Defeating Virtual Keyboards and Phishing Banks

An anonymous reader writes "Noam Rathaus writes on the SecuriTeam Blogs how most Image Click-Me virtual keyboards schemes used by banks to fight phishing trojan horses can be easily broken, even (and especially) when encryption is used. He then discusses how screenshots of the pointer location are over-kill, and describes how to kick these security measures out of the way." From the article: "Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique which the screenshots for pointer location on-click described above was used) some banks send the PIN number in cleartext, while others encrypt them, one such example is cajamurcia. Even when the encryption is used, banks tend to implement it badly making it easy to recover the PIN number from the encrypted form. I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange, they take the timestamp of their server (cajamurcia) and send it to you - this already posses a security problem - and this timestamp is then used to encrypt the PIN number you entered"

dumb

[Lehk228]

the whole idea is dum, you are trying to make a compromised host somehow "Safe" by obscuring what is going on. if they wanted to be really safe they would use a trusted device and allow the computer to simply be one more untrust part of the cloud between that device and the bank. a USB "smart card" could do the trick just fine. for added security have a pin pad on the smart card itself.

Re:dumb

[arivanov]

Ahem. Exactly.

Client side x509 certificates (if possible on smartcards or tokens) will solve 99% of phising problems once and for all. For most "secure" sites, the clients authenticate the server (which can often be circumvented by using DNS tricks). At the same time there is no SSL level client authentication. As a result stolen credentials can be reused on another system. A smartcard holding the x509 cert prevents this outright.

Unfortunately instead of using what is right there in front of them in the actual protocol spec the banks go into all kinds of technological roccocco. Not surprising actually. I tried to explain the concept of client side certificate to one of my collegues who had in the past implemented the internet banking system (and its security) for one well known UK bank and is now to implement another one. No matter how hard I tried, he could not grasp the concept.

Re:dumb

[mochan_s]

Phone trojans are extremely rare

Doesn't mean they always will be.

Re:dumb

[ArsenneLupin]

for added security have a pin pad on the smart card itself.Actually, that's not added security, but essential security. If the PIN was entered on the computer, and then sent to the smartcard for encryption, then a Trojan could still get it on that first leg of communication, before it was encrypted.

For real security, not only would the PIN need to be entered on the card itself, but essential transaction data (amount, target account) would need to be displayed by the card as well (using a pocket-calculator like LCD display, for instance). Indeed, without such display, a smarter Trojan might highjack a legitimate transaction, and transform the data into something else (change your monthly rent payment into a huge transfer to scammer's account...), and the user would be none the wiser.

But, of course, a more sensible approach is to keep the host system secure. Why are some banks still forcing their customers to use Windows and Internet Explorer when these are known to have security issues?

Re:dumb

[jrumney]

Actually, that's not added security, but essential security. If the PIN was entered on the computer, and then sent to the smartcard for encryption, then a Trojan could still get it on that first leg of communication, before it was encrypted.

The way these things usually work, the PIN entered at the keyboard is not the PIN for the bank, but the PIN to decrypt the certificate on the smartcard. So knowing the PIN is only useful to the identity theives if it can get physical access to your smartcard.

Re:dumb

[ArsenneLupin]

The way these things usually work, the PIN entered at the keyboard is not the PIN for the bank, but the PIN to decrypt the certificate on the smartcard. So knowing the PIN is only useful to the identity theives if it can get physical access to your smartcard.
Correct. However, once the Trojan Program has the Pin, it will be able to reuse that to submit fake transactions if the user is careless enough to leave the card in the reader...

Re:dumb

[theCoder]

If you use a smartcard, the crypto happens on the card itself. The private key never leaves the card. Simply speaking, a request is made to the card to sign something, and it gives back the signature. This means that no one listening on the computer can duplicate the authentication (assuming there is nothing else wrong with the protocol, such as replay attacks, any sort of man in the middle, etc).

