (Score:3, Insightful)
Not necessarily. It could just be that phishing might just pay more than doing an honest job.
Re:Talented (Score:4, Insightful)
Plus, if they have enough skill to phish efficiently and successfully, then they can probably get a job somewhere.
Summary misleading. (Score:3, Insightful)
dictionary.com entry
Main Entry: phishing
Definition: the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords [...]
You can install a keylogger to steal someone's passwords, credit card numbers, etc., but calling it a trojan horse or a browser/email client exploit would be much more appropriate.
Here's an Idea... (Score:2, Insightful)
I was disappointed reading the article. I was hoping they would go into more technical details like how these programs work, and how to detect some of them. As some pointed out already, the article merely states the obvious: people use whatever techniques they can to steal your information.
Easy Fix (Score:2, Insightful)
1. Don't use public access terminals for your important transactions.
2. Don't let your home computer become infected with tons of malware.
3. Go back to snailmail and telephones for those transactions... ok, not a great solution, but a logger can't get your bank password if you're sending checks to pay your bills, reading paper statements and calling the bank for your balance.
Phishers or miners? (Score:5, Insightful)
Ultimately how identity information is revealed aside, is this a phishing attempt or a mining attempt?
Phishing has traditionally been initiated by a cleverly socially engineered email or some form of communication, redirecting the unsuspecting user to a counterfeit site designed to harvest that information. Like putting a worm on a hook and dropping it in the water, you hope for someone to nibble at it.
Mining on the other hand is like picking away at the ground, in this case undetected, hoping to find that cache of gold. There's no guarantee that you'll even find anything, and once keylogging software is installed on the victim's PC, there is no user interaction with it. There is no social engineering to be done.
So therefore, wouldn't keylogging really be more mining than phishing? Or should I stop wasting my time on
Re:Challenge (Score:4, Insightful)
Replay attacks, AFAIK, require exact positioning. Trust me, I've done test automation using replay software, and window position is a right bitch to deal with... esp. when form elements move inside a page of a browser, you might as well forget it.
Plus, randomization of relative positioning (i.e., is it the left or right one) on each page can further increase this problem for phishers.
This concept of a crypto-turing test is a great idea.
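The comment above argues that randomizing where things sit on each page defeats a logger that only records positions. The following is an added example (not code from the Slashdot thread or from any bank's login page) of one concrete form of that idea: a per-attempt shuffled on-screen keypad, issued once and forgotten after a single submission. A logger that captures only the clicked cells has nothing to replay against the next layout. The LoginChallenge class, the sample PIN and the layouts are constructed for this example; it also generalizes the point by computing how often a blind replay of recorded clicks would succeed against a fresh random layout.

```python
# Added example, not code from the Slashdot thread or from any bank's login
# page. It shows a per-login randomized on-screen keypad: a logger that records
# only where the user clicked cannot replay the clicks against a fresh layout.
import math
import random
from typing import Dict, List, Optional, Tuple

DIGITS = "0123456789"


def new_layout(rng: Optional[random.Random] = None) -> List[str]:
    """Digit shown in each of the 10 keypad cells, freshly shuffled.
    Uses an OS-seeded RNG unless a Random instance is injected (for tests)."""
    rng = rng or random.SystemRandom()
    cells = list(DIGITS)
    rng.shuffle(cells)
    return cells


def click_positions(pin: str, layout: List[str]) -> List[int]:
    """What the user does: click the cell showing each PIN digit. This is also
    all a positional (screen-coordinate) logger would capture."""
    return [layout.index(d) for d in pin]


def decode(positions: List[int], layout: List[str]) -> Optional[str]:
    """Server side: map clicked cells back to digits under the layout it
    issued. Returns None for a malformed click list."""
    if any(p < 0 or p >= len(layout) for p in positions):
        return None
    return "".join(layout[p] for p in positions)


def replay_success_probability(pin: str) -> float:
    """Chance that recorded clicks, replayed against an independent random
    layout, decode to the same PIN. Only the distinct digits constrain the
    layout, so repeated digits make the replay easier (1/10 for "1111")."""
    k = len(set(pin))
    return 1.0 / math.perm(10, k)


class LoginChallenge:
    """Issues one layout per attempt and forgets it after a single submission,
    so captured positions are useless against any later attempt."""

    def __init__(self, pin: str, rng: Optional[random.Random] = None) -> None:
        self._pin = pin          # kept in clear only to keep the example short
        self._rng = rng
        self._pending: Dict[str, List[str]] = {}
        self._counter = 0

    def issue(self) -> Tuple[str, List[str]]:
        self._counter += 1
        sid = f"s{self._counter}"           # constructed session id
        layout = new_layout(self._rng)
        self._pending[sid] = layout
        return sid, layout

    def submit(self, sid: str, positions: List[int]) -> bool:
        layout = self._pending.pop(sid, None)   # one-time use: replay of sid fails
        if layout is None:
            return False
        return decode(positions, layout) == self._pin


if __name__ == "__main__":
    server = LoginChallenge("4921")          # constructed sample PIN
    sid, layout = server.issue()
    clicks = click_positions("4921", layout)  # victim logs in; logger records clicks
    print("legit login:", server.submit(sid, clicks))
    print("same session replayed:", server.submit(sid, clicks))
    sid2, layout2 = server.issue()            # attacker tries the clicks on a new attempt
    print("guess decoded as:", decode(clicks, layout2),
          "-> success:", server.submit(sid2, clicks),
          "(expected rate %.5f)" % replay_success_probability("4921"))
```

Note what this does and does not cover: it blinds a logger that sees only coordinates or cell indices. A logger that also grabs the rendered page (or the layout the server sent) can pair each click with its digit, so the randomized keypad is a raise in cost for the attacker, not a substitute for keeping the endpoint clean.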
Re:Challenge (Score:3, Insightful)
Though 90% of the users just click 'accept' w/o even looking at it enough to even see the 'remember this decision for this program' option, so they obviously aren't looking at the program name.
Re:Challenge (Score:3, Insightful)
Why not give the customers the option of using a high security interface over the normal one? That way the people who don't care about taking it up the ass can, and the people who do are covered too.
Personally, I use a password keeper. I never type my passwords...ever. They are generated in my password keeper (I use TK8 Safe) and then PASTE them wherever I need them. Keylog that bitches!
Re:Challenge (Score:3, Insightful)
Consider the current scams running through spam e-mail. The response rates from the users are minuscule, but the volumes are so large and their expenses are so low that they still stay profitable.
And you cannot make a graphical interaction with the user complex enough to make a random guess succeed in less than, say, 1/1000 of cases. Otherwise, it'll be so complex that legit users will get annoyed and go away.