Phishers Using Keystroke Loggers

Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted. "

Challenge

[fembots]

Will this work against keyloggers?

When using online banking (or anything online really), once you have entered your login correctly, the site displays a graphical challenge derived from one of your personal details, such as address, phone, birthday etc., and you use your mouse to choose the correct one and proceed.

I guess this is similar to the additional 3/4 digits at the back of a credit card.

Scramble your keys

[qewl]

If you're on a PC that you suspect may contain logging equipment or trojans or anything similar, you can alawys avoid accurate keystroke logging by typing part of a password per se, and the then clicking the other side(s) to type in the rest. That way typing is scrambled. Loggers can usually record the arrow keys, but not mouse clicks.

Old exploit, new name

[Jailbrekr]

keylogging has been around for some time, in fact I'm sure many posters here have writen their own rudimentary keyloggers at highschool just for shits and giggles. I fail to see why this is news worthy. Pretty soon they'll be talking about how these "phishers" are exploiting javascript vulnerabilities. Oh wait.....

Phishers are virus writers with a financial motive, nothing more. In fact, most virus writers these days are financially motivated (like setting up zombie networks for extortion attempts). Why differentiate? Just call them criminals.

Re:Scramble your keys

[Himring]

If you're on a PC that you suspect may contain logging equipment or trojans or anything similar, you can alawys avoid accurate keystroke logging by typing part of a password per se, and the then clicking the other side(s) to type in the rest. That way typing is scrambled. Loggers can usually record the arrow keys, but not mouse clicks.

ahh, my asplode....

Clicking the other side of what? My experience with key loggers is that they are inescapable. If you touch the key and send the signal the character is recorded. No need to hit "enter" either for it to get recorded. They are the most nefarious thing I've seen, yet, in spying on a user's computer activities....

Re:From a quick scan of TFA

[psbrogna]

Shouldn't there be some level of accountability for the company though (ala guns, cigs, alcohol, etc)? Don't get me wrong, I'm not a huge fan of bigGov and legislation creeping into everything but IMHO its unrealistic to expect average users to be reponsible for their own security.

I think shipping a product that, taken out of the box and connected to the internet as is, stops working in very short order is negligent. If I bought a toaster I think I should be reasonable able to make toast with it for at least a few weeks before it spontaneously combusted without buying any toaster protection devices or having to read tomes of information about toaster security theory.

Secure keyboards

[ndogg]

I think it's time we started seeing encrypted keyboards, particularly if they're coupled with flash drives. With USB so abundant, finding a place to plug in shouldn't be too much of a hassle. The keyboard could contain the private key, and the flash drive would contain the public key, and the decryption would take place on the application level (e.g. PuTTy).

Re:Challenge

[nkh]

Logging the movement of the mouse may be too difficult to implement. In the end it's always HTTP requests sent to the server. What I would do is write a server that the key logger could connect to, the key logger would send the URL of the site being visited and the server would answer with the proper protocol to follow. The server would have a database of all the banking web sites and if a web site is missing in the DB, the phisher would add it manually to the DB. The captcha could be cracked on the local machine or it could be cracked on a porn site (as it's already been done in the past: read this captcha and get your pics!)

Re:Scramble your keys

[Anonymous Coward]

Maybe it's time for keyboards to wrap their keystrokes in a secure layer like ssh. Seems basic enough to have a generic secure input usb device like there are generic usb input devices now. Would that work? Would the kernel need to provide password hashes to programs instead of plain text passwords? This might be a way to thwart the FBI keystroke loggers. But we would need a way to verify our kernel every time we ran. Some sort of trusted computing . . . .

firstdirect has a nice stopgap

[Second_Derivative]

They're a UK bank that works soley over the telephone and, lately, over the internet (they're partnered with HSBC for brick-and-mortar operations such as paying in cheques). Over the phone they ask you for random letters out of your password, and they've taken the same approach with online passwords, eg:

if my password is "spaghetti bolognese", it might request three letters out of that, say "pgg". It's still vulnerable to man-in-the-middle but keylogging alone is of limited use.

Which makes me wonder why they don't just do man in the middle trojans which trigger off against known online banking domains...

Re:Scramble your keys

[zulux]

Clicking the other side of what?