In essence, the smartcard idea is assuming that your machine could be compromised, and is moving the authentication to another machine (the smartcard) which is much harder to compromise.

Re:dumb

[swillden]

I've been in the business of designing, implementing and selling smart card-based security solutions for nearly a decade now, and I've talked to lots of banks about these issues. Most of them understand perfectly well that smart cards with client-side digital certificates are an excellent (though not perfect, see below) solution from a security standpoint. The reasons they aren't gung ho about deploying such a solution are (1) cost and (2) consumer acceptance.

Smart cards themselves aren't expensive, and neither are smart card readers. The cost of retooling the card issuance process to support smart cards, however, is non-trivial, and the cost of deploying card readers to consumers and supporting them through the installation and usage process is very large. The biggest problem, though, is cardholder training. How do you teach millions of people how to use the thing, even if it's already set up on their machine? Simple problems like how to insert the card into the reader are surprisingly hard to address on a large scale.

The UK, and a few other countries, are much more prepared for this than the US thanks to the Chip & PIN initiative that their banks have spent tens of millions on. At least UK citizens know to put the card in chip-end first, with the chip up.

In any case, though, it's the cost and difficulty of getting consumers to deploy additional hardware on their computers that holds banks back from doing it, not lack of understanding. All of their weird security solutions are attempts to perform semi-secure transactions on the PC hardware that the cardholders already have, with no new software or hardware to install or maintain. Note that the costs and difficulties I'm talking about aren't theoretical. Various banks in different parts of the world have run pilots using these technologies, and they've invariably fallen flat. IMO that's because the pilots were poorly run, but having seen the failures, banks are very leery of trying anything else.

The new buzzword that's sweeping the financial industry these days is Near-Field Communications (NFC). NFC is basically a contactless smart card chip embedded in your cellphone. The chip can securely store and use keys, and the interface with the phone provides it with a display, keypad and Internet connection so the chip can phone home to the issuing bank as needed (for velocity checking, balance checking, etc.). Assuming the phone can be protected from viruses, trojans, etc., and can be considered a relatively secure device, this has all sorts of advantages. It can be used in a retail environment with a contactless smart card reader, using the phone's display and keypad to give the user a chance to verify the transaction details (the amount, mainly) on a device the user trusts. For on-line usage, you can connect the phone to the PC via USB, or via a contactless smart card reader for secure and easy transaction, but it's more likely that you'd use the phone's data link for the financial transaction. Imagine going to amazon, picking out your goods, hitting the "buy now" button and then waiting a few seconds for a message to arrive to your phone, requesting payment authorization. You'd review the transaction details on your phone screen, authorize payment with the keypad, and the smart card chip would then create a cryptographically-secure payment authorization message and deliver it to either the bank or the merchant (depending on how the system was structured).

What's actually going to happen? After failing repeatedly over the years in my prognostications, I won't even guess. I will say, though, that banks are big fans of "good enough", and that their definition of "good enough" doesn't require that fraud be impossible, only that it be sufficiently limited that it's affordable.

Re:dumb

[swillden]

But basically you are correct, if the cell is encoding everything correctly the connection could be trusted, the only problem is that cell networks are known for hiding behind obscurity for security, witch is not very safe after all.

Doesn't matter. You wouldn't rely on the cell networks for any of the security, you'd just use the network as a transport. The Internet is also completely insecure, but we easily create secure communications channels over it. The security of the network is irrelevant. It's the security of the endpoints that matter.

Re:dumb

[arivanov]

Yes it does, provided that the system is correctly designed and implemented. In fact it is nearly bulletproof against a MIM.

The MIM will need to have both a valid server certificate to authenticate to the client a valid client certificate to authenticate to the server. If the server correlates certificates with another credentials like a username and password (2+ factor authentication) it can immediately detect that a stolen identity is being used with the wrong smartcard.

Secure banking? Yeah right.

