Quote:
Originally Posted by Nimetic
And here's a problem you may not have thought of... I've been in internet cafes that have security cameras. How easy would it be to replay the keystrokes there.
Though you're correct in the existence of keyloggers,
Necrosis, I assumed, was talking about using your own laptop in a WiFi hotspot facility. Still, a camera would accomplish the same.
Keyloggers are a security risk everywhere (and probably a common thing after a hacker has had access to your system). Keyloggers record all keystrokes, and with a little guesswork you can easily derive usernames and passwords from them.
However, a keylogger would not do anybody any good with my online banking service. I have to enter a one-time key sequence to gain access. That sequence cannot be re-used. (This is for reading my account status.) For modifying my accounts (payments, bank transfers, and such) I need to use a physical 'calculator' to calculate an answer to the key sequence the bank gives me.
This solves several things:
- the system is based on the very secure something you know and something you possess system. The 'calculator' needs your bank card for its calculations and won't work without a PIN. (Hence you know the PIN number, and you possess your bankcard.) This defeats reading over shoulders or stealing your bankcard; a thief needs to do both.
(The 'calculator' itself is universal for all accounts. So stealing the PIN and bankcard is enough to "own" the account.)
- Proxy based (phishing) attack. Since the patching of a few browsers, phishing attacks are more difficult. The bank actually warns me to look at the browser address bar to verify that I'm actually communicating with the bank.
- Reading my log-in sequence will only allow an attacker to view my account status. (Note: this would actually help me, as he/she can confirm I don't have any money.)
- There is a single attack vector that would work**. But it requires a huge amount of preparation, access to the network and physical or hacked access to the PC to make it work. And even then, I've noticed that the bank is not easily fooled.
Trust me, the banks are very security minded (sometimes freakishly so), and, at least around here, will not implement a banking system prone to easy attacks. The thing is, banks rely on one thing: public trust. If public trust diminishes the entire banking system is at risk. Security issues are therefore dealt with swiftly.
Cheers!
** I haven't tried or researched into this attack vector. It might very well not be possible. But since the system was put in place a couple of years ago, it's been on my mind that it probably is possible, but very difficult to pull off, will only work on 1 PC at a time, and will not fool a vigilant user.
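The post above describes why a keylogger gains nothing against a challenge-response 'calculator' that needs both the bank card and the PIN. The following simulation is an added example written for this page, not code from the poster or from any bank: it models the bank issuing a fresh random challenge per transaction, the card reader answering it with an HMAC over a per-card secret (assumed HMAC-SHA256, truncated to 8 digits) only after the PIN checks out, and the bank accepting each challenge exactly once. All keys, PINs and the response format are constructed for the demo. It shows that a captured challenge/response pair cannot be replayed, that the captured response is useless against the next challenge, and that a stolen card without the PIN produces no response at all.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo values; a real bank and card keep these inside a smart card / HSM.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical per-card key
CARD_PIN = "4821"                                                  # hypothetical PIN


def _truncate(mac: bytes) -> str:
    """Turn a MAC into an 8-digit code a user can type (constructed format)."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class CardReader:
    """Models the stand-alone 'calculator': needs the card (its secret) and the PIN."""

    def __init__(self, card_secret: bytes, pin: str):
        self._secret = card_secret
        # Only a salted hash of the PIN is stored, never the PIN itself.
        self._pin_salt = secrets.token_bytes(8)
        self._pin_hash = hashlib.sha256(self._pin_salt + pin.encode()).digest()

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        """Return the response for the bank's challenge, or None if the PIN is wrong."""
        attempt = hashlib.sha256(self._pin_salt + pin.encode()).digest()
        if not hmac.compare_digest(attempt, self._pin_hash):
            return None  # something you know is missing: no computation happens
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        return _truncate(mac)


class Bank:
    """Bank side: issues a fresh challenge per transaction and verifies the answer once."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret
        self._outstanding = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        chal = f"{secrets.randbelow(10**8):08d}"
        self._outstanding.add(chal)
        return chal

    def verify(self, challenge: str, response: str) -> bool:
        # Each challenge is accepted at most once, so a replayed pair fails here.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = _truncate(
            hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        )
        return hmac.compare_digest(expected, response)


def run_scenario() -> dict:
    """Walk through the cases the post describes and report each outcome."""
    bank = Bank(CARD_SECRET)
    reader = CardReader(CARD_SECRET, CARD_PIN)
    results = {}

    # Legitimate transfer: fresh challenge, card plus correct PIN, answer accepted.
    chal1 = bank.new_challenge()
    resp1 = reader.respond(CARD_PIN, chal1)
    results["legit"] = bank.verify(chal1, resp1)

    # A keylogger or camera captured chal1/resp1; replaying the pair is rejected.
    results["replay"] = bank.verify(chal1, resp1)

    # The captured response is equally useless against the next challenge.
    chal2 = bank.new_challenge()
    results["reuse_on_new_challenge"] = bank.verify(chal2, resp1)

    # Stolen card but guessed PIN: the reader refuses to compute anything.
    results["wrong_pin"] = reader.respond("0000", chal2)

    # Card plus correct PIN still works for a freshly issued challenge.
    chal3 = bank.new_challenge()
    results["legit_again"] = bank.verify(chal3, reader.respond(CARD_PIN, chal3))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:24s} {outcome}")
```

Running the block prints one line per case; the only outcomes that read `True` are the two legitimate transactions. The design choice worth noting is that the bank consumes a challenge on any verification attempt, so an attacker who submits a wrong answer for an outstanding challenge also burns it for the legitimate user; real deployments pair this with attempt counters and card lock-out, which the simulation leaves out.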