This post by Brian Krebs at The Washington Post says that two companies -- Trusteer and ING -- claim to have come up with a way to ensure the security of mobile banking even if the customer's machine itself is compromised. The reasonable first reaction to that claim is that the companies involved should take a lower profile.
The technology may or may not work as advertised. The point is that the attitude taken by the companies, at least in the way in which it is presented by Krebs, seems to be throwing out the type of challenge that crackers and malware distributors love.
The technology is said to encapsulate data within devices by controlling and securing the application programming interfaces (APIs). Trusteer, an Israeli company, has a good pedigree: The main investor is a co-founder of Check Point Software and now CEO of Imperva. The CEO is Imperva's other co-founder.
Hopefully, the boastful positioning is justified. This week, according to Network World, Symantec said that Adobe's Flash player was under attack and that "tens of thousands" of Web pages could be conduits for password-logging and botnet programs. The piece says Symantec now believes the flaw is close to one that already has been patched, but that the Linux version of Flash Player 9.0.124 is vulnerable. The company's researchers will no doubt get to the bottom of the flaw. The bottom line is, however, that this is yet another example of how motivated criminals are to install keystroke loggers and similar software.
As we discussed earlier this week, the security of bank and financial institution transactions is problematic. Of course, this is a huge target for hackers and crackers and, just as naturally, folks who use computing devices to do their business aren't as careful as they should be.
Keystroke loggers or keyloggers are one of the main avenues by which the bad folks rip off financial institutions and create other mayhem. As this Billso post points out, it is simple for a keylogger, once installed, to collect passwords and other salient information.
The writer offers two innovations that potentially meet the challenge. One approach is virtual keyboards, which use the mouse to choose the desired character. The piece provides a link to free virtual keyboard software from Neo. The other approach is an application that deduces the rhythm of a legitimate user's typing to determine if somebody trying to get into the system really is that individual. The story, which points to a system from BioPassword, positions this most naturally as part of a multifactor authentication approach.
This piece goes into far greater depth about keystroke loggers. The writer says that there are three types of keystroke loggers. Hardware keystroke loggers actually are installed between the keyboard and the PC. Another type monitors an API called SetWindowsHookExe and reports the identities of pressed keys. And kernel/driver keystroke loggers reside in the kernel and accept data directly from the keyboard. The first suggestion on how to combat these malevolent efforts is to bypass Internet Explorer.
This blog entry describes keystroke loggers and says that fighting them starts with good antivirus, anti-spyware and firewalls. The most valuable -- and fun -- part of the post is a recipe for safely using passwords. In notepad, the user should type random letters "like a chimpanzee on crack" for about two minutes. Once the chaos ends, drag characters forming the password to the beginning or end of the mass of characters. Whenever the password is needed, open the file and click on this saved version.
Hopefully, ING and Trusteer have solved all keylogging problems. Until that's proven to be true, however, the best idea is to use common sense -- and hope that the two companies keep a bit quieter.