[thedarknite]

For institutions that are responsible for vast quantities of peoples money, some of the security policies they implement are really quite strange. For example, the bank I use, even before they brought in the annoying virtual keyboard, had a six character alpha-numeric limit on there passwords. Very bizarre considering that you enter in your customer id which is a ten character string.

Although, on the plus side it has made me extra paranoid about all online transactions. So now any site where I am involved in a finacial transaction has different passwords and anything that gets cached is cleared out of my system as soon as I am done.

Meanwhile, back in the old west...

[werewolf1031]

this already posses a security problem

Round 'em up, boys! We gonna lynch us some bank robbers!

Yeah, and?

[iamdrscience]

So the article is saying that people with trojans on their computers are fucked? Is anyone surprised by this? The point of virtual keyboards is not to defend against trojans, it's to defend against keyloggers. They may defend against trojans that try to steal your account information with a keylogger, but I think it's safe to say that no matter what security technology your bank is using, if you've got a trojan on your computer you're going to be fucked.

Re:Yeah, and?

[shigelojoe]

if you've got a trojan on your computer you're going to be fucked

I'll take "Things a computer has in common with a penis" for $1000, Alex.

Re:What if you obscure the pattern?

[iamdrscience]

I use ING direct and they do something sort of like that, they have a picture of a numeric pin-pad that comes up and each key has a (random) letter on it. You enter your pin by typing the letter associated with each number. Unfortunately, you can also enter your pin by clicking the numbers (well, unfortunate for security, but fortunate for user convenience).

No Surprise

[daeg]

This is no surprise at all. Keyloggers will be a thing of the past soon enough for the major hackers.

More scary is the fact that adding a simple network device will allow a virus to log all Internet traffic. Look at HTTPLook (a small app used to sniff HTTP traffic). It comes with a small HTTPS module that intercepts HTTP traffic transmitted via HTTPS.

Using such a device will also help cut down on the amount of data hackers can get -- HTTP traffic is useless to them. Why do they care you went to Google and searched for "hot gay wrestlers"? They don't. HTTPS, on the other hand, will set off alarm bells -- if a server is worried enough about security that it pays for certificates, the data must be worth something, right?

The solution is that logging into secure systems needs to require a physical presence. An older system I maintained a few years ago for the Mortgage industry used a username, password, and a key from a small business card in their wallet. Each month users received a new card, and each card had about 50 numbers on it. The system knew which numbers each user had and only allowed each number to be used once. Logging in with a wrong number would flag your account, repeated attempts would lock it. Yes, it increased support load when someone lost their card (the cards were unmarked so if someone found it, the numbers are useless), but it was fairly secure and generally a lower cost alternative to biometrics (and much more portable).

This combines the "something you know" authentication scheme (username, password) and the "something you have" scheme (password card). The third type is "something you are" -- biometrics.

(Failure point: person gets kidnapped. If a user gets kidnapped, security is the least of the worries until they are recovered. Failure point: if the database with the numbers is compromised, the system is no longer secure. If the database is compromised, they no longer need to log in, and no secret numbers will stop them.)

Cut them off at the pass

[SEWilco]

posses a security problem

It depends upon your posse whether one or several of them are a problem.

Is it just me? Am I missing something?

[zappepcs]

If your pc is infected with a trojan, or other malicious software, its feasible to capture the screen with each keystroke while connecting to a bank website and forward that data to a server somewhere at a later time... key logging doesn't have to be only key logging, it could be logging keystrokes and relevant screen data at the same time.

The ONLY way to outsmart software that wants your data is to not load that software on your machine. I find that I feel much safer booting a life CD (DSL or Puppy or pick your flavor) and running to the banking website with a freshly installed OS... no chances for virii or malware etc.

That is certainly easier than actually going to the bank... and I know that its safe.

It at least makes me feel a bit safer.

Re:Is it just me? Am I missing something?

[iamacat]

How do you know you are not booting your life CD into a virtualizer run by your hacked EFI firmware?

