petzl Posted December 13, 2006 Share Posted December 13, 2006 http://www.zdnet.com.au/news/security/soa/Hotmail_used_to_launch_extortion_scam/0,130061744,339272681,00.htm Link to comment Share on other sites More sharing options...
agsteele Posted December 14, 2006 Share Posted December 14, 2006 An interesting report although, to be honest, it uses a vulnerability that I've long been aware of. When travelling I make it a point not to connect to my Email accounts through Internet cafes. I use just a Google Mail account to send messages. So if anyone hacks into the mailbox there is nothing there to steal or mess with. One of my banks has changed their online security so that logging in does not use keyboard strokes. Instead you key in the access codes using an on-screen keypad and mouse clicks. Andrew Link to comment Share on other sites More sharing options...
petzl Posted December 14, 2006 Author Share Posted December 14, 2006 An interesting report although, to be honest, it uses a vulnerability that I've long been aware of. When travelling I make it a point not to connect to my Email accounts through Internet cafes. I use just a Google Mail account to send messages. So if anyone hacks into the mailbox there is nothing there to steal or mess with. One of my banks has changed their online security so that logging in does not use keyboard strokes. Instead you key in the access codes using an on-screen keypad and mouse clicks. You may wish to evaluate this "Password Saver" Allows 20 passwords in freeware mode, works from a USB device, Cannot be read by password "sniffers/loggers" (Hardware or Software). It even has its own virtual keyboard to create new password entries with "Protection from keylogging (intercepting of keystrokes) – All password fields are internally protected from keylogging." Link to comment Share on other sites More sharing options...
Farelf Posted December 14, 2006 Share Posted December 14, 2006 ...One of my banks has changed their online security so that logging in does not use keyboard strokes. Instead you key in the access codes using an on-screen keypad and mouse clicks.So has mine Andrew. Unfortunately both are clueless On-screen keyboards Program-to-program (non-web) keyboards It is sometimes said that a third-party (or first party) on-screen keyboard program is a good way to combat keyloggers, as it only requires clicks of the mouse. However, this is not true, because a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text sent as typed characters from one program to another with an on-screen keyboard, and additionally, some programs also record or take snapshots of what is displayed on the screen. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.) Web-based keyboards Web-based on-screen keyboards (written in java scri_pt, etc.) may provide some degree of protection. At least some commercial keylogging programs do not record typing on a web-based virtual keyboard. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.) Link to comment Share on other sites More sharing options...
petzl Posted December 14, 2006 Author Share Posted December 14, 2006 So has mine Andrew. Unfortunately both are clueless The Virtual Keyboard in the program I mention is for creating your own passwords only on ones own computer. The "Form Filling program" suggested though can also random generate extremely secure passwords on its own. Using this program for "logging on" cannot be recorded by keyloggers, sniffer programs or even screen capture programs. Automatic form filler programs Automatic form-filling programs can prevent keylogging entirely by not using the keyboard at all. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user's account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. (Someone with access to browser internals and/or memory can often still get to this information; if SSL is not used, network sniffers and proxy tools can easily be used to obtain private information too.) It is important to generate passwords in a fashion that is invisible to keyloggers and screenshot utilities. Using a browser integrated form filler and password generator that does not just pop up a password on the screen is therefore key. Programs that do this can generate and fill passwords without ever using the keyboard or clipboard. Thanks for the link most informative Link to comment Share on other sites More sharing options...
csouter Posted January 6, 2007 Share Posted January 6, 2007 Hi Farelf, I see you're in WA... I'm in NSW and I use CUA for some of my online banking. Their electronic banking ("Web Banker") site has an on-screen keypad which the user has to click with the mouse to enter the password. The virtual "keys" change their relative positions with each new login session. Would this be subject to the same weaknesses as the on-screen virtual keyboards you describe in your earlier post? Just wondering... Link to comment Share on other sites More sharing options...
petzl Posted January 6, 2007 Author Share Posted January 6, 2007 Would this be subject to the same weaknesses as the on-screen virtual keyboards you describe in your earlier post? The weakness is exploited only if you are using a machine with keylogging program running and or a screen capture program True security is to make sure your computer is secure The easiest (IMO) is (windows Machines) is to purchase (US$40) Microsofts OneCare For excellent freeware alternatives go through my signature and install each program if you do not have a equivalent program running Be suspicious of any untrusted computer like at Internet Cafe, library etc Link to comment Share on other sites More sharing options...
Farelf Posted January 6, 2007 Share Posted January 6, 2007 ...The virtual "keys" change their relative positions with each new login session. Would this be subject to the same weaknesses as the on-screen virtual keyboards you describe in your earlier post?Hi csouter. As petzl says the keylogger/screencapture has to be installed in the first place. Best policy is to ward and check (as petzl also says). Malware infestation can be easier done than it might seem, according to the gurus (okay, they have a vested interest but evidence appears to support them). IF one such recorder is installed and it is a high speed type then the jumbled keyboard would make things about as difficult for a snoop as it does for you to use it, I would think. Nice idea but actual security value is questionable IMO, actually more of an imposition on you, the user, perhaps. Check your account balances frequently - processes for "guessing" card account numbers (which are partially formulaic anyway) and passwords which are analogous to dictionary attacks on email addresses are feasible - IOW malware ain't the only concern. In Oz the financial institution has primary responsibility in the event of fraud - but it becomes your responsibility PDQ if there is any way for them to weasel out of it. What's the line - "be alert but not alarmed"? Link to comment Share on other sites More sharing options...
csouter Posted January 6, 2007 Share Posted January 6, 2007 True security is to make sure your computer is secure The easiest (IMO) is (windows Machines) is to purchase (US$40) Microsofts OneCare For excellent freeware alternatives go through my signature and install each program if you do not have a equivalent program running Be suspicious of any untrusted computer like at Internet Cafe, library etc As petzl says the keylogger/screencapture has to be installed in the first place. Best policy is to ward and check (as petzl also says). Malware infestation can be easier done than it might seem, according to the gurus (okay, they have a vested interest but evidence appears to support them). <SNIP> Nice idea but actual security value is questionable IMO, actually more of an imposition on you, the user, perhaps. <SNIP> In Oz the financial institution has primary responsibility in the event of fraud - but it becomes your responsibility PDQ if there is any way for them to weasel out of it. What's the line - "be alert but not alarmed"? Thank you both for your info. It sets my mind at rest somewhat, because I only use Windows when I have absolutely no way of avoiding it, and certainly never when transmitting sensitive financial information over the internet; I would certainly never use a public computer for such a purpose under any circumstances. At home, I use OS/2 for any sensitive online transactions. It's virus-, spyware- and trojan-proof, doesn't respond to VBS worms and generally cannot be exploited by any of the Windows-centric malware that is floating around out there. Unfortunately, it's not spam-proof! But, then again, neither is any other OS Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.