Slashdot Mirror


Transec, a Secure Authentication Tag Library

Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

5 of 125 comments

  1. Doesn't ING direct already do something like this? by antifoidulus · · Score: 2, Informative

    When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, i.e. a bunch of images. They will also randomly assign letters to each number (different every time you log in) so you can still type them if you want without a keylogger figuring out what your PIN is.

  2. Right, they do that already by ewn · · Score: 2, Informative

    They also don't ask you to enter the whole PIN, but only a few randomly selected digits ("Please enter the 3rd and 5th digit of your PIN"), so an attacker who grabs the screen only once still doesn't have enough information. I think that's pretty smart.

  3. Yes, such a threat exists by Opportunist · · Score: 4, Informative

    Without breaking NDAs I can verify that such malware exists, in the wild. So far this functionality (taking screenshots) has not been used widely, but the necessary functions are there, screenshots are taken, it's just not been necessary to use them.

    Picture shots would certainly increase security and raise the bar for malware writers. Current BHOs are able to manipulate the data stream on the fly, so you can never be sure what you send to your bank, and whether the data your bank sends to you is actually also displayed. With a picture, this becomes harder to manipulate.

    Harder. Not impossible. Many malware BHO families are already prepared for this kind of defense and are working on a way around it (or have already found a way around it). Any claim to make malware impossible is a lot of smoke screen and even more snake oil. The best defense against such attacks is still:

    1. Using non-mainstreamy software. Malware is a business, target is the mass market. So the further you're from the "masses", the higher the chance that the malware can't strike you. Using Firefox instead of the omnipresent IE is a good step. Defeats a good deal of malware. Taking a step further and using a Mac or Linux almost eliminates the threat. That doesn't mean MacOS or Linux are more secure (I'll spare you and me the discussion), that simply means that their market share is smaller and thus it is less interesting for malware writers.

    2. Using a brain when connecting to the 'net. Clicking everything and using mainstream apps is a surefire way to catch some kind of infection. Even with current anti-malware tools installed. No antivirus is able to catch everything (and they usually are at least one day behind the malware writers). No security tool is able to intercept all invasion attempts (Windows simply offers way too many entry points). Software is no replacement for brains and common sense.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Itaú in Brazil has something similar but bett by Anonymous Coward · · Score: 1, Informative

    Their scheme is like this: when they ask you for your PIN, they give you a keyboard which has buttons like [1 or 4], [3 or 5], [2 or 8], so there are five buttons. You can input your password even with someone looking over your shoulder and they won't know what your password is, because the buttons are ambiguous and the numbers are grouped randomly. They would have to be able to watch you a few times until they can be sure of your password. This reduces the search space for a brute force attack, but as the account is locked up after three incorrect tries, it doesn't really matter.

    Not that it helps much anyway. A man in the middle attack will defeat this easily, where the bad guy will just proxy whatever challenge he gets from the bank and get access to his account. We need to make users less stupid - good luck fixing that!
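A constructed model of the ambiguous-button keypad described in the comment above, added here as an illustration (not code from the page, the bank, or Transec): it counts how many PINs stay consistent with the button presses an onlooker sees in one login, how that candidate set shrinks when several logins with fresh random groupings are observed, and at which point it drops within a three-try lockout. The four-digit PIN length and the pairing of ten digits into five buttons are assumptions taken from the comment's description.

```python
import random
from itertools import product

PIN_LEN = 4          # assumed PIN length
LOCKOUT_TRIES = 3    # account locks after three wrong tries, as the comment states


def random_layout(rng):
    """Shuffle the ten digits and pair them so that each of the five
    buttons reads '[a or b]'. Constructed model of the described keypad."""
    digits = list("0123456789")
    rng.shuffle(digits)
    return [frozenset(digits[i:i + 2]) for i in range(0, 10, 2)]


def press_sequence(layout, pin):
    """The button index pressed for each PIN digit: this, plus the layout on
    screen, is all that an observer (or a screen grab) learns."""
    return [next(i for i, pair in enumerate(layout) if d in pair) for d in pin]


def candidates_from_session(layout, presses):
    """Every PIN consistent with one observed login: each press narrows one
    position to the two digits printed on that button."""
    return {"".join(p) for p in product(*(sorted(layout[i]) for i in presses))}


def candidates_after_sessions(pin, sessions, seed=1):
    """Intersect the candidate sets of `sessions` observed logins and return
    the candidate-set size after each one (2**PIN_LEN after the first)."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    remaining = None
    sizes = []
    for _ in range(sessions):
        layout = random_layout(rng)
        seen = candidates_from_session(layout, press_sequence(layout, pin))
        remaining = seen if remaining is None else remaining & seen
        sizes.append(len(remaining))
    assert pin in remaining     # the true PIN is never eliminated
    return sizes


def sessions_until_lockout_budget(sizes, tries=LOCKOUT_TRIES):
    """First observed login (1-based) after which the remaining candidates fit
    within the lockout budget, or None if they never do."""
    for n, size in enumerate(sizes, start=1):
        if size <= tries:
            return n
    return None
```

The model assumes the observer records the full layout each time; with one login the search space is 2**4 = 16 PINs, which is why the lockout, not the keypad, is what actually limits guessing.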

  5. Not secure by dk.r*nger · · Score: 1, Informative

    The image is a map, when you click it, coordinates are POSTed to the server, that replies with a new image.
    Grab the coordinates and the image, and you can stitch together the password with close to no effort.