Re:Virtual Keyboards are pointless

[iamdrscience]

Virtual keyboards are designed to protect against keyloggers, not phishers, and they do a pretty good job. No one technology protects all fronts of attack -- saying virtual keyboards are useless because users can still be phished is like saying that encrypting data between you and a bank is useless because it doesn't protect you from somebody looking over your shoulder.

My Phone is a Weapon

[Doc+Ruby]

I'd rather use an ATM by touching my mobile "phone" to it to pair it with my Bluetooth (and exchange keys), then use the phone to control my session. I'd prefer my phone client to generate onetime passwords consumed by the ATM to giving anyone my PIN.

With that protocol, I'd feel safe even using those random ATMs at delis and various "impulse purchases", where today they get my PIN and can launch a replay attack any time they want.

Re:What if you obscure the pattern?

[fatcop]

I use ING Direct and noticed that recently. Its pretty much exactly as the first parent described. Though I don't see anything about keyboard typing being allowed. Its pure mouse clicks only for me.

This is what I gather from using it and glancing at the page info and scripts:

The keypad numbers (are images) and are randomised (threw me first time, but no probs since) every login session.

Every time you login each number corresponds to a different image URL on the server. The URL's format is like http://mybank.ohyeah/?object=A2D04F..... (mega hash number). Every different login session the image URL's for the same number different. So it appears those generated image URL's only exist for the duration of the login sequence. So only the server knows the mapping of what it sent to your real PIN. So that coupled with encrypting the out of order PIN numbers makes it even harder to crack.

I guess it doesn't really offer any more protection against a trojan taking screenshots every mouse click. I mean you're kind boned if you got that kinda trojan on your PC anyway. Its virtually like someone video taping you :) You have to have something some degree of faith in your virus/trojan protection on your PC. If you use an internet cafe you are at their mercy a bit.

It certainly seems to offer some further protection against basic data sniffing, since only the server knows the order of the PIN.

But as for "hiding the image from any kind of snooping software", if the session number image data was sniffed and mouse click positions then that's as good as a screen capture.

Re:What if you obscure the pattern?

[uhlume]

Grid Data Security's GridOne uses a very similar approach: they present an on-screen alphanumeric entry grid, with each character surrounded by four randomly-generated numbers, one in each corner of the cell. Users enter their password by typing the corresponding number for each character of the password, from a pre-selected corner of the cell (upper left, lower right, etc). Since the numbers are randomly generated with each display of the entry grid, and any numeral may appear in multiple places on a given random grid, this effectively defeats both keyloggers and screengrabbers: even if you can see both the entry grid and the entered keystrokes, deriving the user's password from that information is non-trivial.

http://griddatasecurity.com/Approach.htm

(Of course, this isn't much use against the hypothetical of a carefully-engineered realtime man-in-the-middle attack, but I suspect very little would be.)

Never develop your own crypto protocols

[Beryllium+Sphere(tm)]

Unless you're an expert crypto protocol developer and you're not going to deploy it to the field until it's had several years of peer review.

That business with the timestamp? Offhand I'd say the bank was trying to do the right thing by preventing replay attacks. But using a timestamp? I'm having trouble keeping up with just the obvious attacks against that, let alone the attacks that a seasoned crypto developer would find.

If you ever need to do what the bank tried to do, find something already written and battle tested, make sure its assumptions and security properties line up with what you need(*), and use that instead of repeating the last fifty years of protocol design mistakes.

(*) Then you'll find that they assume trusted endpoints, which is something worth reflecting on.

Keyring Dongle

[bonhomme_de_neige]

HSBC in Australia and SE Asia (and, it seems, with a bit of Googling, elsewhere in the world) issue with online banking accounts a device that sits on your keyring that generates a 6 digit number when the button on it is pressed, and displays that on a small screen. The number is different every time.

When you log in or do any transaction, you are required to enter this number (along with any other credentials which are appropriate). The bank records the serial number of the dongle they gave you, and I would assume that there is some secret mathematical algorithm that allows them, knowing the serial number and the time, to calculate what number your device will display.

