Slashdot Mirror


Real-Time Keyloggers

The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."

9 of 205 comments

  1. Re:OTP !! by shird · Score: 4, Insightful

    That doesn't stop them from blocking your login such that they are the only ones using the password/id. They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and log in for themselves.

    --
    I.O.U One Sig.
  2. Execute them? No. Catch them. by John Hasler · Score: 4, Insightful

    No need to execute them. No need to punish them severely at all. We just need to catch them. Given a 50% risk of being caught, a one-year prison sentence would provide more than adequate deterrence. Given the present one-in-100-million risk of being caught, an 18th-century hanging would offer no significant deterrence.

    This applies to crime in general as well.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  3. Re:OTP !! by Jah-Wren Ryel · Score: 4, Insightful

    They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and log in for themselves.

    If they are smart they can even provide a fake error page once they've acquired the credentials that tells the user that the site is "experiencing technical difficulties" and that they should please try again in 15 minutes. 99.99% of users won't think a thing of it.

    --
    When information is power, privacy is freedom.
  4. Re:Well I agree but by Eudial · Score: 3, Insightful

    It's hard to motivate to your voters why you need to spend huge amounts of tax money chasing down cyber criminals that mostly operate abroad, thus not affecting your country in the slightest, when that money could go to catching criminals that do, or to education, health care, whatever.

    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  5. Re:Execute them? No. Catch them. by schon · Score: 3, Insightful

    We just need to catch them. Given a 50% risk of being caught, a one-year prison sentence would provide more than adequate deterrence.

    Your post displays a lack of understanding of the criminal mind. Don't feel too bad though, because most people (especially lawmakers) have the same lack of understanding.

    The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught. Career criminals believe that only idiots get caught, and since they're smarter than everyone else (thanks to the Dunning-Kruger effect), they won't be caught.

  6. Re:Thwarted by properly designed online banking by CrashandDie · Score: 3, Insightful

    A good solution (read as "implementation") would consist of a challenge that the user can verify corresponds to the transaction he wishes to do. The first four digits of the Challenge are the last four digits of the sum. The last six digits of the Challenge are the first six digits of the target bank account. Etc.

    Nobody can expect good security if the user doesn't watch out and double-check what's happening. The attack you're talking about could very well be done to a poor old lady paying her bills for the month in front of her bank manager. Just slip in a bill she shouldn't pay: if neither she nor the bank pays attention, the money will be stolen.

    Even though I work in this field, and I'd love to come up with a solution that fixes all the issues, I just don't believe it. There will always be monkeys reading through tons of transactions, trying to spot the one that doesn't belong, and you will always have your credit card company calling you when suddenly there's $5k flying through some casino 800 miles from your residence.

    There is no ultimate security when it comes to banking apps, especially when you give end-users, and thus end-computers (which can and will be infected/modified/hacked in all ways imaginable or not), access to your application; you can't trust it. The only thing we can try to do is mitigate the risk for the general population, and hope we can filter out the few hacks. If you don't spot it, just pay the bill. The amount of money you lose that way will always be less than trying to fund impossible research that may yield nothing at all.

  7. No single "criminal mind" by davidwr · Score: 3, Insightful

    Your post displays a lack of understanding of the criminal mind. [snip] The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught.

    There is no single "criminal mind."

    True, many criminals grossly underestimate the chances of getting caught or suffering significant consequences.

    Some, those who protest against governments in violation of the law or who steal from the rich to give to the poor, do so for a real or imagined higher purpose.

    Others are aware of the consequences but get some benefit out of it, such as the thrill of "getting away with it," the thrill of showing they are, at least this time, more powerful than their victim or society, the thrill or other benefits of a drug high, or simply for financial gain.

    I can give you a USA-based example with misdemeanor speeding tickets: Many people spend their entire adult life speeding 5-10% over the speed limit on the highways even when it is safe to go the speed limit, knowing they will get caught a few times a decade. For them, it's simply a matter of cost-vs-benefit. In some parts of the world or for people with certain political connections, the cost-benefit equation for fraud favors the criminal.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  8. Learn some history by davidwr · Score: 3, Insightful

    The speed limit was set to 55mph in the mid-70s to conserve oil.

    Even with today's fuel-efficient cars, going 65 saves money over going 85.

    This is for at least two reasons:
    * atmospheric drag
    * engine efficiency

    The former you can't do much about save driving with a tail-wind: You will get more drag at 85 than 65, and more drag at 65 than 45, more at 45 than 25, and more at 25 than at a dead stop.

    The second is determined by the car's engineering. For cars sold in America, most have maximum engine efficiency somewhere in the mid-RPM range, corresponding to somewhere in the 50-70mph range in top gear. Any faster than that and you'll lose efficiency.

    As long as people are focused on pollution, don't expect wholesale speed-limit reductions, especially in urban areas.

    Oh, there is also the safety factor: Even on a road designed for 85mph travel, that's with a given level of traffic and with a given driver behavior pattern. If the traffic is lighter and the drivers behave "better", the ideal speed may be higher; if the traffic is heavier or you have someone weaving in and out of traffic, or even adverse weather or night driving, the ideal speed may be lower.

    Speed limits need to be set on a case-by-case basis for each road segment, taking into account typical actual traffic patterns including typical actual speeds, the accident and near-accident history of the road, pollution levels in the region and downwind, and other factors. The national maximum of 80-ish mph may be too low, but there are very few places near cities where anything higher than even 70mph makes sense.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  9. Re:Thwarted by properly designed online banking by kafka47 · Score: 4, Insightful

    I work for RSA and you are absolutely correct. Attempting to authenticate twice with the same tokencode will automatically yield a rejection.

    I believe the idea of this "real-time application" is that they see you typing in your passcode and zap that code into the authentication system before you do. The success of this hack is predicated on the notion that they are watching with bated anticipation, ready to spring into action the exact moment you sign into your online bank.

    The chance of this actually occurring is highly remote, to say the least. The technique of racing ahead of a potential 2-factor authentication is compelling in theory, but of little practical use. If they're going to get into your bank, it has nothing to do with "defeating" SecurID (or any other one-time display mechanism).

    Suffice it to say, this story is bunk.
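An added example, not code from this thread or from any bank or token vendor, of the transaction-bound challenge CrashandDie describes in comment 6 together with the reuse rejection kafka47 mentions in comment 9. The challenge layout, the shared token secret, the HMAC-based token response, the server nonce and the sample transfer are all constructed assumptions; the point it shows is that a response a real-time keylogger captures for one transaction neither authorizes a tampered transaction nor works a second time.

```python
import hashlib
import hmac

TOKEN_SECRET = b"constructed-demo-token-secret"  # constructed demo secret, not a real key

def account_digits(dest_account: str) -> str:
    return "".join(ch for ch in dest_account if ch.isdigit())[:6]

def build_challenge(amount: int, dest_account: str, nonce: str) -> str:
    """Bank side: first four digits echo the last four digits of the amount, last six
    echo the first six digits of the target account; a server nonce keeps it unique."""
    return f"{amount:04d}"[-4:] + nonce + account_digits(dest_account)

def user_checks_challenge(challenge: str, amount: int, dest_account: str) -> bool:
    """What the user verifies on screen before typing the challenge into the token."""
    return challenge[:4] == f"{amount:04d}"[-4:] and challenge[-6:] == account_digits(dest_account)

def token_response(challenge: str) -> str:
    """Offline token: HMAC of the challenge under the shared secret, as 8 digits."""
    digest = hmac.new(TOKEN_SECRET, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class TransactionVerifier:
    """Bank side: a response is valid only for the exact transaction it was computed over, once."""
    def __init__(self) -> None:
        self._consumed: set[str] = set()

    def verify(self, amount: int, dest_account: str, nonce: str, response: str) -> bool:
        if nonce in self._consumed:
            return False  # replay of an already-used challenge/response pair
        expected = token_response(build_challenge(amount, dest_account, nonce))
        if not hmac.compare_digest(expected, response):
            return False  # response was computed over a different transaction
        self._consumed.add(nonce)
        return True

def demo() -> tuple[bool, bool, bool]:
    """A keylogger captures the response typed for a legitimate transfer; the attacker
    tries it on a tampered transfer first, then replays it after the real one went through."""
    bank = TransactionVerifier()
    nonce = "734019"  # constructed; a real server draws this at random per transaction
    amount, account = 250, "DE 1234 5678 9012"
    challenge = build_challenge(amount, account, nonce)
    assert user_checks_challenge(challenge, amount, account)  # "0250 734019 123456"
    captured = token_response(challenge)  # what the keylogger sees the user type
    tampered = bank.verify(9999, "GB 9988 7766 5544", nonce, captured)
    legit = bank.verify(amount, account, nonce, captured)
    replayed = bank.verify(amount, account, nonce, captured)
    return tampered, legit, replayed
```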