Schneier on Security
A blog covering security and security technology.
« The Price of Restricting Vulnerability Information |
| Sandia on Terrorism Security »
April 4, 2005
Police Foil Bank Electronic Theft
From the BBC:
Police in London say they have foiled one of the biggest attempted bank thefts in Britain.
The plan was to steal £220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui.
Computer experts are believed to have tried to transfer the money electronically after hacking into the bank's systems.
Not a lot of detail here, but it seems that the thieves got in using a keyboard recorder. It's the simple attacks that you have to worry about....
Posted on April 4, 2005 at 12:51 PM
• 19 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
still no multi-factor authentication that most likely could have prevented such keylogging trickery... shucks.
Are there no commercial anti-keylogger products available,within the IT budget constraints of this bank? Or, is it just that their "auditing system" is run by incompetents?
Unless of course, it was logging the admin access to the ACE(SecureID) server. Add your own token, bobs your uncle, or not as the case maybe. :p~
In the case of there being a hardware keylogger it is next to unlikely that there may be a piece of software to detect it. At best a program would measure the voltages at perhaps a time when the keyboard appeared to go offline for a second or so (during the time an attacker inserted an inline keylogger).
There are plenty of software keylogger detectors, but with so much spyware-antispyware trust violations it is questionable as to whom is working for whom.
The best policy is to physically check your keyboard linkage before typing. Wondering why you have have a ps2-ps2 converter? Or does your keyboard look a little bit cleaner than usual?.. these kinds of questions are the ones one should ask during such physical inspection... also hiding a sticky with your password under your keyboard doesn't help much around the time the cleaning crew comes buy and really cleans you out ;)
BTW, It is difficult to defend when:
a. you don't know what you are defending against.
b. your superiors have a deaf ear against anything that requires security.
c. those in charge of security, haven't the slightest clue of what security is.
Sounds like an insider (or two) could well have been involved. Makes technical prevention a bit more difficult if the people doing the illegal transfers are the same ones who are allowed to do other, legal, transfers. If this is the case, it would seem that detective controls, at least, worked. Maybe in this case the glass really is half-full.
I remember an authentication scheme suggested a while back for ATMs where the user is presented with a series of portrates in batches of 9. The position of the photos in the grid of 9 is random and the user must select the correct face from each batch. eg. the faces are family, or movie stars, cartoons, etc, and only the sequence mother, Seinfield, Micky Mouse, mother again, mother yet again looking different, will allow access. The shuffling of the pics prevents the same keys being used twice in a row.
For desktop authentication, how about mouse clicks? Can a mouse logger really know where the pointer is on the screen, and what is under the point at each click?
"For desktop authentication, how about mouse clicks? Can a mouse logger really know where the pointer is on the screen, and what is under the point at each click?"
If one owns the box, they pretty much own it all. Mouse events are not difficult to track since it simply relies on an xy axis. Some of the logging software out there even saves screen shots at a given interval for auditing. You could pretty much replay an entire user's session.
How about using images for authentication?
There is the issue of transition, but I guess it foils such keyboard logging attacks and even dictionary attacks.
The problem with images is that they tend to run afoul of various accessibility requirements, at least in the U.S. (ADA, Sec. 509, etc.)This has been an issue in the use of such images in mail challenge-response systems.
If you own the box, you have mouse clicks, yes, but are you recording them? And are you also recording information about what's being written to the display?
Here's something encouraging: my bank, Shinsei (www.shinseibank.com), requires an account number, card PIN and password for authentication to their on-line banking. They offer the option (in fact, it used to be the only option) of using the "secure input keypad" when entering your PIN. This pops up a new window with buttons from zero to nine that you click with the mouse. Even better, the buttons are placed randomly every time.
I was pretty surprised to see this coming from a bank, though they are well known for having very good IT guys.
TBH Mouse-click software is vulnerable to software attacks (such as "screen capture a square around the mouse pointer each click") but not really hardware ones - It is trivial to turn on "jump to ok button" in the settings of windows, which will randomly relocate the mouse to a different screen area each time a dialog box is presented.
Software is a lesser danger - not only are keyloggers/mouse-snapshotters obvious to anti-spyware packages, but it is more efficient (and easier) to simply modify the software to keep a record of the passphrases used; few if any people check their banking software against a "known good" copy or hashset, and an IE BHO could trivially access online banking information and send it (via http) to a server of the attacker's choice - no matter how clever the interface looks.
One of the more difficult to (aka higher hanging fruit)capture devices have a "protected PIN path". This is where the PIN is typed directly on the same device (multi-factor auth) to login. It completely bypasses the keyboard, so any keyboard sniffing will be futile when it comes to capturing the PIN.
"Auditing system run by incompetents" is not approximately equal to "those in charge of security haven't the slightest clue what security is" ???
""Auditing system run by incompetents" is not approximately equal to "those in charge of security haven't the slightest clue what security is" ???"
One difference is that those in charge of security that are beyond clueless may never get to the auditing part until it is too late.
Keyboard logging can be largerly defeateed my making users enter critical data using an onscreen keyboard in which the keys are randomized. Recording key and mouse actions will not tell you which letters were selected if each letter has a radnom position onscreen.
- The Precision Blogger
It's important that the 'onscreen keyboard' is coded with security in mind. Obviously it somewhat defeats the object if the onscreen keyboard returns the letter 'pressed' by simply generating a keyboard interrupt, which is what the keyloggers look for anyway...
Um, actually, it was the simplicity of the exploit that led to the arrest. The criminals performed typical "seed money" transfers, which set off alarms and led police to also capture various accomplices in other countries. Had they used a more sophisticated attack method....
Ha ha ha, oh, dear and what about that guy with access to the CCTV camera!?, but pointless then or the CRT scanner. Come on! read up on security!...
are mouse click recorded by the keylogger?
do you have a reseller in UAE?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.