Slashdot Mirror


Real-Time Keyloggers

The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."

8 of 205 comments

  1. Thwarted by properly designed online banking by upside · Score: 4, Informative

    Again, a proper banking system like my bank uses

    - a one time pad for logging on
    - another set of codes, from which one is picked randomly, to confirm transfers

    The one time pad means they can't open a second session. Even if they could hijack the session I've opened they can't transfer money without my explicitly authorizing each transfer by entering the second code.

    --
    I'm sorry if I haven't offended anyone
    1. Re:Thwarted by properly designed online banking by CrashandDie · Score: 5, Informative

      Disclaimer: I work for one of RSA's competitors in this domain.

      The article focuses on RSA's SecurID, but one of the main drawbacks of RSA's SecurID is that it is only time based. Other companies also use event-counters, which means that you can't actually replay the attack.

      The parent is right (and I should know, I deploy these solutions), most serious banks will use OTPs (One Time Passwords) for the initial log-on, but then require Challenge-Responses to sign the transactions (website provides a challenge, which can be a completely random number, or based on a number of variables: amount, target account, etc; this challenge is provided to the token (stupidly named "gadget" in the summary), and it spits out a response.) This can be verified by the server.

      OTPs have always had this flaw, and this really isn't any news. I've heard of attacks where real-time keyloggers would interrupt the network connection (wifi, ethernet, whatever) on a software/OS level temporarily (I assume by refreshing the DHCP bumf) so as to allow the attacker to use the OTP.

      However, this can be easily thwarted.

      Any good Authentication Server will provide the option to use seeded authentication, and even though this doesn't apply to OTPs (most OTP algorithms actually include clock counter (and event counter if it is implemented, not RSA's case) related information in the OTP, hence the whole OTP is required for authentication), it does apply to Memorable Data. For example, 2nd and 8th character of your secret passcode. Or for example, even better: multiply the 4th digit of your OTP with the 6th digit of your secret passcode. (OTP still required to be input completely). Yeah sure, given sufficient time, the attacker should be able to know what your passcode is, but heck, that's going to require quite some effort.

      Wikipedia has a bit of a section about the MITM attack vulnerabilities of OTPs (even though it is right in SecurID's article, it doesn't apply to them alone, but to the concept as a whole). The main issue, however, with RSA's implementation isn't necessarily the MITM attack, but quite simply, stealing the token. It doesn't have a PIN code, heck, it even just shows the code the whole time (last one I checked did this), and I could read the number right off my friend's keychain.

      Also, let us not forget that a one-time attack (which again, shouldn't be much of an issue if banks have a good solution that requires CRs for each transaction) on an account really isn't a big deal. It's a One-Time Password. It's only valid once. After he's visited the account, and seen the balance, that's about as far as he's going to go.

      Nothing to see here, please move along. If anything, this is just going to drive our business a bit.
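The transaction-signing scheme this comment describes (challenge derived from amount and target account, token computes a response, server verifies), as an added example that is not code from the original post or from any vendor. The HMAC-based token function, the seed, the account numbers and the nonce-per-challenge design are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    target_account: str

def token_response(seed: bytes, challenge: str) -> str:
    """Customer-side token: HMAC of the typed challenge, truncated to six digits."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class Bank:
    """Server side: issues transfer-bound challenges and verifies the responses."""
    def __init__(self, seeds: dict):
        self._seeds = seeds   # user -> token seed shared at enrolment
        self._pending = {}    # (user, challenge) -> Transfer awaiting a signature
    def challenge_for(self, user: str, t: Transfer) -> str:
        # Nonce, amount and destination all feed the challenge, so a captured
        # response fits exactly this transfer, exactly once.
        nonce = secrets.token_hex(4)
        material = f"{nonce}|{t.amount_cents}|{t.target_account}".encode()
        digest = hashlib.sha256(material).digest()
        challenge = f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"
        self._pending[(user, challenge)] = t
        return challenge

    def authorize(self, user: str, t: Transfer, challenge: str, response: str) -> bool:
        if self._pending.get((user, challenge)) != t:
            return False  # unknown, already consumed, or altered transfer details
        expected = token_response(self._seeds[user], challenge)
        if not hmac.compare_digest(expected, response):
            return False
        del self._pending[(user, challenge)]  # single use
        return True

def demo() -> tuple:
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed seed
    bank = Bank({"alice": seed})
    legit = Transfer(10_000, "GB00-1234-5678")                 # constructed account
    ch = bank.challenge_for("alice", legit)
    resp = token_response(seed, ch)  # typed by the customer; a keylogger sees ch and resp
    # Attacker races the customer, reusing the captured pair for another destination.
    redirected = bank.authorize("alice", Transfer(10_000, "ATTACKER-ACCT-PLACEHOLDER"), ch, resp)
    ok = bank.authorize("alice", legit, ch, resp)        # the customer's own submission
    replayed = bank.authorize("alice", legit, ch, resp)  # second use of the same pair
    return redirected, ok, replayed
```

Because the challenge is bound to the destination account and to a fresh nonce, the keylogged response neither redirects the transfer nor authorises it a second time.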

    2. Re:Thwarted by properly designed online banking by Jah-Wren Ryel · Score: 5, Informative

      For starters, I don't think they roll on success (how would the device know, by the way?).

      The server enforces it. You can't authenticate multiple times with the same token. The server returns an "already used" code if it was recently used. I know this because I've written software that uses RSA's SecurID toolkit.

      But even if they would: the legitimate user would not be able to know the difference between a failure due to making a typo and a failure due to some hacker beating him to the line.

      Again, see the point above about return values from the server-side. The application may choose to report this information directly to the user or simply flag it for the security team to investigate further. I prefer the latter because false positives are going to be pretty rare unless the client software is broken in other ways.

      --
      When information is power, privacy is freedom.
    3. Re:Thwarted by properly designed online banking by CrashandDie · Score: 2, Informative

      That would depend on the version of the token, I guess. There is not just one universal version. Some have keypads, others don't.

  2. Re:Biometrics by vux984 · Score: 3, Informative

    RSA was good while it lasted. It's still better than nothing. Looks like we may need to invest in biometric laptops for the crew. What a pain.

    Reread what they are doing, biometric laptops won't help. They could capture the biometric data as easily as the keyboard data.

  3. Re:Biometrics by Anonymous Coward · Score: 3, Informative

    First of all, RSA SecurID has nothing to do with the algorithm RSA (besides being created by the same people).

    Second, biometrics won't help at all since they can simply transmit the biometric data back and have *permanent* access to whatever system uses it.

    Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords. If the hacker tries to log in to the system using the same password the victim just did, he will be rejected since that password was already used. If he keeps trying to do this, they will probably detect the attack and remove the trojan (not to mention that a single event where the same password is used twice from two different locations is already suspicious enough). If he somehow manages to get the password and log in with it before the victim does (even though at this point the victim has already entered his password), the victim will not be able to log in and quickly detect the problem.

  4. Banks do not widely use 2-factor authentication by mysidia · Score: 2, Informative

    They use wish-it-was two-factor.

    Two-factor authentication is when authentication requires two different factors of authentication. Some possible factors of authentication are something you know (PIN numbers, passwords, usernames, secret answers to questions arranged in advance), something you have (smart card, key fob, pass-card, a special piece of hardware, a SSL certificate loaded on a device that you can't read), something you are (biometric identification, facial, voice, fingerprint recognition, hardware that reads your GPS position to verify you are at home, a phone number that checks your ANI caller ID information).

    Most banks only require something you know. The security question/answer dialogs that are commonly used are equivalent to a second password, granted: a second password that is likely to be a lot less secure.

    Issues like the 'temporary passwords' on your key fobs being discovered when you use them can be defeated, by only allowing the password to be used once. If an attempt is made to use the temporary password again, or an attempt is made to use any incorrect temporary password, then all active sessions should be logged out.

    In addition, both sessions should be warned about the attempt, and that their computer station may be compromised; they should update their antivirus and antispyware scanners, disconnect from the internet, and perform a full scan.
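The server-side handling that this comment, Jah-Wren Ryel's reply (an "already used" return code, flagged for the security team) and the Anonymous Coward reply (a replayed one-time code is rejected) all describe, as an added example that is not code from the original posts or from any vendor's toolkit. The minute-step HMAC code generator, the seed and the source addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from enum import Enum
STEP_SECONDS = 60  # the token in the summary changes its code every minute

def otp_for(seed: bytes, now: int) -> str:
    """Token-side code: HMAC-SHA1 over the time step, truncated to six digits
    (hypothetical scheme for illustration, not any vendor's algorithm)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class Result(Enum):
    OK = "ok"
    ALREADY_USED = "already used"  # returned when a code is presented a second time
    INVALID = "invalid"

class AuthServer:
    def __init__(self, seeds: dict):
        self._seeds = seeds  # user -> token seed
        self._used = {}      # user -> time steps whose code has been consumed
        self.sessions = {}   # user -> {(source_ip, time step)} currently logged in
        self.alerts = []     # (user, reason, source_ip) flagged for the security team

    def login(self, user: str, code: str, now: int, src_ip: str) -> Result:
        step = now // STEP_SECONDS
        if not hmac.compare_digest(otp_for(self._seeds[user], now), code):
            return self._reject(user, Result.INVALID, src_ip)
        if step in self._used.setdefault(user, set()):
            return self._reject(user, Result.ALREADY_USED, src_ip)
        self._used[user].add(step)  # never accept this minute's code again
        self.sessions.setdefault(user, set()).add((src_ip, step))
        return Result.OK

    def _reject(self, user: str, why: Result, src_ip: str) -> Result:
        # A replayed or wrong code ends every active session and flags the event,
        # since the legitimate session may be the one that is compromised.
        self.sessions.pop(user, None)
        self.alerts.append((user, why.value, src_ip))
        return why

def demo() -> tuple:
    seed = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed seed
    srv = AuthServer({"alice": seed})
    now = 1_700_000_000
    code = otp_for(seed, now)  # what the real-time keylogger captures
    victim = srv.login("alice", code, now, "203.0.113.10")        # constructed addresses
    attacker = srv.login("alice", code, now + 5, "198.51.100.7")  # same minute, replayed
    return victim, attacker, len(srv.sessions.get("alice", ())), srv.alerts[-1][1]
```

The same logic handles the reverse race the Anonymous Coward describes: if the replay arrives first, it is the victim's own login that receives the "already used" result, which is the signal to investigate.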

  5. Read Nixon's own words by davidwr · Score: 3, Informative

    Richard Nixon, Statement on Signing the Emergency Highway Energy Conservation Act, January 2, 1974:
    "I AM pleased to sign into law H.R. 11372, an act aimed principally at helping to reduce gasoline and diesel fuel consumption during the energy crisis."

    I'm not saying you are wrong about the ads, I am saying the official reason for the change was to save energy. I am also saying that if some Wikipedia article is claiming otherwise, it needs to be reconciled with the two articles I mentioned above. Happy editing.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.