Phishers Using Keystroke Loggers
Eh-Wire writes "Keystroke loggers are rapidly becoming the lure of choice for phishers. Their advantage is that they compromise information long before the information has a chance to be encrypted."
Challenge (Score:5, Interesting)
When using online banking (or anything online really), once you have entered your login correctly, the site displays a graphical challenge derived from one of your personal details, such as address, phone, birthday etc., and you use your mouse to choose the correct one and proceed.
I guess this is similar to the additional 3/4 digits at the back of a credit card.
Re:Challenge (Score:2, Insightful)
Re:Challenge (Score:5, Insightful)
Re:Challenge (Score:3, Insightful)
Consider the current scams running through spam e-mail. The response rates from the users are miniscule, but the volumes are so large and their expenses are so low that they still stay profitable.
And you cannot make a graphical interaction with the user complex enough to make a random guess succeed in less than, say, 1/1000 of c
Re:Challenge (Score:4, Insightful)
Replay attacks, AFAIK, require exact positioning. Trust me, I've done test automation using replay software, and window position is a right bitch to deal with... esp. when form elements move inside a page of a browser you might as well forget it.
Plus randomization of relative positioning (i.e., is it the left or right one) on each page can further increase this problem for phishers.
This concept of a crypto-turing test is a great idea.
Re:Challenge (Score:3, Interesting)
Re:Challenge (Score:3, Insightful)
Though 90% of the users just click 'accept' w/o even looking at it enough to even see the 'remember this decision for this program' option, so they obviously aren't looking at the program name.
Re:Challenge (Score:2)
Re:Challenge (Score:4, Informative)
Also most of these graphical challenges are still a limited number of preset images that are simply cycled around so it's easy to detect which is which by file hashes and things like that. Not many sites generate their own live graphical challenge images.
Use password that looks like mouse data (Score:2)
I know I know, this is security by obscurity, but maybe this idea will spark some others that would work even better.
Re:Use password that looks like mouse data (Score:2)
Re:Use password that looks like mouse data (Score:2)
Hardware (Score:2)
Graphical passwords (Score:2)
The system sends a list of images (people's faces) to the user and the user chooses one. The benefits of this are: 1) People remember faces better than passwords. They don't forget their password during a vacation. 2) A face is very easy to recognise, but very hard to describe. This makes it very difficult to steal or give away the password (on purpose, under duress or by mistake [including phishing]).
Re:Challenge (Score:5, Informative)
I work for a large European bank (I work in the US, however) in IT security - specifically with authentication systems. On the surface that seems like a decent idea - but it's flawed. Let's say you present 8 images of birthdates (1 real - the rest bogus info) randomly placed each time. Someone trying to break in (who has the username/password) now has only a 1 in 8 chance of brute-forcing the second challenge. Also, if you randomly change the false images, you can do a frequency analysis because the right answer always has to be presented. If you present more images to muddy the waters, you make it more difficult and annoying for the customer (hell 8 images might do that).
If the account has a lock-out policy, it may take a couple days for the attacker to get in this way (because he keeps locking it and you keep unlocking it), but so what? I'd be willing to spend a couple minutes a day over a week to get potential access to a couple thousand dollars. Plus if you get suspicious about the fact your account keeps locking and change the password, it doesn't matter - he has a keylogger remember?
Really, the only real way (other than having a pristine and secure home system) to avoid this is to have the banking/financial sites use two factor authentication. Either an OTP token, a challenge response token or a USB Smart Card with a bank issued x.509v3 certificate on it. Europe uses these methods (at least our European customers do). The only reason the USA banks don't is because of the "convenience" factor the customers expect. They'd leave the bank in droves if you "complicated" personal banking (we already use two-factor for wholesale/corporate banking).
Re:Challenge (Score:3, Insightful)
Why not give the customers the option of using a high security interface over the normal one? That way the people who don't care about taking it up the ass can, and the people who do are covered too.
Personally, I use a password keeper. I never type my passwords...ever. They are genera
Re:Challenge (Score:3, Interesting)
if you randomly change the false images, you can do a frequency analysis because the right answer always has to be presented.
Why is that? You could have a none of the above option.
Re:Challenge (Score:3, Interesting)
To defeat a frequency analysis, yes. But then we're back to the 1 in 8 (to use my original example) chance of a correct guess. Or just an 8 iteration process of elimination. You fix one problem, and another weakness creeps in. The "none-of-the-above" response is kind of intriguing, but the frequencies would need to be seriously tweaked. When all is said and done it's still a hack (not that that's a bad th
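The two weaknesses the bank engineer describes above (the real detail always appearing on the panel, and the blind-guess odds once a "none of the above" option is added) are easy to quantify before a scheme like this ships. The following simulation is an added example, not from the thread: the true date and the decoy pool are constructed values, and the panel size of 8 is the one used in the discussion. It shows that a "none of the above" rate low enough to hide the real detail in the frequencies makes "none" the winning blind guess instead.

```python
import random
from collections import Counter

# Constructed data for the simulation: one customer's (made-up) true birthdate
# and a pool of 160 decoy dates the server could draw from.
TRUE_DATE = "1974-03-12"
DECOY_POOL = [f"19{y:02d}-{m:02d}-{d:02d}"
              for y in range(50, 90) for m in (1, 6) for d in (5, 20)]


def build_challenge(rng, panel_size=8, show_rate=1.0):
    """One round of the image challenge. With show_rate=1.0 the true date is
    on every panel (the scheme as first proposed). A lower show_rate models the
    'none of the above' variant: the true date is omitted with probability
    1 - show_rate, and 'none' is then the correct answer."""
    decoys = rng.sample(DECOY_POOL, panel_size)
    if rng.random() >= show_rate:
        return decoys                         # true date absent this round
    panel = decoys[:panel_size - 1] + [TRUE_DATE]
    rng.shuffle(panel)                        # random placement, as proposed
    return panel


def most_frequent_option(rounds, rng, **kw):
    """The frequency analysis from the post: over many observed panels the
    option that keeps reappearing is the customer's real detail.
    Returns (option, number of panels it appeared on)."""
    counts = Counter()
    for _ in range(rounds):
        counts.update(build_challenge(rng, **kw))
    return counts.most_common(1)[0]


def blind_guess_success(panel_size=8, show_rate=1.0):
    """Best single-attempt success rate with no knowledge of the customer:
    either answer 'none' (right whenever the date was omitted) or pick one
    tile (right with probability show_rate / panel_size)."""
    return max(1.0 - show_rate, show_rate / panel_size)


if __name__ == "__main__":
    print(most_frequent_option(200, random.Random(42)))            # true date on all 200 panels
    print(most_frequent_option(400, random.Random(42), show_rate=0.5))
    for rate in (1.0, 0.5, 0.05):
        print(rate, blind_guess_success(show_rate=rate))          # 0.125, 0.5, 0.95
```

The design check this gives a reviewer: a decoy drawn from a pool of 160 shows up on roughly 5% of panels, so the real detail only blends in once it is shown about 5% of the time, and at that point always answering "none" succeeds 95% of the time. There is no setting of show_rate at which both the frequency gap and the blind-guess rate are acceptable, which is the "fix one problem, another creeps in" point in prose form.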
Re:Challenge (Score:4, Interesting)
When I asked them about this through their web support, they said that the money in the bank is insured so I shouldn't worry about it.
What crap reasoning. It's hard to picture a bank with such a lazy system taking any extra steps to help their customers stay safe and secure.
Re:Challenge (Score:3, Informative)
Re:Challenge (Score:3, Insightful)
SabadellAtlantico already do this (Score:5, Interesting)
You enter a pin number to confirm. It says 'enter number 37 from your magic numbers card'.
You enter it by clicking on a keypad. The location of the numbers on the keys change randomly each time. (I think they are images, but I've only seen it used so I'm not sure)
So even if they record it with a keylogger, they are not sure what the pin number is and anyway next time it will be a different pin number.
But there were two parts (Score:3, Informative)
You have a transaction card, the computer asks for transaction number X, you lookup X to get Y and enter Y using the keypad.
So even if the phisher captures the screen it will be different on the next transaction.
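The two layers described in the last two posts, a numbered one-time code card (the "magic numbers card" or transaction card) and an on-screen keypad whose digit layout changes per login, fit in a short server-side model. This is an added example, not SabadellAtlantico's code or anything from the thread; the card contents are constructed values. It shows why a logged code or a logged sequence of clicks is useless on the next transaction.

```python
import random
import secrets


class TanCard:
    """Bank-side record of one customer's numbered one-time code card.
    Each index is usable exactly once, so a code captured by a keylogger
    or a screen grab is worthless after the customer has used it."""

    def __init__(self, codes, rng=None):
        self.codes = dict(enumerate(codes, start=1))   # index printed on the card -> code
        self.used = set()
        self.rng = rng or secrets.SystemRandom()

    def issue_challenge(self):
        """Pick an unused index at random ('enter number 37 from your card')."""
        unused = [i for i in self.codes if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; issue the customer a new one")
        return self.rng.choice(unused)

    def verify(self, index, answer):
        """Accept the code for this index once; reject replays and unknown indices.
        A real deployment would also count failures towards a lockout."""
        if index not in self.codes or index in self.used:
            return False
        if not secrets.compare_digest(self.codes[index], answer):
            return False
        self.used.add(index)
        return True


def shuffled_keypad(rng=None):
    """A fresh on-screen digit layout for this login: list index is the key
    position, value is the digit drawn on it."""
    rng = rng or secrets.SystemRandom()
    layout = list("0123456789")
    rng.shuffle(layout)
    return layout


def positions_for(layout, digits):
    """What the customer actually clicks for a code on a given layout, i.e.
    the only thing a mouse/click logger gets to see."""
    return [layout.index(d) for d in digits]


def decode_clicks(layout, positions):
    """Server side: map clicked positions back to digits using the layout it
    sent. Without that layout the positions alone carry no information."""
    return "".join(layout[p] for p in positions)


if __name__ == "__main__":
    card = TanCard(["4821", "0937", "5510"])       # constructed card contents
    idx = card.issue_challenge()
    layout = shuffled_keypad()
    clicks = positions_for(layout, card.codes[idx])
    print(idx, clicks, card.verify(idx, decode_clicks(layout, clicks)))
    print("replay:", card.verify(idx, decode_clicks(layout, clicks)))   # False
```

The property to keep in mind when reviewing such a system is that both the layout and the card index are chosen by the server and change per session; if either were predictable (a fixed keypad, or indices used in order), a captured session would carry over to the next one.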
Keyboard handlers (Score:3, Interesting)
To avoid keystroke loggers, is it possible for Firefox to contain its own keyboard handler? I don't know if this is possible in Windows or not, I remember doing this back in MS-DOS days. Just directly override the interrupt and read from the port.
So, what would be cool, is if Firefox had a "secure keyboard" toggle, which when turned on, disables the OS's keyboard handler and turns on its own. Is this feasible?
Re:Challenge (Score:4, Interesting)
Re:Challenge (Score:2, Interesting)
Scramble your keys (Score:4, Interesting)
Re:Scramble your keys (Score:2, Interesting)
ahh, my asplode....
Clicking the other side of what? My experience with key loggers is that they are inescapable. If you touch the key and send the signal the character
Re:Scramble your keys (Score:2)
Granted, not ideal, but will help against trivial keyloggers.
Re:Scramble your keys (Score:5, Informative)
Re:Scramble your keys (Score:2)
Re:Scramble your keys (Score:2)
A 'focus-change' message does not come out through the keyboard, and therefore is not logged. The best a keystroke logger can do toward a shift change is like
Re:Scramble your keys (Score:4, Interesting)
He means like this:
1) type in 'word'
2) move the pointer (caret) to the left 'w'.
3) Finish typing 'pass' - you now have 'password' but the keylogger recorded 'wordpass'
Re:Scramble your keys (Score:2)
Re:Scramble your keys (Score:5, Insightful)
Re:Can't exactly do that on a public terminal.. (Score:3, Informative)
Re:Can't exactly do that on a public terminal.. (Score:3, Insightful)
Re:Scramble your keys (Score:2, Interesting)
Re:Scramble your keys (Score:2)
MOD PARENT UP!!! (Score:2)
Good idea.
Enter some characters in the password field. Then use the mouse to erase some of those characters. Then put the cursor in a different position than it was originally, and enter some more characters.
ALL banks should be required by law to use randomly presented images in a challenge-response system.
It's a pity that the only things that can be done now in the U.S. government involve paying some politician, so needed changes aren't made.
Call the bank to enable any transaction. (Score:2)
Also:
Copy and Paste your password into the password field.
Another security measure for banks would be to require that you call the bank to enable any transaction you just entered.
Re: (Score:2, Insightful)
Re:Talented (Score:3, Insightful)
Not necessarily. It could just be that phishing might just pay more than doing an honest job.
Re:Talented (Score:4, Insightful)
Plus, if they have enough skill to phish efficiently and successfully, then they can probably get a job somewhere.
Re:Talented (Score:2)
They hate sitting in the cube, and all they want for eight hours is out. So they don't do it.
They've got other talents anyways.
Re:Talented (Score:2)
Tell that to the people two doors down from me - they're dealing drugs while the local McDonald's has a 'help wanted' sign. Go figure. The kicker - these bums are also on welfare.
Some people would rather scheme and steal $1 instead of making $10 honestly.
Re:Talented (Score:4, Informative)
Re:Talented (Score:2)
Re:Talented (Score:2)
After you deduct what they snort up their nose, have to pay their pimp, and what have you - their lifestyle sucks. Shitty cars, beat-up section 8 housing, bastard children running around, cops looking for them, health problems, never been to Europe, skanky infected women, no teeth, cheap rims, can't read, government cheese. No dignity.
Drug dealing is its own wo
Re:Talented (Score:3, Funny)
And, as we all know, the average McDork manages to summer on the continent at least once every few years.
I'm a burglar because there are no jobs! (Score:2)
Criminals, particularly skilled and intelligent ones, don't just turn to crime to keep from starving. They do it for the rush or because they find regular work boring etc.
At the end of the day, there is no real difference between phishers and pick-pockets, except that phishers are cowardly and do things remotely (and so avoid - mostly - get
Teach a man to Phish (Score:5, Funny)
Exactly. I saw this guy the other day on the street with a sign that said "Will Phish for food."
Re:Teach a man to Phish (Score:4, Funny)
Give a man a fish and he'll be fed for one day.
Teach a man to phish and he'll steal for the rest of his life.
Secure yourself! (Score:5, Funny)
Re:Secure yourself! (Score:2)
Re:Secure yourself! (Score:2)
I still like to do the 'switch the N and M keys' trick to annoy people who can't touch type.
It's very amusing to see that there are a few people who completely lose their cool when they can't figure out how to type
Re:Secure yourself! (Score:2, Funny)
Well, just take away their wood (Score:5, Funny)
If we just take away the Wood on the Internets, the Loggers will go home. And then they'll stop phishing for Newbs
That's what I've heard (Score:5, Insightful)
I find myself, when on public machines, typing extra characters in my passwords and then using the mouse to highlight them and type over them. This makes my passwords (which are already random letters/numbers) seem longer than they really are with gibberish if they are logged as keystrokes. Unfortunately, some software keyloggers can detect exactly what the input into forms are -- this does not help with that. It is also quite a hassle, but what can I say? I'm a bit paranoid (but, I believe, rightly so).
Keylogging is the easiest way to get people's information. The only solution I see is to ensure all public machines are much more secure from the user's end, and to actually have the machine itself inaccessible (i.e. locked in a drawer, etc.). I guess the only 'perfect' solution (if there is one) would be to use a keyboard that is projected from an inaccessible area, so that it cannot be tampered with whatsoever.
Nothing's perfect, but we can do better than we're doing in public locations!
Re:That's what I've heard (Score:3, Interesting)
Re:That's what I've heard (Score:2)
Re:That's what I've heard (Score:2)
Yeah... (Score:2, Redundant)
Old exploit, new name (Score:2, Interesting)
Phishers are virus writers with a financial motive, nothing more. In fact, most virus writers these days are financially motivated (like setting up zombie networks for extortion attempts). Why di
SOLUTION! (Score:2, Funny)
Re:SOLUTION! (Score:2)
Informative Link (Score:4, Informative)
In the interest of stimulating more informed discussion, the results of the Anti-Phishing Working Group survey can be found here [earthlink.net].
Pharmers (Score:3, Informative)
Not a problem with Windows Trusted Keyboard... (Score:2, Funny)
Summary misleading. (Score:3, Insightful)
dictionary.com entry
Main Entry: phishing
Definition: the practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords [...]
You can install a keylogger to steal someone's passwords, credit card numbers, etc but calling it a trojan horse or a browser/email client exploit would be much more appropriate.
Here's an Idea... (Score:2, Insightful)
I was disappointed reading the article. I was hoping they would go into more technical details like how these programs work, and how to detect some of them. As some pointed out already, the article just merely states the obvious, people using whatever techniques they ca
How about not wasting law enforcement? (Score:3, Insightful)
Need an easy workaround? (Score:2)
If you are cheap, and can't afford a Klingon Keyboard, then just use Klingon phrases throughout your work and play. How are phishers supposed to know that "Bocktagh Massacre" is your username, or that "I eat raw Kitblagh." is your bank's password?
So, until the keyloggers come with screenscrapers, I figure I'm safe no matter what computer I'm sitting at.
Re:Need an easy workaround? (Score:2)
Re:Need an easy workaround? (Score:2)
Easy Fix (Score:2, Insightful)
1. Don't use public access terminals for your important transactions.
2. Don't let your home computer become infected with tons of malware.
3. Go back to snailmail and telephones for those transactions... ok not a great solution but a logger can't get your bank password if you're sending checks to pay your bills, reading paper statements and calling the bank for your balance.
Secure keyboards (Score:5, Interesting)
Re:Secure keyboards (Score:4, Insightful)
new employees at Slashdot recently? (Score:2)
Re:new employees at Slashdot recently? (Score:2)
firstdirect has a nice stopgap (Score:4, Interesting)
if my password is "spaghetti bolognese", it might request three letters out of that, say "pgg". It's still vulnerable to man-in-the-middle but keylogging alone is of limited use.
Which makes me wonder why they don't just do man in the middle trojans which trigger off against known online banking domains...
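The partial-password scheme in the post above ("three letters out of your password, say 'pgg'") is simple to model, and modelling it makes its trade-offs visible: a keystroke log of one session gives up only the positions asked that session, a recorded answer fails against the next challenge, but the bank must store the password in a readable form because it has to compare individual characters. This is an added example and not firstdirect's code; the password is the one from the post, and the challenge size of 3 matches it.

```python
import hmac
import random
import secrets


class PartialPasswordVerifier:
    """Server side of a 'give me letters 2, 4 and 15 of your password' login.

    Caveat for anyone evaluating the scheme: the server needs the password
    (or each character) in a form it can read, so the usual salted one-way
    hash is not an option. That stored secret must be protected accordingly."""

    def __init__(self, password, k=3, rng=None):
        self.password = password          # stored recoverable, the scheme's inherent cost
        self.k = k
        self.rng = rng or secrets.SystemRandom()

    def issue_challenge(self):
        """Fresh, sorted, repeat-free 1-based positions for this login."""
        return sorted(self.rng.sample(range(1, len(self.password) + 1), self.k))

    def verify(self, positions, answer):
        """Compare only the requested characters, in constant time."""
        expected = "".join(self.password[p - 1] for p in positions)
        return hmac.compare_digest(expected, answer)


def exposure_after_logging(password_len, challenges_seen):
    """How much a keystroke log of past sessions reveals: the number of
    distinct positions whose character has been typed, out of the total."""
    known = set().union(*challenges_seen)
    return len(known), password_len


if __name__ == "__main__":
    bank = PartialPasswordVerifier("spaghetti bolognese")   # password from the post
    print(bank.verify([2, 4, 15], "pgg"))                   # True: the 'pgg' case
    print(bank.verify([1, 3, 5], "pgg"))                    # False: replayed answer, new challenge
    print(exposure_after_logging(19, [[2, 4, 15]]))         # (3, 19) after one logged session
```

As the post says, this is only a stopgap against keylogging: a man-in-the-middle that relays the bank's current challenge to the victim and the victim's answer back gets past it in one session, and a logger that sees enough sessions eventually covers all positions.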
Lure? (Score:2)
Lure is more synonymous with "bait". Crappy email messages are the bait. The use of keyloggers as a tool is more the trap than a lure.
Phishers or miners? (Score:5, Insightful)
Ultimately how identity information is revealed aside, is this a phishing attempt or a mining attempt?
Phishing has traditionally been initiated by a cleverly socially engineered email or some form of communication, redirecting the unsuspecting user to a counterfeit site designed to harvest that information. Like putting a worm on a hook and dropping it in the water, you hope for someone to nibble at it.
Mining on the other hand is like picking away at the ground, in this case undetected, hoping to find that cache of gold. There's no guarantee that you'll even find anything, and once keylogging software is installed on the victim's PC, there is no user interaction with it. There is no social engineering to be done.
So therefore, wouldn't keylogging really be more mining than phishing? Or should I stop wasting my time on
Technically right but could be a pairing (Score:4, Interesting)
I don't know if they do that though, it just seems like something they would do...
US Banks are plain stupid (Score:2)
The solution is quite simple: Require more than a simple password.
Since remote access to bank accounts became possible, somewhere in the late eighties, every financial institution has used more than a password for authentication. Either a one time password pad or challenge/response procedure is used. This might have to do with Swiss paranoia, but I think of it as an absolute necessity.
Why oh why do US banks think they can get away with a simple, cheap password?
Markus
Rapidly becoming? (Score:4, Interesting)
Puh-leeze! (Score:2)
Select chars from dropdown boxes. (Score:2)
But... then it isn't phising (Score:2)
This is sort of like saying "Muggers are starting to steal credit card numbers online, and are using them to commit a mugging by buying things with them".
In fact, it isn't even phisHing (Score:2)
Perhaps it's time to spoof the phishers (Score:2)
Boot from CD (Score:2)
SMS authentication (Score:3, Interesting)
Re:From a quick scan of TFA (Score:2, Interesting)
I think shipping a product that, taken out of the box and connected to the internet as is, stops working in very short order is negligent. If I bought a toaster I think I should be reasonably able to make toast with it for at leas
Re:From a quick scan of TFA (Score:4, Informative)
Not for quite some time now. The Outlook 2003 default Inbox view is no preview pane, and the default condition for images is off, unless you right click to display.
Re:From a quick scan of TFA (Score:3, Informative)
Re:From a quick scan of TFA (Score:3, Informative)
Still far more than free, but not $500.
Re:Old is not bad in all the cases (Score:2)
Re:do your banking offline (Score:2)
The fact of the matter is that banks are open for businesses. The rest of us are thrown the internet and phone banking bone to shut us up as we're not valued customers.
Re:do your banking offline (Score:2)
Don't forget that many banks also now charge a $3 fee to deal with a real live teller rather than an ATM.