Here’s an interesting piece of work being done by boffins at the Japan Science and Technology Agency (JST).
Many of us are aware of the problem of spyware, designed to snoop upon our computers, and steal files and data.
One common weapon in spyware’s arsenal is the ability to seize passwords by intercepting keypresses (known as keylogging) as users log into their email or access their online bank accounts.
Some banks have, of course, responded to this by producing virtual keyboards on their login pages which don’t require you to type a password – instead you pick out the correct sequence of letters and numbers with your mouse.
Of course – as is seemingly always the way with the cybercrime arms race – motivated malware writers responded to this defence, and developed more sophisticated spyware which took screenshots or even a mini-movie in order to grab passwords.
And that’s what the Japanese researchers hope to have defeated with their new system. By having multiple cursors randomly moving across the screen, they hope to make it nearly impossible for passwords to be captured by screen-capturing spyware or shoulder surfers.
It’s certainly a fun video, and might make things tricky for a password thief looking over your shoulder – but would it really defeat cybercriminals?
If the Japanese system was widely adopted, is it not possible that – just as malware authors evolved their attacks to steal screenshots rather than just grab keypresses – malware would be developed which would interrogate the computer and ask for the co-ordinates of the mouse cursor?
A screenshot could then be taken with the real cursor’s location highlighted in red.
I hate to be a wet blanket, but I’m not convinced this fun research spells the end to password stealing.
What do you think of this research? Do you think it would be a good thing if online banks and others adopted it? Or is it just a bit of fun? Leave a comment with your thoughts below.
We have been using this system in our Virtual Keyboard for years 🙂
The present legal consequences for identity theft are not a deterrent. The solution would be for them to be executed for their crimes. People have had their lives wrecked and the criminal must be made to pay the price. If the price that they have to pay is high enough, then maybe they will think before they steal.
Great idea! But first you need to catch the criminal. We don't seem to be much good at that!
<SARCASM>
Yes, because the death penalty has been so successful in stopping people from committing murder, hasn't it?
</SARCASM>
"<SARCASM>
Yes, because the death penalty has been so successful in stopping people from committing murder, hasn't it?
</SARCASM>"
I think I see your "error", Richard. You're approaching this rationally.
You're right, of course. But you will never convince the overwhelming majority of your fellow humanoids. The problem is that there is an almost universal belief in the myth that punishment actually provides an effective deterrent. That belief is so deeply entrenched as to effectively constitute a religion. You cannot shake it with rational arguments.
The threat of punishment DOES provide a deterrent, but only among those who are already disinclined to commit crimes in the first place. It does nothing to deter sociopaths…who, by definition, are the very people who commit crimes.
That looks too distracting to me.
I don’t think the idea is that the randomly-moving cursors appear *all* the time – I imagine it’s meant to be just when you’re using a virtual keyboard. 🙂
So, it will be too distracting when using the virtual keyboard, then… 🙂
I could tell which was the "real" cursor. It was fairly simple to follow its movements.
But only if you are matching his peripheral mouse movement with the virtual mouse movements. Otherwise it is nearly impossible.
How much online banking crime is conducted by shoulder surfers? (Hint: it's called "online banking crime" for a reason 🙂)
So that leaves malware.
And…since the real mouse position and the real click locations must be reported to the banking app at some point, the malware can acquire it, too.
Sure, it might take a while before the crooks figure out the additional code needed to do so. So it will probably leave the crooks in a hopeless situation for…oh, days, probably. Perhaps even a whole week…
Exactly!
How is this going to help against Zeus/SpyEye?
Spend as much time as you like putting hurdles in front of the user to *Authenticate*. The malware will just wait until you’ve completed that step, and use your authenticated session.
We need to move beyond *Authentication* and look at *Authorisation*. Did you really ask for that action? Are you authorised to perform that action? Is it an unusual action or set of actions?
What annoys me is that ALL Malware ALREADY intercepts mouse presses.
To counter that, they developed the "random tile set", which then caused malware writers either to use memory sniffing to find the "tile set" or to make occasional "screenshots".
As you said, it’s a cybercrime arms race. The virtual keyboards introduced by the banks several years ago lasted a few days until the advantage fell back to the hackers. Let’s see how long this one will last, should it be mass-introduced to the market at all. I like the idea, it is fun, but it will do nothing about the systemic weaknesses of the network.
How about multiple keyboards? I know it sounds simple, but simple works in my book.
This would work against the low-end keylogger taking screenshots. I question how well it would do against a video, where you could easily slow it down and follow the pointer you want.
It also does nothing really against shoulder surfers. If I can see your hand on the mouse then following the cursor is really simple. After all, the cursor is following the same movements as the mouse. Watching someone's hand is just as good as watching the screen.
I think this approach would be very effective at preventing someone from stealing your password by looking over your shoulder, but would not be effective against spyware, for the reasons stated in the article.
Fantastic timing – just as everyone's switching to touch-screen tablets.
Actually, touch screen can do quite a good job of foiling screen-shot recorders, as there's not any necessity to provide visual feedback of which virtual key is under my podgy digit.
Perhaps Microsoft (and the producers of competing operating systems) can put hooking touch screen messages under privilege control, raising the bar a little further. I don't think there's much need for a non-active application (/window without the input focus) to know what the user's doing with his/her fingers 😉
Complete waste of time! If the machine has been compromised, no amount of UI tweaks will make it more difficult for an attacker to capture credentials.
Whoever has developed this has a fundamental misunderstanding of how banking malware works today — it is just as easy to capture the actual password being sent from the browser to the bank server, or query the mouse driver to determine relative movements related to clicks.
We are seeing banking malware running requests through SSL/TLS stripping proxies, or MitM-ing browsers' TLS sessions with banks. This is UI fluff.
It's this kind of ‘security theater’ that makes our lives more difficult without actually adding any appreciable security to an application. Back to the drawing board I'm afraid!