If you make 3 mistakes in a row with the 6 digit code, your internet banking account is automatically locked down, and you have to contact them to unlock it.

Now, that's a very simple trick and I can't see how a hacker / phisher would get around it. Sure they can sniff the code when I log in, but 30 seconds later it will be useless. Short of mugging me for the device on my keys (after having phished my regular login/password), they can't get in to my account. Even if I leave a session logged in and walk away, and someone else sits down at the terminal, they can look at my balance and transaction history, but can't make any transactions.

Having used the device for a year I have to say it is remarkably convenient, and it seems immune to most of the attacks described here, and doesn't have the convenience drawbacks of one-time PIN cards. Why is HSBC still the only bank doing this?

More info on the device: http://om.hsbc.com.au/osd/

Re:Keyring Dongle

erm, how would this protect against realtime phishing?
e.g.
user enters username/pass/magic number to log in at fake bank website
fake bank website then uses that info to log in at real bank site and transfer $largesum to $evilguy
if your token only changes its code every 30 seconds that shouldnt be hard at all
btw, the same scam made a bit more elaborate would also work against one-time-use number pads (present user with fake 'enter transfer details and one-time-use number, use that number to do a different transfer, respond with error/success/whatever message)
the only way I see to make a secure system is to have a secure endpoint = hardware device that treats the client computer as just another hop in the unsafe internet cloud

Have a split PIN system

[caluml]

Have a split PIN system - half in your head, and a random second half texted to your phone, which is valid for 5 minutes after it is texted. Voila. And the bonus? Everyone owns one of these "what you have" devices (in the UK at least).

Solutions to stop phishing & trojans etc

[jonwil]

This solution would be OS and browser independant and would not be subject to any issues such as SMS's not getting through to a cellphone.

Basicly, each customer is given a device that looks a bit like a small calculator, make it "solar" powered (in reality those panels will work just fine powered by any sufficiantly bright light source) so it never looses juce.
It would have a 0-9 keypad and other buttons. Each device would contain a unique number that is also securely stored on the banks computers.

When you want to log in, the bank generates a random number and displays it along with a form field for username/user ID/whatever, a form field for password and one for a hash. The user types in the random number into their calculator thing which is then hashed with the number stored inside it and the result displayed. The hash algorithim has to be chosen such that there is no one number that when hashed with any unknown stored number can produce either the stored number or something that you can get back the stored number from. (this prevents the hacker from feeding a chosen "random" number to the user and getting the stored number that way).

Once you do that, the displayed hash along with username and password are typed into the form. The hash is compared with the same calculation done by the banks computer and if the username, password and hash match up, you are logged in.
When you want to do a transfer to someone not on your "approved payees" list or add someone to the "approved payees" list, you have to enter the account number and/or dollar amount and/or another random number into the calculator thing which spits out another hash that has to be typed in. This prevents the phisher /trojan/whatever from changing the details of the transaction ($ amount or destination account).

Unlike some other proposals (USB smart cards, mobile phones), it is 100% OS and browser independant and requires no drivers.

Re:Solutions to stop phishing & trojans etc

[m94mni]

I've had such a device, when I had an account in the Swedish bank Swedbank. Works pretty well, but much less convenient than the certificate-based solution I use now in Skandiabanken.

Banks and third-party Javascript

[timlewis_atlanta]

And this story breaks the evening after I notice that a large bank that I shall not name, but instead refer to "Bank of America", changes their SiteKey/Login page so that it now loads Javascript from a domain other than bankofamerica.com : "liveperson.net".

I only noticed this because my "NoScript" Firefox extension started showing the "Script partially allowed" message.

Now, I'm no expert, but I do know that Javascript has a bit of a spotty history when it comes to security. Having looked into liverperson.net it appears to be legit ; but in any case, I did not allow it access.

But my question is this : why on earth do BofA think it makes sense to link off-site during the login process ? Surely this is completely nuts ?