Full Disclosure mailing list archives
RE: Most common keystroke loggers?
From: "Michael L. Benjamin" <mike.benjamin () clarinet com au>
Date: Fri, 2 Dec 2005 17:21:17 +0800
Although not particularly secure, this is an interesting method I saw in use recently. First you enter your account number, then... Say your PIN is 0467; they present the screen to the user like this (as an image):

+---+---+---+---+---+---+---+---+---+---+
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
+---------------------------------------+
| H | A | S | B | E | J | O | W | V | X |
+---+---+---+---+---+---+---+---+---+---+

In the password field you enter the letters corresponding to your PIN. Obviously the corresponding letters are generated prior to the web page being served, and the server side is aware of the equivalent values. So in this case your PIN transposes to "H E O W", and you type that in. The server checks this, transposes it back to your PIN of "0 4 6 7" and verifies the user.

Now, a keylogger is going to capture "H E O W". Without any additional smarts and knowing what appeared on the screen during the session, the keylogger is useless for determining the PIN. This will stop any non-targeted keyloggers. It's possible a hacker could write a specific keylogger to grab the image from the page and work out what the numbers/alphas are, but it becomes a more involved process and is specific to the website it is targeted at.

Overall an improvement on most sites.

M.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Shannon Johnston
Sent: Friday, December 02, 2005 01:25 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Most common keystroke loggers?

Hi All,

I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system.

Thanks,
Shannon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
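A server-side model of the digit-to-letter transposition scheme described in the post above, added here as an illustration and not code from the poster or from any site he saw. It draws a fresh letter row per login page, maps typed letters back to digits for verification, and counts how many PINs a logger that saw only the keystrokes would still have to try (function and variable names are my own).

```python
import hmac
import secrets
import string

DIGITS = "0123456789"

def make_letter_row(rng=secrets):
    """Pick 10 distinct random letters, one per digit, for one login page."""
    pool = list(string.ascii_uppercase)
    return "".join(pool.pop(rng.randbelow(len(pool))) for _ in DIGITS)

def render_table(row):
    """ASCII form of the table in the post (the site serves it as an image)."""
    border = "+---" * len(DIGITS) + "+"
    digits = "|" + "".join(f" {d} |" for d in DIGITS)
    letters = "|" + "".join(f" {c} |" for c in row)
    return "\n".join([border, digits, border, letters, border])

def transpose(pin, row):
    """Demo only: the letters a user must type for this session's row."""
    return "".join(row[int(d)] for d in pin)

def verify(typed, row, stored_pin):
    """Server side: map the typed letters back through this session's row."""
    typed = typed.upper()
    if len(typed) != len(stored_pin) or any(c not in row for c in typed):
        return False
    recovered = "".join(DIGITS[row.index(c)] for c in typed)
    return hmac.compare_digest(recovered, stored_pin)

def pins_consistent_with(typed):
    """Caveat: PINs still possible for a logger that saw only the keystrokes.
    Distinct letters map to distinct digits, so the count is 10*9*... over
    the number of distinct letters typed, not 10**len(pin)."""
    k = len(set(typed.upper()))
    count = 1
    for i in range(k):
        count *= 10 - i
    return count

if __name__ == "__main__":
    pin = "0467"                       # the post's example PIN (constructed demo)
    for session in (1, 2):
        row = make_letter_row()        # different table on every page served
        print(render_table(row))
        typed = transpose(pin, row)
        print(f"session {session}: keylogger sees {typed!r}, "
              f"server accepts: {verify(typed, row, pin)}")
    print("candidate PINs without the table:", pins_consistent_with("HEOW"))
```

Run twice, the same PIN yields different keystrokes each session, which is the property the post relies on; the last line shows the bound that remains once the table itself is captured is only the 10!/(10-k)! search, not a cryptographic one.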