Transec, a Secure Authentication Tag Library

Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

Then, the terrorists have already won...

[BadAnalogyGuy]

Seriously now. Are we going to inconvenience ourselves just because a few programs out there do Bad Things?

The solution isn't to work around the baddies but to eliminate them altogether.

Re:

[ultranova]

Seriously now. Are we going to inconvenience ourselves just because a few programs out there do Bad Things?

I'd imagine this would be most useful to run in my home server, so I could contact it from anywhere without having to trust the computer I'm using. And yeah, I'd rather inconvenience myself with this password entry method than with cleaning up the mess when someone hijacks the server.

The solution isn't to work around the baddies but to eliminate them altogether.

Funny you should mention "terro

Good luck. No chance in hell.

[Opportunist]

You're dealing with people who register a domain in Uzbekistan, run the server in the Ukraine and sit in Moldavia. With these three countries being placeholders for pretty much every country from the former East Block east of Poland. Now try to get ANY kind of help from law enforcement there concerning computer crimes.

Those law enforcement organisations there have real problems to deal with, they have no spare manpower for petty things like computer crimes. I say that so I don't say they don't want to stand up against organized crime 'cause they have families.

Re:

[Pollardito]

i'm sure there are plenty of law enforcement organizations in the US that would also tell you that they "have no spare manpower for petty things like computer crimes", it's not purely an Eastern Bloc problem

Re:

[TCM]

The solution isn't to work around the baddies but to eliminate them altogether.

A system doesn't get secure by removing the threat but by making the system secure.

You know why allergies exist? Among other things, because parents try to keep their children as far away from bacteria and dirt as possible.

The strongest system is the one continuously exposed to threats and adapting to them.

Re:

[aled]

You know why allergies exist? Among other things, because parents try to keep their children as far away from bacteria and dirt as possible.

The strongest system is the one continuously exposed to threats and adapting to them.

Yeah, you may need to kill some children in the process but the survivors will surely be the strongest, like the Spartans:

Sparta was, above all, a military state, and emphasis on military fitness began virtually at birth. Shortly after birth, the mother of the child bathed it in wine

Re:

[PrescriptionWarning]

I detect sarcasm, or perhaps a Bushism

Re:

[kalirion]

Seriously, the obvious and convenient solution are secure keyboards and mice that encrypt the input signals before they even get to the computer!

Lots o mouse clicks

[null etc.]

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

If so, the malware must go after specific types of clicks - for example, maybe it looks at the URL and form action to determine whether it's worth capturing the images. Otherwise, a typical day of perusing Digg articles could result in megabytes upon megabytes of captured images. And unlike text data, image data is hard to sieve for gold.

Re:

[Opportunist]

Current malware is already able to discriminate between "interesting" and "non interesting" sites. Even keyloggers only steal from pages that interest them. It is (not would be) the same for screenshot taking malware.

Re:

[cheater512]

Well if the system uses one form of images (like the demo) then its actually really simple to target and the screenlogger would even be able to perform basic OCR on it.

Heh...

[Anonymous Coward]

"I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?"

Well, it does now.

Re:

[Lev_Arris]

So basically, we should eliminate the mouse clicks altogether. People who know dontclick.it [dontclick.it] know what I mean: You could just 'touch' the numbers with the mouse cursor for them to register. That way, the screen logger would have to record an entire video to get the password.

Of course, implementing such a thing without Flash and the likes will be a little more tricky.

I'm skeptic

[cucucu]

This is assumed to counter keyloggers.
But if the bad guys have enough control of your the machine to install a keylogger, then what's going to stop them from installing a "screen logger" that keeps successive screenshots in a special directory on the hard disk.

This "new" product does not work around the principle that software cannot secure a computer for which you adversary has physical access.

Re:

[nospam007]

>This is assumed to counter keyloggers.
But if the bad guys have enough control of your the machine to install a keylogger, then what's going to stop them from installing a "screen logger" that keeps successive screenshots in a special directory on the hard disk.
--
To do what? It's a onetime 'password' it's useless to store no matter where.

