How to avoid key-loggers when authenticating access
Asked Answered
C

8

7

As per the title really, just what can be done to defeat key/keystroke logging when authenticating access?

I have just posted a related question (how-to-store-and-verify-digits-chosen-at-random-from-a-pin-password) asking for advice for choosing random digits from a PIN/password. What other reasonably unobtrusive methods might there be?

Any and all solutions appreciated.

Camala answered 2/8, 2010 at 14:42 Comment(3)
Are you sure keyloggers are your main concern? And if so, how come? It sounds like a dated attack vector IMHO.Contumelious
@Contumelious - Keyloggers are "dated" now? I've already had to throw away my cigarette-lighter microfilm camera and my rotory-telephone handset bugs. I guess I better head back to HQ for some new tech!Cecilia
Dated? you guys ought to checkout the sales of keyloggers on ebay... And they are still the easiest, cheapest way of intercepting all the authentication/security/encryption/hashing available. If you guys are thinking they are old-hat, then I would think again. Even biometrics are sniffable.Camala
M
6

A hardware-based keylogger will not be fooled by any solution that requires the use of a keyboard. So, to bypass those you will need to have input through the mouse only. But software-based keyloggers can be stopped by adding a keyboard hook in your own code which captures the keys and which does not call the next hook procedure in the hook list. But keyboard hooks tend to trigger antivirus software if used incorrectly and will cause bugs if you use them in any dynamic library with the wrong parameter.
And basically, a keylogger will use a keyhook to capture keystrokes. By adding your own keyhook on top of the malware keyhook, you'll disable the keylogger.
However, there are keyloggers that hide deeper in the kernel so you'd soon end up with a keylogger that will bypass your security again.

Don't focus too much on the danger of keyloggers, though. It's just one of the many methods that hackers use to get all kinds of account information. Worse, there's no way that you can protect your users from social engineering tricks. Basically, the easiest way for hackers to get account information is by just asking their victims for this information. Through fake sites, false applications and all kinds of other tricks they could just collect any information that you're trying to protect by blocking keyloggers. But keyloggers just aren't the biggest dangers.


One suggestion was to use pictures of cute kittens (or puppies) for the user to click on. What you could do is use a set of 10 pictures and let the user pick four of them as their "pincode". Then, whenever the user needs to enter their code, display the pictures in any random order so hackers have no use for it's location. If it's a web application, also give the pictures a random name, and just let the server know which is which. To make it even more complex, you could create 10 sets of 10 pictures, where every picture displays a single object but from a slightly different perspective, different angle or in a different color. Set 1 would be a chair, set 2 a table, set 3 a kitten, set four a puppy, etc. The user then just needs to remember: Table, kitten, chair, puppy. (Or puppy, chair, chair, table. Or kitten, puppy, puppy, puppy...)

Maclaine answered 2/8, 2010 at 15:3 Comment(1)
Accepted as the most comprehensive answer, with a hat-tip to Pavel for the flash suggestion.Camala
E
6

One solution to defeat keyloggers is to not care if they capture what you type.

One time passwords (search: "OTP") are one solution. Smartcard authentication is another.

Earle answered 2/8, 2010 at 15:7 Comment(0)
I
5

You could have a clickable image with the letters on it. Your users will be pretty mad though...

Ideation answered 2/8, 2010 at 14:43 Comment(6)
Use pictures of cute kittens instead of letters. Everyone loves cute kittens. Nobody will be mad! :)Contumelious
And if you are super paranoid randomly shuffle the letters/digits/kittens each time when you display them (to make users even more mad) :)Embosom
Unfortunately the 'key'-loggers then just record the area around the pointer on every click, so they know which actual letter/digit/kitten to click on, regardless of where it is on the screen.Autobiographical
@bzlm, I don't like kittens. I'm a dog-lover. :-) But pictures of cute puppies would make me happy so users should have to have an option to choose between puppies or kittens. ;-)Maclaine
I too am sick of "cute" kittens! They might have been cute once long time ago, but now Internet is full of "cute" kitten pictures! There ought to be a tax for each "cute" kitten picture uploaded! Anyway I think that cute little octopi are much better.Mythologize
I know at least one bank website that does this. They have a virtual keyboard on which you can "type" in your password.Pasteurize
A
2

You can allow to use only on-screen keyboard to enter password.

Or you can write module (on flash for example) for handwriting (via mouse or stillus) passwords recognition.

Amyl answered 2/8, 2010 at 14:44 Comment(0)
A
1

The only real way is a proper second factor authentication: Either something the person is: fingerprint, iris scan. Or something they have: one-time password list/generator; crypto-generator.

Autobiographical answered 2/8, 2010 at 15:6 Comment(0)
O
1

Assuming that only keyboard, and not mouse input is captured, you could type the password out of order moving the cursor with the mouse.

I really like the one time approach better, though.

Oisin answered 2/8, 2010 at 15:18 Comment(0)
M
1

How about a variation of standard password. For example you could have a list of words and have program leave out random letters from each word. In addition to that it would leave out one word from the list which user would have to remember and type it out.
If the words form a sentence, it would be easier or users to remember it but on the other hand creation of the sentence would be more difficult because you'd need to use words which can't be guessed from sentence's context.
Another variation of this could be to have program at random ask user to replace all letters i with 1 or a with 4 or to place say letter R after every third letter A or something similar.

Basically have a password which would be modified at random and have it instructions displayed to user how to modify the password.

Now that I think of it, I'm not sure how unobtrusive my ideas are...

Mythologize answered 2/8, 2010 at 15:36 Comment(0)
N
1

The online banking portal of my bank has a nice way that I find very unobtrusive. When creating the account, you define a 6 digit PIN (additional to a normal password). After entering your password, you're asked for 2 digits of the 6 digit PIN at 2 random positions. For example, if your PIN is 654321, it'll ask your for digits 2 and 5 and you'll click on 5 and 2 (it has a numpad with digits to click on). Even if you'd enter the digits with your keyboard, it would still be kind of safe because the attacker won't know which digits you've been asked for (unless he captures the screen as well, maybe using tempest).

So, short answer: Ask only for some parts of the password/PIN, in random order. Having the user use the mouse increases security.

One more idea: If you have a PIN (numerical password), ask the user for modifications of certain digits, e.g. "2nd digit plus 3, 4th digit minus 1".

Nolte answered 2/8, 2010 at 15:47 Comment(4)
I just noticed that you had the same idea in your other question. Sorry for not reading.Nolte
It only asks for two digits? That means a hacker has a 1 in 100 chance of guessing right! That's a chance to make it worthwhile to attempt hacking such accounts! I would at least demand a four-digit input. Still, there's the additional password that they need to guess first.Maclaine
Or, to make it simple: always keep track of the number of combinations that someone has to guess by just using "brute force". Passwords can be guessed by using dictionary attacks and usernames are also often easy to come up with. And although there's a small chance that your account gets hacked, many banks can have millions of accounts. With that many accounts, hackers do have a very small chance to guess things right. (Especially if account names are just email adresses.)Maclaine
Well, I consider it pretty safe anyways. You need to know the password before you can try to brute force the random PIN digits. The password is forced to be pretty safed by the system (8+ letters, must contain digits and mixed-case letters), and both, password and PIN digit prompts are limited to 3 attempts. Finally, even if you get into the account, all you can do is check the balances. For every money moving operation, creating scheduled jobs, changing account information etc, you need a random TAN (one of 200 6-digit numbers on a sheet you get via snail mail when creating an account).Nolte

© 2022 - 2024 — McMap. All rights reserved.