He means like this:

1) type in 'word'
2) move the pointer (caret) to the left 'w'.
3) Finish typing 'pass' - you now have 'password' but the keylogger recorded 'wordpass'

Technically right but could be a pairing

[SuperKendall]

Although you have a really good point abou this being mining, they could also be installing the loggers and then right away taking the user to the real bank page to have them log in - so it would still be more fishing than mining as they would know they data was going to be there right away. Then they might even abandon the logger after that.

I don't know if they do that though, it just seems like something they would do...

Rapidly becoming?

[Servo]

Back in the day when phishing on AOL was completely "normal", keystroke loggers were the #1 way to go. Everybody and their brother was using it. That was 10 years ago... why do people think this is new?

Re:Challenge

[JadeNB]

then surely it won't pose any additional problem for him to choose the correct graphical option

Not if the choices and locations of those choices are randomly changed every time you attempt to log in.

Right, but the point is, if you can choose the correct option using your personal information, so can the phisher -- because he now has the personal information. He isn't limited to imitating your choice.

Two-Factor Authentication & Smart Tokens

[Dragee]

When I visited Holland (last summer), my friend had a little pocket calculator-looking thing that she put her ATM/Debit card in, entered her pin, and got her one-time-use password for her banking site. The recipient of the keylogger data isn't likely to be able to use this before she finishes that session, so who cares? It would be a pain to hang onto that calculator thingy all the time for me, but for the security involved, I'd be happy to do it. (She said this is common banking technology over there.)

Also, I (finally!) saw a commercial here in the States the other day for a bank that was advertising some sort of smart token for use with online banking. About time, I say.

SMS authentication

[Anonymous Coward]

The National Australia Bank uses SMS for 2ndary authentication. When payment or transfer is made the bank issues a once-off SMS password for that transaction to a registered/authorised phone.

Re:Avoiding hardware key loggers:

[FirstContact]

What about using a normal password then forcing a password reset after its use? As long as you don't check your email where the new password is sent to in a public place, no one can use your old password to login again. One problem, though, is that some banks require extra info on you before they allow a password reset.

Re:That's what I've heard

[RPoet]

Have you considered using one-time passwords? SSH can be set up with this. It's a hassle to carry around a list of passwords, but it's definitely safer than typing your password at any old public system.

Re:Challenge

[Fulcrum of Evil]

if you randomly change the false images, you can do a frequency analysis because the right answer always has to be presented.

Why is that? You could have a none of the above option.

Re:That's what I've heard

[jaseuk]

Keylogging software that I've used had lines similar to [COPY] [PASTE]SOMEPASTEDVALUE[/PASTE] when copy/paste functionality was used. It also logged ALT+TABS plus the title of the current window.

This was 5 years ago. It was trivially easy to work out the good stuff and all obfuscation tricks mentioned so far in this thread would be rendered useless.

Keylogging was for a rogue accountant who we were about to fire for some dodgy practices but who was keeping all passwords too close (one reason for the fire).

Jason.

Re:Challenge

[cmstremi]

There's a bigger problem my old bank (in the US - Wells Fargo) needs to fix, in my opinion. When setting your password, they only allow letters and numerals. No 'special' characters (such as $, &, * }, `, etc.) This is a retarded limitation only because of lazy programming and it hurts my ability to choose a good password.

When I asked them about this through their web support, they said that the money in the bank is insured so I shouldn't worry about it.

What crap reasoning. It's hard to picture a bank with such a lazy system taking any extra steps to help their customers stay safe and secure.

Virtual Keyboard.

[Mr. KFM]

Would using a virtual keyboard stop a keylogger?

I'm sure it wouldn't matter if the keylogger picked up data from forms, though.

Probably will pick up the keys from a virtual keyboard, too, though.

SabadellAtlantico already do this

[NigelJohnstone]

SabadellAtlantico already has a fix similar to this.

You enter a pin number to confirm. It says 'enter number 37 from your magic numbers card'.

You enter it by clicking on a keypad. The location of the numbers on the keys change randomly each time. (I think they are images, but I've only seen it used so I'm not sure)

So even if they record it with a keylogger, they are not sure what the pin number is and anyway next time it will be a different pin number.