Re:

[idlake]

To do what? It's a onetime 'password' it's useless to store no matter where.

It's not a one-time password. If it were a one-time password, they wouldn't need to keep it secret.

Re:

[Flibz]

They would if they wanted to stop somebody else from using it first...

Re:

[Greyfox]

I imagine the threat from that could be reduced by having the user select a sequence of images that could comprise his "password" and then presenting a random subset of those images for him to select each time. You could also intersperse a one time image that you could instruct the user to select each time it occurs, then use that as one of the number of random choices of which image is the correct one for a few days. If the user uses the same compromised machine for several days in a row his password might

Screen Capture

[DieNadel]

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

I've heard about it many times as well and even seen a proof-of-concept.

Anyway, it could easily be implemented, and that's the point. I think a good solution would be Deja Vu [zdnet.com] or something similar, with lots of information (tens of known pictures), so that you need to grab lots of screenshots before actually having a chance.

But even in Deja Vu, you'r

Re:Screen Capture

[ultranova]

Why can't we have a TCB that is really Trusted? A secure operating system is all that takes to divert these attacks (granted it's easier said than done).

How do you know the operating system in a particular machine is actually the Trusted version, and not a hacked version that's masquerading as the trusted one ?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ultranova]

How do you know the machine your typing on isnt replaced with one thats built for harvesting your passwords ?

It sits in my home, guarded by locks and dogs.

Re:

[DieNadel]

Perhaps you should read what [bldrdoc.gov] a [cam.ac.uk] TCB [everything2.com] is [answers.com].

In the TCB concept, all security mechanisms (including hardware) should be trusted and easily auditable. TCB != Trusted OS AND != TC [wikipedia.org].

Re:

[ultranova]

In the TCB concept, all security mechanisms (including hardware) should be trusted and easily auditable. TCB != Trusted OS AND != TC.

Very nice. So tell me: how do I know that a box I'm using in some net cafe to connect to Sensitive Server is, in fact, a computer that fulfills these requirements and not one that just claims it does ? Remember in your answer that as a human being I'm incapable of calculating public-key cryptography in my head, and I'm not carrying any extra hardware (because if that is al

Re:

[DieNadel]

Let me try to explain this again: TCB != TC. It has nothing to do with DRM (altough DRM has some to do with TCB, but this is one-way).

My point was that security is lacking, and that our operating systems today have no way of being completely secured. It was something like "Why, Oh, Why can't we have security?".

I know you're trying to be extremist when you mention a computer in a net cafe, but to be clear, nothing is aimed at securing a computer in a net cafe. Not the TCB, not the mechanism proposed in the a

Re:

[ultranova]

I know you're trying to be extremist when you mention a computer in a net cafe, but to be clear, nothing is aimed at securing a computer in a net cafe. Not the TCB, not the mechanism proposed in the article.

The summary says that this is meant to keep the password from being spied by the machine I use to connect to the server. However, I trust my home machine - which I manage - more than any remote server which I don't manage. And a work computer is likely going to be managed by the same person who manag

Re:

[DieNadel]

The summary says that this is meant to keep the password from being spied by the machine I use to connect to the server.

Right, to protect your password from being captured by a keylogger.

However, I trust my home machine - which I manage - more than any remote server which I don't manage.

OK, but the article is aimed at your machine. If your machine is already safe anyway, you could simply type your password. I think we both agree on this (this was what I said on my first post).

So, I just don't see this havin

Re:

[ultranova]

I think we both agree that this tech is close to useless, and that our argument was because you were relating TCB with TC or DRM (and they are not but far related). If that's not the case, please let me know.

The argument, as far as I can tell, is because I thought this technology as something you'd use to access a Web mail or something with a public (library, net cafe, etc) computer. Obviously, in such a situation, you'd have no way of knowing if the computer actually implements any security technology.

