petzl

Hotmail used to launch extortion scam


An interesting report although, to be honest, it uses a vulnerability that I've long been aware of. When travelling I make it a point not to connect to my Email accounts through Internet cafes. I use just a Google Mail account to send messages. So if anyone hacks into the mailbox there is nothing there to steal or mess with.

One of my banks has changed their online security so that logging in does not use keyboard strokes. Instead you key in the access codes using an on-screen keypad and mouse clicks.

Andrew

You may wish to evaluate this "Password Saver"

Allows 20 passwords in freeware mode, works from a USB device, and cannot be read by password "sniffers/loggers" (hardware or software). It even has its own virtual keyboard to create new password entries with.

"Protection from keylogging (intercepting of keystrokes) – All password fields are internally protected from keylogging."

...One of my banks has changed their online security so that logging in does not use keyboard strokes. Instead you key in the access codes using an on-screen keypad and mouse clicks.
So has mine, Andrew. Unfortunately both are clueless.
On-screen keyboards

Program-to-program (non-web) keyboards

It is sometimes said that a third-party (or first party) on-screen keyboard program is a good way to combat keyloggers, as it only requires clicks of the mouse. However, this is not true, because a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text sent as typed characters from one program to another with an on-screen keyboard, and additionally, some programs also record or take snapshots of what is displayed on the screen. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

Web-based keyboards

Web-based on-screen keyboards (written in JavaScript, etc.) may provide some degree of protection. At least some commercial keylogging programs do not record typing on a web-based virtual keyboard. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

So has mine Andrew. Unfortunately both are clueless

The virtual keyboard in the program I mention is for creating your own passwords only, on one's own computer.

The "form filling program" suggested, though, can also randomly generate extremely secure passwords on its own. Logging on with this program cannot be recorded by keyloggers, sniffer programs or even screen capture programs.

Automatic form filler programs

Automatic form-filling programs can prevent keylogging entirely by not using the keyboard at all. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user's account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. (Someone with access to browser internals and/or memory can often still get to this information; if SSL is not used, network sniffers and proxy tools can easily be used to obtain private information too.)

It is important to generate passwords in a fashion that is invisible to keyloggers and screenshot utilities. Using a browser integrated form filler and password generator that does not just pop up a password on the screen is therefore key. Programs that do this can generate and fill passwords without ever using the keyboard or clipboard.

Thanks for the link most informative


Hi Farelf,

I see you're in WA... I'm in NSW and I use CUA for some of my online banking. Their electronic banking ("Web Banker") site has an on-screen keypad which the user has to click with the mouse to enter the password. The virtual "keys" change their relative positions with each new login session. Would this be subject to the same weaknesses as the on-screen virtual keyboards you describe in your earlier post?

Just wondering...

Would this be subject to the same weaknesses as the on-screen virtual keyboards you describe in your earlier post?

The weakness is exploited only if you are using a machine with a keylogging program and/or a screen capture program running.

True security is to make sure your computer is secure.

The easiest (IMO) for Windows machines is to purchase (US$40) Microsoft's OneCare.

For excellent freeware alternatives, go through my signature and install each program if you do not have an equivalent program running.

Be suspicious of any untrusted computer, like at an Internet cafe, library, etc.

...The virtual "keys" change their relative positions with each new login session. Would this be subject to the same weaknesses as the on-screen virtual keyboards you describe in your earlier post?
Hi csouter. As petzl says, the keylogger/screen capture has to be installed in the first place. Best policy is to ward and check (as petzl also says). Malware infestation can be done more easily than it might seem, according to the gurus (okay, they have a vested interest, but evidence appears to support them). IF one such recorder is installed and it is a high-speed type, then the jumbled keyboard would make things about as difficult for a snoop as it does for you to use it, I would think. Nice idea, but actual security value is questionable IMO; actually more of an imposition on you, the user, perhaps. Check your account balances frequently: processes for "guessing" card account numbers (which are partially formulaic anyway) and passwords, which are analogous to dictionary attacks on email addresses, are feasible. IOW, malware ain't the only concern. In Oz the financial institution has primary responsibility in the event of fraud, but it becomes your responsibility PDQ if there is any way for them to weasel out of it. What's the line: "be alert but not alarmed"?

As petzl says the keylogger/screencapture has to be installed in the first place. Best policy is to ward and check (as petzl also says). Malware infestation can be easier done than it might seem, according to the gurus (okay, they have a vested interest but evidence appears to support them). <SNIP> Nice idea but actual security value is questionable IMO, actually more of an imposition on you, the user, perhaps. <SNIP> In Oz the financial institution has primary responsibility in the event of fraud - but it becomes your responsibility PDQ if there is any way for them to weasel out of it. What's the line - "be alert but not alarmed"?

Thank you both for your info. It sets my mind at rest somewhat, because I only use Windows when I have absolutely no way of avoiding it, and certainly never when transmitting sensitive financial information over the internet; I would certainly never use a public computer for such a purpose under any circumstances.

At home, I use OS/2 for any sensitive online transactions. It's virus-, spyware- and trojan-proof, doesn't respond to VBS worms and generally cannot be exploited by any of the Windows-centric malware that is floating around out there. Unfortunately, it's not spam-proof! But, then again, neither is any other OS :(