Re:Challenge

[Stankatz]

Wow, I wish my bank were that secure. To access the accounts of their members online, all you have to know is their bank account number (found on any check) and their password. But the password is initially set to the super-secret social security number (still found on many driver liscences.) If you were a cashier in this town, and someone paid with a check from that bank, you could just ask to see their liscence and copy down the SSN. Then, if they haven't logged in and changed their password yet (which I imagine most haven't), you can transfer all their accounts to your own. Of course, getting away with it is the hard part.

Keyboard handlers

[clockwise_music]

Here's a question for you;

To avoid keystroke loggers, is it possible for Firefox to contain its own keyboard handler? I don't know if this is possible in windows or not, I remember doing this back in ms-dos days. Just directly override the interrupt and read from the port.

So, what would be cool, is if firefox had a "secure keyboard" toggle, which when turned on, disables the OS's keyboard handler and turns on its own. Is this feasible?

Re:Challenge

[biglig2]

My online bank does exactly this; you have to enter a PIN using the mouse. Fiddly, but worthwhile I think...

Re:Use password that looks like mouse data

[daikokatana]

Something like mouse gestures where you have to make a complicted gesture using the mouse to get in. Sure they could still capture the data, but how would they know you were entering anything as opposed to simply waving the mouse around?

Why would they need to know? What would happen if they just replayed the data they just captured exactly as it was captured? Wouldn't they just make the same gesture you've just accepted as being secure?

Re:Talented

[daikokatana]

Doubt it. You have to be pretty high up to be making that kind of money.

Say what? I'll give you a real life example of a small time dealer in the neighbourhood.

The drug? Xtc. The volume? About 1000 pills a night (easily sold, one or two discos). The price paid? 1 euro per pill. The price sold? 10 euros per pill. Net profit for ONE NIGHT WORK: 9000 euros. Show me a McDonalds where I can start please!

I'll give you the benefit that I'm not factoring in jail time...

Re:Challenge

[flosofl]

Instead it would be better to have the same wrong answers always appear with the right answer.

To defeat a frequency analysis, yes. But then we're back to the 1 in 8 (to use my original example) chance of a correct guess. Or just an 8 iteration process of elimination. You fix one problem, and another weakness creeps in. The "none-of-the-above" response is kind of intriguing, but the frequencies would need to be serioulsy tweaked. When all is said and done it's still a hack (not that that's a bad thing - except you don't hack together a secure authentication system). This is kind of like 1.5 factor authentication - what-you-know with what-you-know. Where as true 2 factor is usually what-you-know with what-you-have.

My job is primarily authentication systems (that and cryptographic systems). We have looked at every possible way to tighten security using 1-factor, and nothing really works to improve on password/passphrase. No real defense at all against keylogging.

There was another comment in this thread about using a password safe. I personally use Password Safe - it's portable between Win and Linux (using MyPasswordSafe). It seems like a good idea also, but here's the problem: The keylogger. You need to type a password in to open the safe. Now if I'm an attacker and I see my log reading a username - [ctrlV] (or if it's a real sophisticated one username-[mouse event])then I know my target is using a password safe. Espically if I see what can only be a password in the logger before these events. Most of them use a standardized safe name or extension. Since I know I can at this point gain access to the machine, I send a small seek-and-send virus to get the password safe (for instance, in the case of Password Safe - I grab all the *.dat files I come across). Now I have the safe, the safe master password, and all the usernames and password and notes in it.

Again, 2-facter seems to be the only solution. I like the Digital ID the best from a usability standpoint. It's completely transparent to the end-user. They just need to make sure it's plugged in the USB port. It's as portable as a token and you can only read it with a special driver or kernel module. There's alot more to it than that, but I would be extremely surprised if it was vulnerable to the same attack vector as installing keyloggers (something to start looking at - you guys got the juices flowing).

Ingdirect.com.au

[extrandall]

I have an account with INGDIRECT - 5.45% PA (http://www.ingdirect.com.au/ [ingdirect.com.au] When loging onto the ING Direct website, it asks you to type in your account number, and then it asks you to enter your PIN numbr by clicking on a Randomly generated keypad. So, even if someone was running a program that logs mouse co-ordinates as well as keyboard butons, they still wouldn't be able to log into my account because of the randomly generated layout of the number pad. Now, if the program also took screen shots... that's another story! :o)

Never use the whole password

[Sindri]

My banks [natwest.com] online banking login never asks for the full password, but for something like the 3rd, 5th and 7th character from the password and 3 out of 4 digits from a pin number (not in order).