Re:

[Hel Toupee]

Virtualization may help with this, at least on the client side. I've considered using VMware and an OS-on-CD (Knoppix or whatever, as long as you know it's got no bad stuff on it) to conduct sensitive transactions from my otherwise-susceptible Windows machines. I would think it very useful if someone could come up with a browser and email app that runs on a minimal OS in a virtual machine that's hardened against spy/mal-ware interaction from the host system. This is the effect I have sort-of generated, a

Re:

[maxwell demon]

Of course if such a solution became widespread enough, malware would probably commonly attack the integrity of VMware itself, in order to infect the host OS. Also note that whatever program can modify the CD image can also modify the checksum.

Re:

[Jerf]

Why can't we have a TCB that is really Trusted?

Two reasons. First is the technical difficulty; until we finally have an OS that isn't based on C or C++ it's going to be problematic, and we really need to leave those apps behind (or in the hands of experts) too. Of course writing apps in buffer-safe languages isn't a total answer (still leaves all the escaping bugs behind, which accounts for things like SQL injection and XSS); it is a necessary condition, not a sufficient one.

"Trusting" buggy software, for p

I don't get it.

[XorNand]

Here's their demo app [micromata.de].

I don't understand why this has made it's way onto Slashdot? It's an image map. With a PIN pad. Besides the fact it looks like a solution looking for a problem, I don't see the innovation. This could very easily be replicated in praticially any web scripting language of your choice.

Re:I don't get it.

[mrjb]

This could very easily be replicated in praticially any web scripting language of your choice.
Exactly. It doesn't require any client-side processing. That's the beauty of it. This means you can TURN OFF javascript and it will still work.

As for the innovation- it allows a user to enter their pin while reducing the chance that it's snooped by malware, which is a Good Thing. It also makes it a lot harder for said malware to replicate the response compared to keyboard entry- because in addition to protecting your code, it also acts as a (primitive) captcha, making reasonably sure that whoever is entering the code is human.

Re:

[XorNand]

Right, but what's with all the hype about Java and the GPL? Server-size image maps don't need Javascript to work. Unless I'm totally missing something here (which is possible) I could cook together a PHP class that does this exact same thing in less than an hour.

Re:

[AutopsyReport]

But you haven't done that, whiz kid. Nobody cares that you can do this in a hour, because so can everyone else that knows PHP. The point is that nobody else has done it before, and this is a new security technique. Who are you trying to impress by telling Slashdot that you could copy someone else's idea in less than an hour?

Re:

[CAlworth1]

It doesn't really matter how long a new idea can be reproduced in to tell how good an idea.

Intelligence is when you look at another idea and think, "Hmm, I could have done that."

Genius is when you think, "Wow, I never would have thought of that."

Re:

[ZerothAngel]

Not sure if you've noticed, but I think most of the server-side work is due to the fact that the keypad images aren't static - they're randomly generated. If you go through the demo you'll see that there's an option (and I assume it's also available programmatically) to randomize at the start of a session or after each "keypress."

Doesn't ING direct already do something like this?

[antifoidulus]

When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, ie a bunch of images. They will also randomly assign letters to each number(different every time you log in) so you can still type them if you want without a keylogger figuring out what your pin is.

Right, they do that already

[ewn]

They also don't ask you to enter the whole PIN, but only a few randomly selected digits ("Please enter the 3rd and 5th digit of your PIN"), so an attacker who grabs the screen only once still doesn't have enough information. I think that's pretty smart.

Re:

[Opportunist]

Something like that delays the attack until the attacker knows enough numbers to make a qualified guess (attempt it and hope that one of the 3 attempts he has is for numbers he already logged). I wouldn't read too much into that kind of security.

