Phishers Using Keystroke Loggers
Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted."
Challenge (Score:5, Interesting)
When using online banking (or anything online really), once you have entered your login correctly, the site displays a graphical challenge derived from one of your personal details, such as address, phone, birthday etc., and you use your mouse to choose the correct one and proceed.
I guess this is similar to the additional 3/4 digits at the back of a credit card.
Scramble your keys (Score:4, Interesting)
Old exploit, new name (Score:2, Interesting)
Phishers are virus writers with a financial motive, nothing more. In fact, most virus writers these days are financially motivated (like setting up zombie networks for extortion attempts). Why differentiate? Just call them criminals.
Re:Scramble your keys (Score:2, Interesting)
ahh, my asplode....
Clicking the other side of what? My experience with key loggers is that they are inescapable. If you touch the key and send the signal the character is recorded. No need to hit "enter" either for it to get recorded. They are the most nefarious thing I've seen, yet, in spying on a user's computer activities....
Re:From a quick scan of TFA (Score:2, Interesting)
I think shipping a product that, taken out of the box and connected to the internet as is, stops working in very short order is negligent. If I bought a toaster I think I should be reasonably able to make toast with it for at least a few weeks before it spontaneously combusted without buying any toaster protection devices or having to read tomes of information about toaster security theory.
Secure keyboards (Score:5, Interesting)
Re:Challenge (Score:3, Interesting)
Re:Scramble your keys (Score:2, Interesting)
firstdirect has a nice stopgap (Score:4, Interesting)
If my password is "spaghetti bolognese", it might request three letters out of that, say "pgg". It's still vulnerable to man-in-the-middle but keylogging alone is of limited use.
Which makes me wonder why they don't just do man in the middle trojans which trigger off against known online banking domains...
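An added toy model of the partial-password prompt the post above describes (constructed example, not firstdirect's real implementation): the server asks for three positions, verifies in constant time, and a helper counts how much of the password a passive observer has accumulated after several captured logins.

```python
import random
import secrets

# Toy model of the partial-password login described above
# (constructed example; not firstdirect's real implementation).
PASSWORD = "spaghetti bolognese"   # constructed sample secret
K = 3                               # letters the server asks for per login


def make_challenge(password, k=K, rng=None):
    """Server side: pick k distinct 1-based positions to ask for."""
    if rng is None:
        rng = secrets.SystemRandom()
    return sorted(rng.sample(range(1, len(password) + 1), k))


def expected_answer(password, positions):
    return "".join(password[p - 1] for p in positions)


def verify(password, positions, response):
    # Constant-time compare so timing does not reveal which letter was wrong.
    return secrets.compare_digest(expected_answer(password, positions), response)


def leaked_positions(observed):
    """What a passive observer (keylogged answer plus the visible prompt)
    learns: the union of (position, letter) pairs over captured logins."""
    known = {}
    for positions, response in observed:
        for p, ch in zip(positions, response):
            known[p] = ch
    return known


def logins_to_recover(password, k=K, seed=0):
    """Simulate how many observed logins it takes before every position of
    the password has been requested at least once."""
    rng = random.Random(seed)
    observed = []
    while len(leaked_positions(observed)) < len(password):
        pos = make_challenge(password, k, rng)
        observed.append((pos, expected_answer(password, pos)))
    return len(observed)


if __name__ == "__main__":
    pos = make_challenge(PASSWORD)
    ans = expected_answer(PASSWORD, pos)
    print("prompt", pos, "answer ok:", verify(PASSWORD, pos, ans))
    print("one login leaks", len(leaked_positions([(pos, ans)])), "of", len(PASSWORD))
    print("logins until fully recovered (seed 0):", logins_to_recover(PASSWORD))
```

A single capture yields only three characters, but the simulation shows the leak is cumulative: a logger left in place across many logins eventually sees every position.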
Re:Scramble your keys (Score:4, Interesting)
He means like this:
1) type in 'word'
2) move the pointer (caret) to the left 'w'.
3) Finish typing 'pass' - you now have 'password' but the keylogger recorded 'wordpass'
Technically right but could be a pairing (Score:4, Interesting)
I don't know if they do that though, it just seems like something they would do...
Rapidly becoming? (Score:4, Interesting)
Re:Challenge (Score:2, Interesting)
Two-Factor Authentication & Smart Tokens (Score:2, Interesting)
Also, I (finally!) saw a commercial here in the States the other day for a bank that was advertising some sort of smart token for use with online banking. About time, I say.
SMS authentication (Score:3, Interesting)
Re:Avoiding hardware key loggers: (Score:2, Interesting)
Re:That's what I've heard (Score:3, Interesting)
Re:Challenge (Score:3, Interesting)
If you randomly change the false images, you can do a frequency analysis because the right answer always has to be presented.
Why is that? You could have a none of the above option.
Re:That's what I've heard (Score:2, Interesting)
This was 5 years ago. It was trivially easy to work out the good stuff and all obfuscation tricks mentioned so far in this thread would be rendered useless.
Keylogging was for a rogue accountant who we were about to fire for some dodgy practices but who was keeping all passwords too close (one reason for the fire).
Jason.
Re:Challenge (Score:4, Interesting)
When I asked them about this through their web support, they said that the money in the bank is insured so I shouldn't worry about it.
What crap reasoning. It's hard to picture a bank with such a lazy system taking any extra steps to help their customers stay safe and secure.
Virtual Keyboard. (Score:1, Interesting)
I'm sure it wouldn't matter if the keylogger picked up data from forms, though.
Probably will pick up the keys from a virtual keyboard, too, though.
SabadellAtlantico already do this (Score:5, Interesting)
You enter a pin number to confirm. It says 'enter number 37 from your magic numbers card'.
You enter it by clicking on a keypad. The location of the numbers on the keys change randomly each time. (I think they are images, but I've only seen it used so I'm not sure)
So even if they record it with a keylogger, they are not sure what the pin number is and anyway next time it will be a different pin number.
Re:Challenge (Score:2, Interesting)
Keyboard handlers (Score:3, Interesting)
To avoid keystroke loggers, is it possible for Firefox to contain its own keyboard handler? I don't know if this is possible in Windows or not, I remember doing this back in MS-DOS days. Just directly override the interrupt and read from the port.
So, what would be cool, is if Firefox had a "secure keyboard" toggle, which when turned on, disables the OS's keyboard handler and turns on its own. Is this feasible?
Re:Challenge (Score:4, Interesting)
Re:Use password that looks like mouse data (Score:2, Interesting)
Why would they need to know? What would happen if they just replayed the data they just captured exactly as it was captured? Wouldn't they just make the same gesture you've just accepted as being secure?
Re:Talented (Score:2, Interesting)
Say what? I'll give you a real life example of a small time dealer in the neighbourhood.
The drug? Xtc. The volume? About 1000 pills a night (easily sold, one or two discos). The price paid? 1 euro per pill. The price sold? 10 euros per pill. Net profit for ONE NIGHT'S WORK: 9000 euros. Show me a McDonalds where I can start please!
I'll give you the benefit that I'm not factoring in jail time...
Re:Challenge (Score:3, Interesting)
To defeat a frequency analysis, yes. But then we're back to the 1 in 8 (to use my original example) chance of a correct guess. Or just an 8 iteration process of elimination. You fix one problem, and another weakness creeps in. The "none-of-the-above" response is kind of intriguing, but the frequencies would need to be seriously tweaked. When all is said and done it's still a hack (not that that's a bad thing - except you don't hack together a secure authentication system). This is kind of like 1.5 factor authentication - what-you-know with what-you-know. Whereas true 2 factor is usually what-you-know with what-you-have.
My job is primarily authentication systems (that and cryptographic systems). We have looked at every possible way to tighten security using 1-factor, and nothing really works to improve on password/passphrase. No real defense at all against keylogging.
There was another comment in this thread about using a password safe. I personally use Password Safe - it's portable between Win and Linux (using MyPasswordSafe). It seems like a good idea also, but here's the problem: The keylogger. You need to type a password in to open the safe. Now if I'm an attacker and I see my log reading a username - [ctrlV] (or if it's a real sophisticated one username-[mouse event]) then I know my target is using a password safe. Especially if I see what can only be a password in the logger before these events. Most of them use a standardized safe name or extension. Since I know I can at this point gain access to the machine, I send a small seek-and-send virus to get the password safe (for instance, in the case of Password Safe - I grab all the *.dat files I come across). Now I have the safe, the safe master password, and all the usernames and passwords and notes in it.
Again, 2-factor seems to be the only solution. I like the Digital ID the best from a usability standpoint. It's completely transparent to the end-user. They just need to make sure it's plugged into the USB port. It's as portable as a token and you can only read it with a special driver or kernel module. There's a lot more to it than that, but I would be extremely surprised if it was vulnerable to the same attack vector as installing keyloggers (something to start looking at - you guys got the juices flowing).
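An added simulation (constructed; not any poster's or bank's code) of the point raised in the earlier "Re:Challenge" exchange and in the post above: when the user's true detail must always be on screen, intersecting a few observed option sets pins it down, and a "none of the above" fallback only hides it if its rate is tuned to the decoy pool. The pool size, option count and detail values are assumptions.

```python
import random
from collections import Counter
from fractions import Fraction

# Toy model of the "pick your own detail from a set of images" challenge
# (constructed; not any bank's real scheme). The observer is assumed to see
# which options were displayed at each login, nothing more.
TRUE_DETAIL = "1984-03-21"                          # constructed user detail
DECOY_POOL = [f"decoy-{i:02d}" for i in range(40)]  # constructed decoy details
NONE = "none of the above"


def make_challenge(rng, n=8, none_rate=0.0):
    """Show n options. With probability none_rate the true detail is
    withheld and NONE becomes the correct answer (the proposed fix)."""
    if rng.random() < none_rate:
        options, correct = rng.sample(DECOY_POOL, n), NONE
    else:
        options, correct = rng.sample(DECOY_POOL, n - 1) + [TRUE_DETAIL], TRUE_DETAIL
    rng.shuffle(options)
    return options + [NONE], correct


def observe(sessions, none_rate=0.0, n=8, seed=0):
    """Option sets an observer would collect over several logins."""
    rng = random.Random(seed)
    return [make_challenge(rng, n, none_rate)[0] for _ in range(sessions)]


def always_present(observed):
    """Without a NONE fallback the true detail is in every set, so the
    intersection of a handful of observed sets isolates it."""
    sets = [set(o) - {NONE} for o in observed]
    return set.intersection(*sets) if sets else set()


def ranked(observed):
    """Frequency analysis: how often each option was displayed."""
    return Counter(o for s in observed for o in s if o != NONE).most_common()


def balanced_none_rate(n, pool_size):
    """Rate r at which the true detail is shown no more often than any decoy:
    (1-r) = ((1-r)(n-1) + r*n)/P  =>  r = (P-n+1)/(P+1)."""
    return Fraction(pool_size - n + 1, pool_size + 1)


if __name__ == "__main__":
    print("no fallback, 10 logins:", always_present(observe(10)))
    print("50% fallback, 200 logins, top 3:", ranked(observe(200, 0.5))[:3])
    print("fallback rate needed to hide the detail:", balanced_none_rate(8, 40))
```

With 8 options from a pool of 40 the balanced rate is about 80%, so the legitimate user would see "none of the above" four logins out of five, which is the usability cost behind "the frequencies would need to be seriously tweaked".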
Ingdirect.com.au (Score:2, Interesting)
Never use the whole password (Score:2, Interesting)