
Real-Time Keyloggers

kdawson posted more than 5 years ago | from the taking-a-leaf-from-twitter dept.

Security 205

The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."


Real Time? (5, Funny)

Anonymous Coward | more than 5 years ago | (#29166441)

My Windoze apps at work don't even respond in real time. Maybe the trojan provides a free performance boost?

Re:Real Time? (1)

commodore64_love (1445365) | more than 5 years ago | (#29166909)

Go into Task Manager.
Select program you want to run in real time
Right click and "go to process"
Right click and "set priority"
Choose real time.

Easy. I do this for Windows Media Player since it eliminates annoying lags while watching the pro....er, downloaded movies.

Re:Real Time? (4, Funny)

Inner_Child (946194) | more than 5 years ago | (#29167363)

I understand, it's embarrassing to admit to watching professional wrestling...

Re:Real Time? (1)

shentino (1139071) | more than 5 years ago | (#29166947)

Well, lubrication does often make things go faster...

OTP !! (0)

Anonymous Coward | more than 5 years ago | (#29166451)

RSA SecurID is a one time password, it can't be reused.

Re:OTP !! (4, Insightful)

shird (566377) | more than 5 years ago | (#29166523)

That doesn't stop them from blocking your login such that they are the only ones using the password/id. They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and login for themselves.

Re:OTP !! (4, Insightful)

Jah-Wren Ryel (80510) | more than 5 years ago | (#29166757)

They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and login for themselves.

If they are smart they can even provide a fake error page once they've acquired the credentials that tells the user that the site is "experiencing technical difficulties" and that they should please try again in 15 minutes. 99.99% of users won't think a thing of it.

Re:OTP !! (1)

kabloom (755503) | more than 5 years ago | (#29167813)

That's probably a really hard hack to pull off. But I doubt most users would notice anything if they got an RSA SecurID password wrong once -- they'd assume it's a typo.

(By the way, I don't see any information saying RSA SecurID only lets you use the token once. Sure it changes every 60 seconds, so that's as good as "once", but if two people happened to be racing to type in the same code at the same time, I don't see anything saying it would deny access.)

Re:OTP !! (1)

growse (928427) | more than 5 years ago | (#29166711)

Think it's Cain and Abel that can work out successive SecurID values based on 3 or 4 sequential correct values. What we really need is challenge response, done properly.

Execute Them (0, Flamebait)

Nom du Keyboard (633989) | more than 5 years ago | (#29166459)

Only when we start immediately and publicly executing these hackers whenever we discover them will we start to put a dent into this problem. Frankly, I don't think that they'll be missed afterwards.

IT'S MADONNA'S BIRTHDAY TODAY! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29166571)

Madonna is 51!

HAPPY BIRTHDAY MADONNA!

I made it through the wilderness
Somehow I made it through
Didn't know how lost I was
Until I found you

I was beat incomplete
I'd been had, I was sad and blue
But you made me feel
Yeah, you made me feel
Shiny and new

Chorus:

Like a virgin
Touched for the very first time
Like a virgin
When your heart beats (after first time, with your heartbeat)
Next to mine

Gonna give you all my love, boy
My fear is fading fast
Been saving it all for you
cause only love can last

You're so fine and you're mine
Make me strong, yeah you make me bold
Oh your love thawed out
Yeah, your love thawed out
What was scared and cold

MADONNA IS THE BEST!

Execute them? No. Catch them. (4, Insightful)

John Hasler (414242) | more than 5 years ago | (#29166591)

No need to execute them. No need to punish them severely at all. We just need to catch them. Given a 50% risk of being caught, a one year prison sentence would provide more than adequate deterrence. Given the present one in 100 million risk of being caught, an 18th century hanging would offer no significant deterrence.

This applies to crime in general as well.

Well I agree but (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29166827)

It's not like we don't know what countries most of this Cracker crap is coming from. We need to deal effectively with the nations that are lax on this stuff. They are lax because it serves their political interest. Eastern Europe is a big place but rather authoritarian. This stuff would stop overnight if they wanted to stop it.

Re:Well I agree but (3, Insightful)

Eudial (590661) | more than 5 years ago | (#29166893)

It's hard to motivate to your voters why you need to spend huge amounts of tax money chasing down cyber criminals that mostly operate abroad, thus not affecting your country in the slightest, when that money could go to catching criminals that do, or to education, health care, whatever.

Likely known (0)

Anonymous Coward | more than 5 years ago | (#29166939)

I am pretty sure they know who the "cyber criminals" are mostly.

Re:Well I agree but (1)

younata (1555631) | more than 5 years ago | (#29167475)

I like not having my money stolen. That would be reason enough, right?

Re:Well I agree but (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29167591)

Most of these crackers operate with the full knowledge of the "governments" of the countries they reside in.

Re:Execute them? No. Catch them. (1)

commodore64_love (1445365) | more than 5 years ago | (#29166935)

>>>Given the present one in 100 million risk of being caught...

And since our lazy leaders, who don't even bother to read the bills they pass, are unlikely to change this statistic, I'm going to go close my online bank account right now. The last thing I need is some asshole swiping my half-million life savings. I'll just drive to the bank instead.

Re:Execute them? No. Catch them. (3, Insightful)

schon (31600) | more than 5 years ago | (#29166937)

We just need to catch them. Given a 50% risk of being caught, a one year prison sentence would provide more than adequate deterrence.

Your post displays a lack of understanding of the criminal mind. Don't feel too bad though, because most people (especially lawmakers) have the same lack of understanding.

The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught. Career criminals believe that only idiots get caught, and since they're smarter than everyone else (thanks to the Dunning-Kruger effect), they won't be caught.

No single "criminal mind" (3, Insightful)

davidwr (791652) | more than 5 years ago | (#29167425)

Your post displays a lack of understanding of the criminal mind. [snip] The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught.

There is no single "criminal mind."

True, many criminals grossly underestimate the chances of getting caught or suffering significant consequences.

Some, those who protest against governments in violation of the law or who steal from the rich to give to the poor, do so for a real or imagined higher purpose.

Others are aware of the consequences but get some benefit out of it, such as the thrill of "getting away with it," the thrill of showing they are, at least this time, more powerful than their victim or society, the thrill or other benefits of a drug high, or simply for financial gain.

I can give you a USA-based example with misdemeanor speeding tickets: Many people spend their entire adult life speeding 5-10% over the speed limit on the highways even when it is safe to go the speed limit, knowing they will get caught a few times a decade. For them, it's simply a matter of cost-vs-benefit. In some parts of the world or for people with certain political connections, the cost-benefit equation for fraud favors the criminal.

Re:No single "criminal mind" (1)

commodore64_love (1445365) | more than 5 years ago | (#29167547)

U.S. speed limits are also set artificially low.

How else can you explain an engineering report that lists 120mph as the designed maximum limit for an interstate, and an 85mph recommended limit for travel, but somehow gets signed at 65? The only reason I can conclude why politicians ignore engineers' recommendations is because the politicians view the twenty mph gap as an opportunity - to increase tax revenue.

And of course the Bernie Madoff-like scammers we call insurance companies also benefit because they can double or triple your rates if you get speeding tickets, even if you are a perfect driver who's never wrecked.

Learn some history (3, Insightful)

davidwr (791652) | more than 5 years ago | (#29168207)

The speed limit was set to 55mph in the mid-70s to conserve oil.

Even with today's fuel-efficient cars, going 65 saves money over going 85.

This is for at least two reasons:
* atmospheric drag
* engine efficiency

The former you can't do much about save driving with a tail-wind: You will get more drag at 85 than 65, and more drag at 65 than 45, more at 45 than 25, and more at 25 than at a dead stop.

The second is determined by the car's engineering. For cars sold in America, most have maximum engine efficiency somewhere in mid-RPM range, corresponding to somewhere in the 50-70mph range in top gear. Any faster than that and you'll lose efficiency.

As long as people are focused on pollution, don't expect wholesale speed-limit reductions, especially in urban areas.

Oh, there is also the safety factor: Even on a road designed for 85mph travel, that's with a given level of traffic and with a given driver behavior pattern. If the traffic is lighter and the drivers behave "better" the ideal speed may be higher, if the traffic is heavier or you have someone weaving in and out of traffic, or even adverse weather or night driving, the ideal speed may be lower.

Speed limits need to be set on a case by case basis for each road segment, taking into account typical actual traffic patterns including typical actual speeds, the accident and near-accident history of the road, pollution levels in the region and downwind, and other factors. The national maximum of 80-ish mph may be too low, but there are very few places near cities where anything higher than even 70mph makes sense.

Re:No single "criminal mind" (0)

Anonymous Coward | more than 5 years ago | (#29168015)

I can give you a USA-based example with misdemeanor speeding tickets: Many people spend their entire adult life speeding 5-10% over the speed limit on the highways even when it is safe to go the speed limit, knowing they will get caught a few times a decade.

Uh, do you live in the US? Every single person everywhere drives 5 MPH over the limit and that's almost always at least 10% over (40 in a 35 is 14% over). I have never known anyone anywhere to get a speeding ticket for 5 over. I have known people to get stopped for 5 over but it was always because the cop just wanted to check them out for some reason (suspected drunk driving or whatever) but even they never got a ticket for it.

The people that drive 7 MPH over the limit are the ones that will get a ticket once in a blue moon. 10 over and you're going to be getting them all the time.

People do not do this to "get away with it" or whatever, they do it because they like going faster. Most people will go as fast as they can just because you get where you're going faster and it's fun. In no way is it because of some feeling of getting away with a crime. That's ridiculous. Some people maybe but they are rare.

Re:Execute them? No. Catch them. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29168137)

"Your post displays a lack of understanding of the criminal mind."

Who the fuck do you think you are? Axel Foley? Your post displays a lack of open-mindedness and foresight.

So you're saying that an increase in the number of arrests (by percent) would not deter criminals, or - to give you the benefit of the doubt - enough to make a difference? Why don't you take a look at the statistics? With respect to that, it seems that perhaps an increase in probability of arrest would be something of a deterrent. Needless to say, making those arrests, that is, not ignoring them as you would do, would also keep those who disregard the law entirely from repeating their offense. Here is a nice chart indicating percent change of crimes from one year to the next.

There will always be people who don't care about the consequences of their actions, and those actions will always be the more damaging when the "unthinkable" occurs (i.e. 9/11, Columbine, and so forth), but one thing that the threat of punishment can do is deter the would-be criminals with weaker motivations or morals that are not completely skewed. This won't prevent the "unthinkable," but it will keep more people from committing most crimes. The main problem with trying to prosecute international cyber-crimes is jurisdiction, which would likely cause a larger bureaucratic mess than the crime itself.

Punishment is supposed to be about demotivation, though the US doesn't have a great track record on demotivating those convicted of their crimes. The threat however, is likely a more powerful demotivator to those who would be susceptible to being talked out of committing the crime.

Statistically speaking, if it were possible to find and prosecute a sizable enough number of any group of criminals, it would seriously deter enough of them to represent a decrease in the volume of acts committed.

To get back on topic, one time pads and other methods should have been implemented by financial institutions to begin with. This sending of unencrypted bank information - especially to cell phones - to and from clients is ridiculous.

- Spades

Re:Execute them? Immunology (1)

mindbrane (1548037) | more than 5 years ago | (#29167097)

The human immune system is in part adaptive. It learns, or, acquires a repertoire of effective actions against invading antigens. The black hats drive PC and Internet security. In a sense their critical doubt run amok, but, as such, push innovative responses. In the late 90's the Internet was alive with crackers and script kiddies. There was at one time a community of reverse engineering that "boasted" a University. I'm not saying they're good. They're a bad pain in the ass but I'd rather give their kind enough room on the Internet to allow white hats to keep the best possible eye on them. How lame would PC security be without being incessantly tested?

Biometrics (-1)

Nefarious Wheel (628136) | more than 5 years ago | (#29166463)

Ah well, what science can invent, science can circumvent. Unless we meet any friendly Arisians.

RSA was good while it lasted. It's still better than nothing. Looks like we may need to invest in biometric laptops for the crew. What a pain.

Re:Biometrics (3, Informative)

vux984 (928602) | more than 5 years ago | (#29166539)

RSA was good while it lasted. It's still better than nothing. Looks like we may need to invest in biometric laptops for the crew. What a pain.

Reread what they are doing, biometric laptops won't help. They could capture the biometric data as easily as the keyboard data.

Re:Biometrics (5, Funny)

John Hasler (414242) | more than 5 years ago | (#29166657)

Anything to avoid a secure OS eh?

Re:Biometrics (3, Informative)

Anonymous Coward | more than 5 years ago | (#29167387)

First of all, RSA SecurID has nothing to do with the algorithm RSA (besides being created by the same people).

Second, biometrics won't help at all since they can simply transmit the biometric data back and have *permanent* access to whatever system uses it.

Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords. If the hacker tries to log in to the system using the same password the victim just did, he will be rejected since that password was already used. If he keeps trying to do this, they will probably detect the attack and remove the trojan (not to mention that a single event where the same password is used twice from two different locations is already suspicious enough). If he somehow manages to get the password and log in with it before the victim does (even though at this point the victim has already entered his password), the victim will not be able to log in and quickly detect the problem.

Thwarted by properly designed online banking (4, Informative)

upside (574799) | more than 5 years ago | (#29166469)

Again, a proper banking system like my bank uses

- a one time pad for logging on
- another set of codes, from which one is picked randomly, to confirm transfers

The one time pad means they can't open a second session. Even if they could hijack the session I've opened they can't transfer money without my explicitly authorizing each transfer by entering the second code.

Re:Thwarted by properly designed online banking (0)

Anonymous Coward | more than 5 years ago | (#29166675)

Mine does this too. It is (almost) impossible to transfer funds to an unknown account without a key-signing operation, in which I see the destination account number.
But I'm sure people are dumb enough to sign whatever the computer asks them to, so it's not foolproof.

Re:Thwarted by properly designed online banking (1)

fbjon (692006) | more than 5 years ago | (#29166721)

Technically, it's possible to modify the browser itself so it inserts unwanted transactions into the list, but hides them from view for the user, and then just waits for them to get confirmed in conjunction with some other transaction made by the user. Don't know if it's worth the trouble though.

Re:Thwarted by properly designed online banking (3, Insightful)

CrashandDie (1114135) | more than 5 years ago | (#29167023)

A good solution (read as "implementation") would consist of a challenge that the user can verify corresponds to the transaction he wishes to do. The first four digits of the Challenge are the last four digits of the sum. The last six digits of the Challenge are the first six digits of the target bank account. Etc.

Nobody can expect good security if the user doesn't watch out and double checks what's happening. The attack you're talking of could very well be done to a poor old lady paying her bills for the month in front of her bank manager. Just slip a bill she shouldn't pay: if neither she or the bank pay attention, the money will be stolen.

Even though I work in this field, and I'd love to come up with a solution that fixes all the issues, I just don't believe it. There will always be monkeys reading through tons of transactions, trying to spot the one that doesn't belong, and you will always have your credit card company calling you when suddenly there's $5k flying through some casino 800 miles from your residence.

There is no ultimate security when it comes to banking apps, especially when you give end-users, and thus end-computers (which can and will be infected/modified/hacked in all ways imaginable or not) access to your application, you can't trust it. The only thing we can try to do is mitigate the risk for the general population, and hope we can filter out the few hacks. If you don't spot it, just pay the bill. The amount of money you lose that way will always be less than trying to fund impossible research that may yield nothing at all.

Re:Thwarted by properly designed online banking (3, Interesting)

Jah-Wren Ryel (80510) | more than 5 years ago | (#29166731)

The one time pad means they can't open a second session.

RSA secure-id keys are single-use too. They roll every minute but they also roll on every successful use.

Re:Thwarted by properly designed online banking (1)

mce (509) | more than 5 years ago | (#29167141)

For starters, I don't think they roll on success (how would the device know, by the way?). -- Disclaimer: I'm holding one in my hand right now, so I'm pretty sure. ;-)

But even if they would: the legitimate user would not be able to know the difference between a failure due to making a typo and a failure due to some hacker beating him to the line. So he'd assume the former and simply try again, not understanding that someone else is active at the same time. Providing such a false sense of security doesn't sound like good design...

Re:Thwarted by properly designed online banking (5, Informative)

Jah-Wren Ryel (80510) | more than 5 years ago | (#29167189)

For starters, I don't think they roll on success (how would the device know, by the way?).

The server enforces it. You can't authenticate multiple times with the same token. The server returns an "already used" code if it was recently used. I know this because I've written software that uses RSA's SecurID toolkit.

But even if they would: the legitimate user would not be able to know the difference between a failure due to making a typo and a failure due to some hacker beating him to the line.

Again, see the point above about return values from the server-side. The application may choose to report this information directly to the user or simply flag it for the security team to investigate further. I prefer the latter because false positives are going to be pretty rare unless the client software is broken in other ways.
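The server-side rule described in this post (and the "one time" claim in the earlier AC and Anonymous replies, plus the 60-second single-use setting another poster mentions below) can be shown with a small validator. The following is an added example, not RSA's SecurID algorithm or toolkit: the token here is an assumed HMAC-based, minute-rolling construction, and the seed, user names, timestamps and return-code names are all constructed for illustration. The point it demonstrates is the defender's view of the summary's relay scenario: once a code has been accepted for a user in a given window, a second presentation of the same code is refused and flagged for the security team rather than silently failing like a typo.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Constructed example: a time-based OTP generator and a server-side validator
# that refuses to accept the same code twice. The token algorithm is a generic
# HMAC construction (assumption), NOT RSA's proprietary SecurID algorithm.

STEP_SECONDS = 60   # the code rolls once a minute, as the summary describes
DIGITS = 6


def window_for(ts: float) -> int:
    """Map a Unix timestamp to its 60-second window number."""
    return int(ts // STEP_SECONDS)


def otp_for_window(seed: bytes, window: int) -> str:
    """Derive the 6-digit code for one window from the token seed (assumed HMAC scheme)."""
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


# Return values the server hands back; the application decides what to tell the user.
OK = "ok"
BAD_CODE = "bad_code"
ALREADY_USED = "already_used"


@dataclass
class OtpServer:
    seeds: dict                                   # user -> token seed
    used: dict = field(default_factory=dict)      # user -> set of windows already accepted
    alerts: list = field(default_factory=list)    # (user, reason) queued for the security team

    def verify(self, user: str, code: str, now: float) -> str:
        seed = self.seeds.get(user)
        if seed is None:
            return BAD_CODE
        win = window_for(now)
        # Accept the current window and the previous one to tolerate clock drift.
        for w in (win, win - 1):
            if hmac.compare_digest(otp_for_window(seed, w), code):
                accepted = self.used.setdefault(user, set())
                if w in accepted:
                    # Same code presented a second time: a relayed/replayed login attempt,
                    # not a typo. Refuse it and leave a trail for investigation.
                    self.alerts.append((user, "code reused within its window"))
                    return ALREADY_USED
                accepted.add(w)
                return OK
        return BAD_CODE


if __name__ == "__main__":
    server = OtpServer({"alice": b"constructed-seed"})
    t = 1_700_000_000.0
    code = otp_for_window(b"constructed-seed", window_for(t))
    print(server.verify("alice", code, t))        # first use is accepted
    print(server.verify("alice", code, t + 5))    # second use is refused
    print(server.alerts)
```

Whether the application tells the user "already used" or only raises an alert is a policy choice, as the post says; the validator returns the distinct code either way so the application can make that choice.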

Re:Thwarted by properly designed online banking (0)

Anonymous Coward | more than 5 years ago | (#29166815)

Uh no. A proper security system has to work as follows.

You have a dongle that you can insert between the keyboard and the computer machine that signs each keystroke. If you do this then the bank can verify that the input is passing through the dongle. Including the users password. Note that the dongle can be built into the computer if needed, for instance on a laptop.

Re:Thwarted by properly designed online banking (2, Interesting)

Anonymous Coward | more than 5 years ago | (#29166867)

An alternative used by at least one bank in Australia is that when you request a transaction they send an SMS to your pre-authenticated mobile number detailing the transaction, i.e. who to and how much, and giving an authorisation code that you then enter. That code only authorises that specific transaction.
No need to carry a one-time pad around or a special code generator

Re:Thwarted by properly designed online banking (3, Interesting)

Jah-Wren Ryel (80510) | more than 5 years ago | (#29167219)

An alternative used by at least one bank in Australia is that when you request a transaction they send an SMS to your pre-authenticated mobile number detailing the transaction, i.e. who to and how much, and giving an authorisation code that you then enter. That code only authorises that specific transaction.

That's common in Europe too. But the result has been that hacking SMS in various [softpedia.com] ways has become of great interest to thieves. If they don't already exist, you can count on seeing Java trojans for cell phones that silently forward SMS too.

Re:Thwarted by properly designed online banking (1)

Grieviant (1598761) | more than 5 years ago | (#29167859)

An alternative used by at least one bank in Australia is that when you request a transaction they send an SMS to your pre-authenticated mobile number detailing the transaction, i.e. who to and how much, and giving an authorisation code that you then enter. That code only authorises that specific transaction. No need to carry a one-time pad around or a special code generator

Could this be made stronger by requiring an actual voice message to be sent as a response, to which the bank could apply a voice recognition algorithm to verify that it was actually sent by you? It wouldn't have to be a true confirmation "voice message" per se, but the alphanumeric code spoken rather than keyed.

Re:Thwarted by properly designed online banking (0)

Anonymous Coward | more than 5 years ago | (#29166887)

You're confused, One-Time Pad [wikipedia.org] != One-Time Password [wikipedia.org] .

Re:Thwarted by properly designed online banking (0)

Anonymous Coward | more than 5 years ago | (#29166923)

They can, however, act as a MITM and perform a transfer they desire while displaying it as the transfer you desired. Without a trusted hash or cipher on your end, you're ultimately screwed.

I don't know why the stupid RSA tokens don't have the banking interface built into them and talk SSL over bluetooth/USB for a much more secure solution. At the very least, they should be able to display the account numbers in question for a transfer, as well as the amount, and be used to sign that information so the bank will not be able to accept MITM'd transactions.

Re:Thwarted by properly designed online banking (5, Informative)

CrashandDie (1114135) | more than 5 years ago | (#29166931)

Disclaimer: I work for one of RSA's competitors in this domain.

The article focuses on RSA's SecurID, but one of the main drawbacks of RSA's SecurID is that it is only time based. Other companies also use event-counters, which means that you can't actually replay the attack.

The parent is right (and I should know, I deploy these solutions), most serious banks will use OTPs (One Time Passwords) for the initial log-on, but then require Challenge-Responses to sign the transactions (website provides a challenge, which can be a completely random number, or based on a number of variables: amount, target account, etc; this challenge is provided to the token (stupidly named "gadget" in the summary), and it spits out a response.) This can be verified by the server.

OTPs have always had this flaw, and this really isn't any news. I've heard of attacks where real-time keyloggers would interrupt the network connection (wifi, ethernet, whatever) on a software/OS level temporarily (I assume by refreshing the DHCP bumf) as to allow the attacker to use the OTP.

However, this can be easily thwarted.

Any good Authentication Server will provide the option to use seeded authentication, and even though this doesn't apply to OTPs (most OTP algorithms actually include clock counter (and event counter if it is implemented, not RSA's case) related information in the OTP, hence the whole OTP is required for authentication), it does apply to Memorable Data. For example, 2nd and 8th character of your secret passcode. Or for example, even better: multiply the 4th digit of your OTP with the 6th digit of your secret passcode. (OTP still required to be input completely). Yeah sure, given sufficient time, the attacker should be able to know what your passcode is, but heck, that's going to require quite some effort.

Wikipedia has a bit of a section about the MITM attacks vulnerabilities of OTPs (even though it is right in SecurID's article [wikipedia.org] , it doesn't apply to them alone, but to the concept as a whole). The main issue, however, with RSA's implementation isn't necessarily the MITM attack, but quite simply, stealing the token. It doesn't have a PIN code, heck, it even just shows the code the whole time (last one I checked did this), and I could read the number right off my friend's keychain.

Also, let us not forget that a one-time attack (which again, shouldn't be much of an issue if banks have a good solution that requires CRs for each transaction) on an account really isn't a big deal. It's a One-Time Password. It's only valid once. After he's visited the account, and seen the balance, that's about as far as he's going to go.

Nothing to see here, please move along. If anything, this is just going to drive our business a bit.
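The transaction-signing scheme CrashandDie describes in this post and in the earlier reply (a challenge built from the amount and the target account, which the token turns into a response the server verifies) is the same idea as the SMS code that "only authorises that specific transaction" mentioned above. The following is an added example and not any vendor's product or algorithm: the digit layout (last four digits of the amount, first six of the account) follows the earlier reply, while the response function, secret, account numbers and the `Bank` class are constructed assumptions. It shows why the binding matters: a response computed for the transaction the user saw does not verify for a transaction a compromised browser rewrote, and a user who compares the displayed challenge with what they intended can catch a swapped challenge before typing it into the token.

```python
import hmac
import hashlib

# Constructed example of transaction-bound challenge/response. The bank derives
# a challenge from the transaction details, the user's token signs that challenge
# with a shared secret, and the bank executes only if the response matches the
# transaction as the bank actually received it.


def build_challenge(amount_cents: int, target_account: str) -> str:
    """Human-checkable challenge: last 4 digits of the amount, then first 6 of the account.
    Non-digit characters in the account are dropped; short accounts are zero-padded (assumption)."""
    digits = "".join(ch for ch in target_account if ch.isdigit())
    return f"{amount_cents % 10000:04d}{digits[:6]:0<6}"


def user_checks_challenge(displayed: str, amount_cents: int, target_account: str) -> bool:
    """What a careful user does before typing the challenge into the token:
    compare the digits on screen with the transfer they actually intend."""
    return displayed == build_challenge(amount_cents, target_account)


def token_response(secret: bytes, challenge: str) -> str:
    """Assumed token algorithm: an 8-digit truncation of HMAC-SHA256 over the challenge."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


class Bank:
    def __init__(self, secrets: dict):
        self.secrets = secrets      # user -> token secret shared at enrolment
        self.executed = []          # transactions that passed verification

    def challenge_for(self, amount_cents: int, target_account: str) -> str:
        return build_challenge(amount_cents, target_account)

    def submit(self, user: str, amount_cents: int, target_account: str, response: str) -> bool:
        # Re-derive the challenge from the transaction *as received*. If anything in
        # transit changed the amount or the account, this challenge differs from the
        # one the user signed and the response will not match.
        expected = token_response(self.secrets[user], build_challenge(amount_cents, target_account))
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.executed.append((user, amount_cents, target_account))
        return ok


def scenario_mitm(user_secret: bytes) -> tuple:
    """User intends 150.00 to account 123456789; an infected browser rewrites the account.
    Returns (tampered_accepted, honest_accepted, swapped_challenge_noticed)."""
    bank = Bank({"alice": user_secret})
    intended = (15000, "123456789")
    tampered = (15000, "999999999")       # constructed attacker-controlled account

    # Case 1: the browser shows the honest challenge, the user signs it, the
    # browser then submits the rewritten transaction with that response.
    challenge = bank.challenge_for(*intended)
    response = token_response(user_secret, challenge)
    tampered_accepted = bank.submit("alice", *tampered, response)
    honest_accepted = bank.submit("alice", *intended, response)

    # Case 2: the browser instead displays the challenge for the rewritten
    # transaction. The digits no longer match what the user meant to send.
    swapped_challenge = bank.challenge_for(*tampered)
    noticed = not user_checks_challenge(swapped_challenge, *intended)
    return tampered_accepted, honest_accepted, noticed


if __name__ == "__main__":
    print(build_challenge(15000, "123456789"))     # 5000123456
    print(scenario_mitm(b"constructed-token-secret"))
```

The second case is the one CrashandDie's "nobody can expect good security if the user doesn't watch out" remark is about: the cryptography only protects a transaction whose challenge the user actually compared against their intent.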

Re:Thwarted by properly designed online banking (0)

Anonymous Coward | more than 5 years ago | (#29167595)

Disclaimer: I work for one of RSA's competitors in this domain.

That's ok. Which one? Entrust? If Entrust had better support of OWA, cisco, radius & clustering my company probably would have gone with Entrust.

The article focuses on RSA's SecurID, but one of the main drawbacks of RSA's SecurID is that it is only time based. Other companies also use event-counters, which means that you can't actually replay the attack.

You can set your RSA SecurID server so that replay isn't allowed - even though the token changes every 60 seconds, it can only be used once in that 60 second time period, so replay isn't possible.

Actually, it can be annoying: I sit down at my desk and log on to my desktop with my token. Next, I log on to a different server - I have to wait until the token number changes before logging on to the next server.

Wikipedia has a bit of a section about the MITM attacks vulnerabilities of OTPs (even though it is right in SecurID's article, it doesn't apply to them alone, but to the concept as a whole). The main issue, however, with RSA's implementation isn't necessarily the MITM attack, but quite simply, stealing the token. It doesn't have a PIN code,

Normally RSA tokens do have a PIN code, and you need both the PIN and the token to log on. It's true that you can set the RSA SecurID server to NOT require a PIN, but RSA strongly recommends against it.

Personally, I think the biggest flaw of RSA securID is the abomination of the version 7.1 server. RSA reprogrammed the entire thing in java. What used to be a small fast lightweight app now requires 4 gigs of memory to run well, and even with that, it typically takes 10-15 minutes for the app to start.

I would prefer to use the 64-bit version & throw a lot of memory at it, but RSA's radius server doesn't yet work on 64-bit.

Re:Thwarted by properly designed online banking (0)

Anonymous Coward | more than 5 years ago | (#29167855)

My company uses RSA's SecurID tokens for VPN access and they do require a PIN along with the token code. You cannot simply read someone's token and log in with the number unless you also know their username and PIN.

Re:Thwarted by properly designed online banking (3, Funny)

bruno.fatia (989391) | more than 5 years ago | (#29167151)

My bank has so much more security that even when I want to I can't transfer anything!

Re:Thwarted by properly designed online banking (1)

ColdWetDog (752185) | more than 5 years ago | (#29167697)

My bank has so much more security that even when I want to I can't transfer anything!

You have to have the money in your account in the first place.... Most banks are pretty good at making sure that requirement is upheld. Sorry if it messes up your plans.

Re:Thwarted by properly designed online banking (1)

Quothz (683368) | more than 5 years ago | (#29167173)

The one time pad means they can't open a second session.

No, it means you can't open a second session. You never posted your login, because they control the vertical and the horizontal. Although the transfer confirmation code should stop 'em, one hopes.

Re:Thwarted by properly designed online banking (1)

timmarhy (659436) | more than 5 years ago | (#29167419)

my bank does something similar - all transfers require initial confirmation via an SMS sent to my mobile.

Re:Thwarted by properly designed online banking (1)

ckaminski (82854) | more than 5 years ago | (#29167433)

Which bank is this, and how do you get your codes?

Sigh... (1)

Annwvyn (1611587) | more than 5 years ago | (#29166477)

"By going real time, hackers now can..." Exactly the kind of crap that gives REAL hackers a bad name to the lay-person. The douchebags stealing info from banks aren't hackers... they are thieves and crackers.

Re:Sigh... (1)

John Hasler (414242) | more than 5 years ago | (#29166673)

I think that the guys who write the software qualify as hackers. Evil hackers, but hackers nonetheless.

Re:Sigh... (1, Interesting)

commodore64_love (1445365) | more than 5 years ago | (#29167159)

>>>The douchebags stealing info from banks aren't hackers... they are thieves and crackers.

You don't know your definitions son. For as long as I can remember, a hacker was someone who broke into secured computers. I don't see how you can claim there's anything "good" about such a person. (shrug). And a "cracker" is someone who defeats copy-protection. Originally that applied to cracking floppies, but now it also applies to CDs, DVDs and downloaded media like MP3/AAC files.

So in other words the article used the proper terminology for somebody hacking to secure websites - hackers.

Re:Sigh... (1)

Annwvyn (1611587) | more than 5 years ago | (#29167355)

There are several definitions of hacker. The original definition of the word is not someone who does what you mention, not even close. The definition that you give is the 'modern mainstream culture' definition, but I view most mainstream culture as retarded and ignorant (because of articles that mention hackers in a negative light, which you apparently have also been brainwashed by). Do a wikipedia on hacker, see what else is out there. Most people that call themselves 'hackers' in the computer-savvy world that I know are people that are more curious than anything else and just want to 'solve the puzzle,' usually by tweaking their own software and hardware. If you also want to, go look up a programming job site that sells jobs and I bet you will see the word hacker used just as much as programmer--no, it is not to 'hack' into your friend's computer to plant an idiotic virus that makes naked ladies pop up on his screen.

Re:Sigh... (1)

commodore64_love (1445365) | more than 5 years ago | (#29167463)

I've been using computers since the early 80s, and hacking very specifically meant someone doing things that the "authorities" would consider crimes - like phreaking to get free phone calls. Or wardialing to find computers to break into. Or just guessing people's passwords on BBSes so you can raise havoc. And of course cracking software so it could be copied freely amongst friends (aka piracy).

Adjusting settings hardly qualifies you as a "hacker" - that's just your average, ordinary computer "user" and nothing special. Anyone can adjust settings if they just put in the time.

Re:Sigh... (1)

rduke15 (721841) | more than 5 years ago | (#29167677)

Re:Sigh... (1)

rduke15 (721841) | more than 5 years ago | (#29167561)

Google says [google.com] it's "someone who plays golf poorly".

Not a problem (0)

Anonymous Coward | more than 5 years ago | (#29166495)

RSA SecurID can be configured to only allow a tokencode to be used for authentication once. If configured in this way, the above keylogger still wouldn't let someone log in remotely after the legitimate user had used the tokencode.

Not too much of an issue, really.

Re:Not a problem (1)

Mascot (120795) | more than 5 years ago | (#29166549)

I think the assumption would have to be made that the trojan prevents the token from actually being transmitted to the bank, thus giving the thief its one login.

As I mention in my other post though, I still don't see it as an issue, since every actual transaction would require a freshly generated token (assuming a sane bank).

Re:Not a problem (1)

QuantumG (50515) | more than 5 years ago | (#29166715)

Except that the attacker can just return a "no, that's invalid, try logging in again" and the user will happily give them a second token which they can now use to do the transfer.

Re:Not a problem (1)

Mascot (120795) | more than 5 years ago | (#29166767)

The calculator won't give you a new token for another 30-60 seconds (depending on configuration).

Of course, one could argue that people that won't notice anything odd with a forged site, also won't mind the usually instant "eeer, wrong!" taking a whole minute. But nothing will save the idiot from the persistent phisher, so at some point the line between security and convenience needs to be drawn.

Re:Not a problem (1)

QuantumG (50515) | more than 5 years ago | (#29167163)

Umm.. it's a banking website.. I dunno about your bank, but my bank takes 30+ seconds to log me in on a good day.

Oh, and blaming the user for a failure of technology is classic geek arrogance. The simple fact is, these token devices are a part of the arms race and if you want to keep ahead, you've got to keep innovating. For example, most users don't even *need* wire transfer capabilities so they should be disabled by default; when they ask for it to be enabled the bank gets the opportunity to educate users that the second generator built into the device is for authorizing wire transfers only.

Re:Not a problem (1)

fwr (69372) | more than 5 years ago | (#29166577)

You're not thinking out of the box. Sure SecurID is a one-time password system, but that doesn't mean it still can't be exploited. If the keylogger is sophisticated enough to be able to pick out the username, pin, and tokencode, it is sophisticated enough to send the real tokencode to the hacker, in real time, while fudging it up for the user. Passwords are usually masked anyway, so the user would never know that the keylogger changed the tokencode. The hacker logs in, and the user tries again, possibly waiting for the next tokencode.

Re:Not a problem (1)

John Hasler (414242) | more than 5 years ago | (#29166691)

The cracker logs in. The guy who wrote the trojan may qualify as a (evil) hacker but the one using it is a mere cracker.

I'm not feeling the menace (1)

Mascot (120795) | more than 5 years ago | (#29166513)

The technique menaces the 2-factor authentication that some banks have instituted:

Sure, they could intercept my login, but that would get them nothing. A new token is required for each and every transaction once logged in. I suppose they could try to add an emulation layer of sorts for the entire bank site, but that starts to become a lot of work with a lot of opportunity to notice something strange going on.

And? (1)

ledow (319597) | more than 5 years ago | (#29166521)

Does it really matter? If they have access to your PC, why on Earth is this an issue anyway? Two-factor authentication or not, they have *ACCESS* to your Visa numbers, Amazon account, bank details (if you pay some bills online by direct transfer etc.). What the things *do* once they are on your machine is irrelevant. How they got there and finding them is infinitely more important.

2-factor (0)

Anonymous Coward | more than 5 years ago | (#29166529)

This doesn't break RSA's 2-factor at all, as long as they have it setup to accept each temporary password only once.

I just got nailed by a logger (1, Funny)

Anonymous Coward | more than 5 years ago | (#29166601)

I'm careful but I just noticed a lag in my e-mail typing so I'm assuming I got nailed by a logger. I switched off that machine and don't use it for the internet but I am having trouble getting rid of it. I've been having a lot of trouble getting rid of things since I switched to Vista. What's the best software these days? I had all my security up and I hadn't been downloading even commercial software so I haven't a clue where it came from. I do a lot of on-line banking so I'm not about to use that machine again but I'd love to get rid of it since I do have a lot of web sites saved off on that one. All I can think was I got it from clicking on a web link to a story. I do surf a lot of news.

Re:I just got nailed by a logger (1)

michaelhood (667393) | more than 5 years ago | (#29167049)

If you were naive enough to get a trojan to begin with, almost certainly the best "software" (OS?) for you is going to be not going online at all.

Re:I just got nailed by a logger (1)

Sir_Lewk (967686) | more than 5 years ago | (#29167503)

I switched to Vista

And you say you are having lag issues. How curious...

Time for a secured endpoint like IBM's ZTIC? (2, Interesting)

mlts (1038732) | more than 5 years ago | (#29166639)

I wonder if the next step will be a dedicated hardware device such as IBM's ZTIC, where one does their transaction confirming on a closed secure device. This way, even though the consumer's PC may be compromised, an attacker trying to run transactions would be stopped when there is no device confirming the transaction.

Of course, there are always issues like spamming the user with bogus transactions, or compromise the hardware device. However, it is a lot harder to compromise a hardware device than a generic PC which has to parse/execute/render untrusted code from the Internet on a common basis.

Exactly right. (2, Insightful)

brunes69 (86786) | more than 5 years ago | (#29167077)

How many of these stories do we have to see before people wake up and realize that the login and security method is irrelevant if the OS itself is compromised?

Run a Virtual Machine (1)

popo (107611) | more than 5 years ago | (#29166669)

And browse / log in using the VM. Done.

Doesn't work (1)

FranTaylor (164577) | more than 5 years ago | (#29166795)

VMs can break into their host machine.

Read the paper presented at the recent BlackHat Conference.

Re:Run a Virtual Machine (1)

Eudial (590661) | more than 5 years ago | (#29166921)

What's changed in that? If a Trojan can get into your host machine, it can get into your emulated machine (since it obviously has Internet connectivity), and vice versa. Doesn't really matter if it catches real or emulated key presses.

please oh please delete my account (-1, Offtopic)

NoGoodNamesLeft98213 (1609617) | more than 5 years ago | (#29166693)

why won't slashdot delete my account upon request?

Too late (1)

dandart (1274360) | more than 5 years ago | (#29166729)

This message means your browser has been exploited with a known hole causing black hat crackers to receive what you type!

Yo dawg (0)

dandart (1274360) | more than 5 years ago | (#29166743)

I herd u liek browser. Tis MINE NAO! Im in ur b0x0rz stealin ur keystrokes! All your cardz are belong to us!

RSA SecurID (0)

Anonymous Coward | more than 5 years ago | (#29166747)

From TFS:

"Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula."

The RSA SecurID tokens generate a unique code that is only valid for ONE logon transaction. As soon as it's used, it becomes invalid, no matter if it's still within the one-minute window of validity or not, so you can't log on twice with the same code. The only chance the real-time hackers would have is to grab the code and log in in the few moments between when the user finishes typing in the passcode and them pressing enter.

Anonymous Coward (0)

Anonymous Coward | more than 5 years ago | (#29166777)

Real time key logger, that reports back visited web sites? Isn't that how Google Chrome address bar works?

For once I'm glad... (1)

Iphtashu Fitz (263795) | more than 5 years ago | (#29166841)

... that I'm still a Bank of America customer. I've grown to like their 2-factor authentication mechanism. You can set up your account so that whenever you try to log in they send a random 6-digit number to you via a text message to your phone. You then enter that number into the website as you're logging in. Since it's truly a one-time-use number sent out of band from the way you're logging in it's about as secure as you can get.

Re:For once I'm glad... (1)

caluml (551744) | more than 5 years ago | (#29167131)

I remember suggesting this years ago, and the responses I got at the time were "but I/my mother/granddad/aging relative doesn't have a mobile phone", or "I don't want to have to carry around my mobile to use my online banking" - all very strange retorts. Glad to see a bank using its noddle.

I type with my brain (0)

Anonymous Coward | more than 5 years ago | (#29166927)

Who uses a keyboard anyway ?

News? (0)

Anonymous Coward | more than 5 years ago | (#29166999)

Wait, aren't ALL keyloggers real time?

The problem is service provider sloppiness (5, Interesting)

Animats (122034) | more than 5 years ago | (#29167043)

Bank of America used to have a good system for authenticating their site. At login, you input your ID, and the B of A site gave you back a photo of your own choosing to tell you that you were on the real Bank of America site. Only then did you input your password.

Last Friday, B of A broke this feature. I'm now getting a password prompt without seeing the photo I'd chosen. My first thought was that there was a security problem. I checked the SSL cert info, which looked OK. I reinstalled Firefox. No change. I called Bank of America. They wanted me to remove Flash, which I did. No change. They advised me not to log in. Then they passed me off to tech support, which hasn't called back yet.

Then I took out a Linux-based Eee PC 2G Surf that had been unused for months, powered it up, plugged in an Ethernet cable, and saw the site doing exactly the same thing. So it's probably not a client side problem.

What I think happened is that someone at B of A did a partial site redesign and broke something. They introduced some Flash (something called "/sas/sas-docs/html/pmfso.swf") on the password page (a terrible idea, given Flash's history of security vulnerabilities) and along with that, broke some part of the login process.

If, in fact, they've had a break in on the server side, the main login of Bank of America has been compromised for at least three days now. I'm not seeing any indication of that, though; just general ineptitude.

(The page HTML is awful. It's clearly been modified over and over for years without a cleanup. It has Flash, Javascript, CSS, single-pixel GIFs for formatting, and comments like "July maintenance OLB timeout inactivity update starts". The "enter password" page has 966 lines of HTML and JavaScript, not including external files. That's too much flaky machinery for such a security-critical function.)

Re:The problem is service provider sloppiness (1)

langelgjm (860756) | more than 5 years ago | (#29167353)

FYI, I just looked at the BoA site and I don't see the problem you describe. Maybe it's a regional thing? Also, ING has a similar picture based system.

Re:The problem is service provider sloppiness (1)

noidentity (188756) | more than 5 years ago | (#29168231)

Bank of America used to have a good system for authenticating their site. At login, you input your ID, and the B of A site gave you back a photo of your own choosing to tell you that you were on the real Bank of America site. Only then did you input your password.

My credit union used this for a while, but stopped recently (or maybe not! *eerie music*). I don't see how it helps me verify that I'm really connecting to their site, though, since a middleman site can just as easily act as a proxy to the real site, relaying my account number to it and relaying the verification image back to its fake page, making me think it's the real page. Then when I enter my password, I'm screwed.

Real time security (0, Troll)

HomelessInLaJolla (1026842) | more than 5 years ago | (#29167069)

New slashdot poll suggestion:

Real-time keyloggers were first discovered in the wild last year

The above statement is:
1. True
2. Not true
3. Funny
4. Absurd
5. F*ckin' hilarious

Nobody really wants to face uncomfortable facts so we write stories blaming it all on some hackers in some other part of the world. A good hacker is the fellow who says, "I see how that could be done but I, myself, have no interest in figuring out how to do it because I have more important things to work on and I wouldn't do something like that." An evil hacker is the guy who says, "I see how that could be done and I am going to devote time and effort to figuring out how to do it for my own fun and profit." Face reality. Both of those guys have been around for over a generation now and they are not going away. Those guys, both the good guy and the bad guy, are employed by governments (including ours), employers (including yours), and ISPs (everyone's).

Do not allow yourself any illusion about computer security. Computers in today's world are blocks of swiss cheese. You may not know the exploits, nobody in your immediate circle of friends knows the exploits, but they are there and have been there for at least thirty years. That is thirty years' worth of evil hackers who have created systems of exploiting the unknowing userbase. How large does any useful or profitable business segment become after thirty years? Would the government have an interest in keyloggers--they have telephone filtering, so why not? Would your employer have an interest in keyloggers? Would your college or university have an interest in keyloggers? If only for your own sanity you should start allowing yourself at least a tiny morsel of honesty.

I do not know how to properly convey this to the general population (or the mods) but sticking your head in the sand is not going to improve the situation.

Is there a solution? Yes, but you will not like it.

A good portion of the solution begins with buying a good dinner for me and ensuring that I have a place to sleep at night more comfortable than concrete in the open breeze.

Second data channel needed (0)

Anonymous Coward | more than 5 years ago | (#29167083)

As long as everything needed for a successful bank transaction is done through one line (e.g. your Internet connection at home) and a malicious hacker is able to control your endpoint of that connection, he will be able to attack any transaction, no matter how complex the security is (all secure communication schemes are based on the assumption that the endpoints are secure).

A good solution is to require communication over a second channel, e.g. telephone calls or SMS for confirmation of transactions (bank sends SMS with transaction data, client sends SMS with "authorize"). This is done by some banks already.
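What the second channel buys depends on two details the post states in passing: the SMS must carry the transaction data, and the code must authorize only that transaction. The Python below is an added example, not code from this post or from any bank; `send_sms` is a stand-in callable for an SMS gateway and the account numbers, phone number and server key are constructed. The same shape serves the ZTIC-style "confirm on a separate device" idea raised earlier in the thread, with the device in the phone's role.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str        # source account (constructed values in the demo)
    destination: str    # payee account
    amount_cents: int


class ConfirmationService:
    """Bank side of an SMS confirmation step. The code texted to the customer is
    derived from the transfer's own details, so it authorizes exactly the transfer
    the message describes and nothing else."""

    def __init__(self, server_key: bytes, send_sms):
        self.server_key = server_key
        self.send_sms = send_sms   # callable(phone, text); stand-in for an SMS gateway
        self.pending = {}          # txn_id -> (Transfer, nonce)

    def _code(self, txn: Transfer, nonce: bytes) -> str:
        msg = f"{txn.account}|{txn.destination}|{txn.amount_cents}|".encode() + nonce
        digest = hmac.new(self.server_key, msg, hashlib.sha256).digest()
        return str(int.from_bytes(digest[:4], "big") % 1_000_000).zfill(6)

    def request(self, txn: Transfer, phone: str) -> str:
        """Record the transfer as pending and text the customer what they are
        about to approve, with the code bound to those details."""
        nonce = secrets.token_bytes(16)
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = (txn, nonce)
        self.send_sms(phone, f"Transfer {txn.amount_cents / 100:.2f} to "
                             f"{txn.destination}? Reply code {self._code(txn, nonce)}")
        return txn_id

    def confirm(self, txn_id: str, submitted: Transfer, code: str) -> bool:
        """Execute only if the browser's final submission still matches what was
        texted and the code is the one for that transfer. One attempt per txn_id."""
        entry = self.pending.pop(txn_id, None)
        if entry is None:
            return False
        txn, nonce = entry
        return submitted == txn and hmac.compare_digest(self._code(txn, nonce), code)


def demo_run():
    """Constructed walk-through: legitimate confirm, altered confirm, replayed confirm."""
    inbox = []
    bank = ConfirmationService(b"constructed-server-key",
                               lambda phone, text: inbox.append(text))
    txn = Transfer("ACC-000111", "ACC-999222", 25_000)
    altered = Transfer("ACC-000111", "ACC-666333", 25_000)   # payee changed in the browser

    # 1. Customer approves exactly what the text describes.
    tid = bank.request(txn, "+1-555-0100")
    legit = bank.confirm(tid, txn, inbox[-1].split()[-1])

    # 2. The submission no longer matches the texted transfer; the code does not fit.
    tid = bank.request(txn, "+1-555-0100")
    tampered = bank.confirm(tid, altered, inbox[-1].split()[-1])

    # 3. A code is presented a second time; the pending entry is already gone.
    tid = bank.request(txn, "+1-555-0100")
    code = inbox[-1].split()[-1]
    first = bank.confirm(tid, txn, code)
    replay = bank.confirm(tid, txn, code)
    return {"legit": legit, "tampered": tampered, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo_run())   # {'legit': True, 'tampered': False, 'first': True, 'replay': False}
```

The bank can only bind the code to the transfer it received, so if the request itself arrives already altered, the text will name the wrong payee and the customer's reading of it is the last line of defence; that is the reason the post insists the SMS carry the transaction data rather than a bare code.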

yeah but (1)

scarboni888 (1122993) | more than 5 years ago | (#29167145)

will it run on Linux?

Utter Bullshit (0)

Anonymous Coward | more than 5 years ago | (#29167239)

Realtime keyloggers have been around since botnets have been and then some. Utter Bullshit.

You know you're being real-time keylogged when... (2, Insightful)

philibob (132105) | more than 5 years ago | (#29167281)

...Your router's activity light blinks every time you press a key on the keyboard.

I assume it's trivial to detect this type of keylogging.

Re:You know you're being real-time keylogged when. (1)

mysidia (191772) | more than 5 years ago | (#29167539)

Escaping that sort of detection is easy by not transmitting each individual keystroke in real-time. Maybe once every 4 or 5 keystrokes, or when you click, press enter, submit, space bar, or do something else that indicates a "text break".

In addition, they can attenuate this by sending a constant low-bitrate stream of data when you aren't typing anything, so your router's activity lights are always blinking.

E.g., they might transmit a 56-byte packet every 2 to 3 seconds, say something innocuous like a port 80 ping to windows update servers (or your distro's update servers for Linux users).

Needless to say, all the keystroke log transmissions would be encrypted and random fuzziness generated to make it hard for adversaries and network-based IDS to identify generated packets as keylogger traffic.
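The router-light observation and the reply about batching and cover traffic describe two wire-level patterns a sensor can score instead of eyeballing: outbound packets that follow keystrokes too closely, and fixed-size packets on a fixed timer. The Python below is an added example, not code from either post; the keystroke timestamps and flow records are constructed, and the destinations use documentation address ranges. It runs both checks over the sample and reports which destinations an analyst should look at.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: keystroke timestamps (seconds) from an endpoint agent and
# outbound packets as (timestamp, destination, payload_bytes) from a flow sensor.
KEYSTROKES = [0.00, 0.13, 0.31, 0.38, 0.62, 0.95, 1.02, 1.10, 1.35, 1.70, 1.78, 1.91,
              2.20, 2.33, 2.41, 2.75, 3.05, 3.12, 3.30, 3.66, 3.80, 3.94, 4.21, 4.45, 4.60]

PACKETS = (
    # ordinary browsing: irregular timing, mixed sizes
    [(0.5, "198.51.100.10", 1200), (0.9, "198.51.100.10", 380), (1.6, "198.51.100.10", 1500),
     (3.5, "198.51.100.10", 900), (4.1, "198.51.100.10", 640)]
    # a small packet 20 ms after every keystroke
    + [(k + 0.02, "203.0.113.7", 64) for k in KEYSTROKES]
    # a 56-byte packet every 2.5 s regardless of typing
    + [(2.5 * j, "203.0.113.9", 56) for j in range(1, 13)]
)


def keystroke_correlation(keystrokes, packets, window=0.05):
    """Per destination: fraction of keystrokes followed within `window` seconds
    by an outbound packet to that destination."""
    times_by_dst = defaultdict(list)
    for ts, dst, _ in packets:
        times_by_dst[dst].append(ts)
    result = {}
    for dst, times in times_by_dst.items():
        hits = sum(1 for k in keystrokes if any(k <= t <= k + window for t in times))
        result[dst] = hits / len(keystrokes) if keystrokes else 0.0
    return result


def beacon_stats(packets):
    """Per destination: (packet count, coefficient of variation of the
    inter-packet interval, payload size spread). Regular timing and fixed size
    are what a cover-traffic beacon looks like on the wire."""
    by_dst = defaultdict(list)
    for ts, dst, size in packets:
        by_dst[dst].append((ts, size))
    stats = {}
    for dst, items in by_dst.items():
        items.sort()
        if len(items) < 3:
            continue
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        sizes = [s for _, s in items]
        stats[dst] = (len(items), cv, max(sizes) - min(sizes))
    return stats


def suspicious_destinations(keystrokes, packets, corr_threshold=0.5,
                            min_beacons=8, max_cv=0.15, max_size_spread=16):
    """Destinations worth an analyst's attention, with the reason for each."""
    findings = defaultdict(list)
    for dst, frac in keystroke_correlation(keystrokes, packets).items():
        if frac >= corr_threshold:
            findings[dst].append(f"{frac:.0%} of keystrokes followed by a packet")
    for dst, (n, cv, spread) in beacon_stats(packets).items():
        if n >= min_beacons and cv <= max_cv and spread <= max_size_spread:
            findings[dst].append(f"{n} fixed-size packets at a regular interval")
    return dict(findings)


if __name__ == "__main__":
    for dst, reasons in suspicious_destinations(KEYSTROKES, PACKETS).items():
        print(dst, "->", "; ".join(reasons))
```

Batching every few keystrokes drives the correlation score down, which is the point of the second check: a constant low-rate stream only hides the keystroke rhythm by becoming a rhythm of its own. In practice the thresholds are tuned against the host's baseline traffic, and update servers and chat clients will need whitelisting.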

2-factor, 2-path authentication, source auth. (1)

davidwr (791652) | more than 5 years ago | (#29167293)

Assuming your phone isn't being compromised, the bank could just call you on your telephone-number-of-record. Of course, you'd need to make sure the bad guys couldn't change that number.

Also, banks should be on the lookout for things like "he used his ATM card at home yesterday, he's in Eastern Europe today" and react accordingly.

These won't stop all such attacks, but they will help.

Another technique is to require inter-bank transactions over a certain amount to be held until they can be affirmed "in person," such as by the customer going into any cooperating bank, ATM, grocery store, etc. and smiling for the camera as he affirms the transaction.

Attack-the-consumer bank fraud cannot be completely stopped but by making it not worth the effort, criminals will try other ways of getting rich, perhaps even honest ones.

Re:2-factor, 2-path authentication, source auth. (1)

mysidia (191772) | more than 5 years ago | (#29167601)

Assuming your phone isn't being compromised, the bank could just call you on your telephone-number-of-record.

Isn't phone compromise just as plausible as computer compromise?

If you are a VoIP user, the hacker may use control of your computer to inspect packets to your VoIP handset, and intercept certain phone calls (specifically: ones from your bank).

There's also a (hopefully faint) possibility that a determined attacker who somehow got your personal identity details could sign up for an account with an online VoIP provider like Vonage (using a CC number stolen from you), get your number moved (or "ported") to their system so the attacker now controls your phone number, get your phone company to assign you a new number, and perform a man-in-the-middle attack against your home phone.

Naturally, this just depends on how much of your information the criminal has stolen, before they can effectively impersonate you and get resources of yours temporarily under their control.

Put everything in Greasemonkey scripts (1)

rduke15 (721841) | more than 5 years ago | (#29167457)

When the first part of the authentication is done by a Greasemonkey script, keyloggers don't see that. Or do they?

This may sound like a joke, but in fact I do have one part of the authentication scripted in Greasemonkey. That gets me directly to the next step with some sort of challenge-response system involving a calculator-like gadget with my bank card inserted in it.

Of course, if your bank requires nothing else than an account number and a password which you have in a GM script, I would be glad to borrow your computer...

The systems I know are the ones of the Swiss post (pdf) [postfinance.ch] and of UBS (pdf) [ubs.com]. I do wonder if these can be attacked by such instant keyloggers.

Why? (1)

KneelBeforeZod (1527235) | more than 5 years ago | (#29167459)

Why is there a "GoogleWave" tag? I don't get it.

Banks do not widely use 2-factor authentication (2, Informative)

mysidia (191772) | more than 5 years ago | (#29167465)

They use wish-it-was two-factor [thedailywtf.com]

Two-factor authentication is when authentication requires two different factors of authentication. Some possible factors of authentication are something you know (PIN numbers, passwords, usernames, secret answers to questions arranged in advance), something you have (smart card, key fob, pass-card, a special piece of hardware, a SSL certificate loaded on a device that you can't read), something you are (biometric identification, facial, voice, fingerprint recognition, hardware that reads your GPS position to verify you are at home, a phone number that checks your ANI caller ID information).

Most banks only require something you know. The security question/answer dialogs that are commonly used are equivalent to a second password, granted: a second password that is likely to be a lot less secure.

Issues like the 'temporary passwords' on your key fobs being discovered when you use them can be defeated by only allowing the password to be used once. If an attempt is made to use the temporary password again, or an attempt is made to use any incorrect temporary password, then all active sessions should be logged out.

In addition both sessions should be warned about the attempt, and that their computer station may be compromised, they should update their antivirus and antispyware scanners, disconnect from the internet, and perform a full scan.

I have to ask (0)

Anonymous Coward | more than 5 years ago | (#29167527)

Do these real-time keyloggers affect Linux?

My wife is really comfortable with her WinXP software and I'll never get her to change to Linux (I've tried, but it's hopeless). Still, I have given her a Linux laptop for doing her on-line banking and she does not use the WinXP machine for any financial transactions. I was thinking that I only had to deal with Firefox exploits that way.

Nothing New (0)

Anonymous Coward | more than 5 years ago | (#29167881)

Me and my friends have been using this in the USA since uhm... ever. It's pretty easy.

sock.send(keypressed);

Or something to the effect of that.
On the other end:

sock.recv(keypressed);
cout << keypressed;