Re:

[antifoidulus]

You are taking a very binary view of security(either it is secure or it is not). According to that view than anything that anyone could concievably access isn't secure because a determined enough attacker can potentially get access to it. It's like saying "I could put a lock on my front door, but a master locksmith could open it in seconds, therefore it is useless to put a lock on my door" While that may be true, the number of master locksmiths who want to get in and want to take my stuff is very, very s

Re:

[Opportunist]

The difference between real and virtual burglary is that the virtual trespasser is everywhere at the same time. One master locksmith with malicious intent can only pose a threat to a very limited amount of targets, those that are in his vicinity. With the internet, every computer is in your vicinity. And since the attack is automated, he doesn't have the time problem either. He can actually attack everywhere at the same time.

So yes, the amount of people able to do this (and willing to go criminal) isn't tha

Re:

[EvilIdler]

It works if you have a little gadget that generates you a new PIN every time,
like we do over here. But then getting random digits instead of the whole
PIN makes no difference :)

Re:

[Opportunist]

Even then, all he'd have to do is intercept the pin and not forward it to the server, then use it himself.

As soon as the attacker has control over your machine, you have lost. No matter what kind of security is enabled on the other end. The big problem banks don't want to see is that they want to create some way of trusting an untrustworthy machine. And that does simply not work.

At the consumer's end is a machine that is not under the control of the bank. They can not verify if the data sent is genuinely fr

One time pads. The only solution.

[plierhead]

When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, ie a bunch of images. They will also randomly assign letters to each number(different every time you log in) so you can still type them if you want without a keylogger figuring out what your pin is.

The trouble is, anyone who owns your PC and has installed a keylogger can just as easily spy on your display and see what you are clicking.

Sometimes I would swear my brain explodes at our slowness to learn.

The only true solution is one time pads. They are unhackable, and only a minor inconvenience.

I would give blood to be able to use a one time pad for my online banking. The trouble is, the industry, and Joe Public, still don't take IT security seriously. And this is totally a mindset. Some marketing guru should wake up to the possibilities of the one time pad - potentially the greatest chick puller since the circular waterbed - and get us the hell out of this horrendous hacky world.

Re:

[antifoidulus]

Um, if the attacker has complete access to your screen(and takes enough screenshots to monitor every mouse click, a hell of a lot of bandwidth I might add) then what is to prevent him from looking at your one time pad? I know one time pads are "algorithmically secure" but they are only as secure as your pad. If they control your computer, it wouldn't be all that hard to look at your pad. How big is your pad? If it starts to repeat then it is no longer secure. Are you asking the bank to store a huge pad

Re:

[plierhead]

You, my friend, are overly rooted in the electronic world. A reading of ancient cryptographic techniques would be useful.

You do not "install" a one time pad on your computer. You keep it in your pocket.

The classic implementation of a one time pad really is a pad - a pad of sheets of paper. You use one, you throw it away. Concerned about surveillance cameras? A blank sheet between every page obscures the next key. It may also be an electronic device that gives you the keys. But it is NOT your computer.

Re:

[antifoidulus]

First, I know what one time pads are, and I have read a lot of material on old cryptography techniques, but you still missed the very point! Supposed you have a one time pad and an attacker manages to get a keylogger onto your computer(this is the situation we are talking about, ING Direct is an online bank end of story, if you didn't know that then you really should not have hit the reply button because it's offtopic). So you carefully type in your one time pad into the computer. Guess what, since the a

Re:

[jargon82]

How does that work? The attacker would have to IMMEDIATELY capture your pad and prevent the login you were attempting. once you login, that pad is worthless to them. That seems to be a recipe for suspicion if you ask me.
More to the point, the attacker would have to know right away you had tried a login and login themselves at that point in time, before you figured out something was wrong and called the bank.
One time pads cannot be reused. once a login happens, it's dead. Certainly less trivial than anyth

Re:

[AxelBoldt]

You log in with your one-time password, you get a message from the bank "Sorry, our database is currently down, please try again later." This message was of course constructed by the keylogger that's running on your computer. The keylogger has already logged into your bank account with the password it just captured and is now busy moving your money to Russia. True, the keylogger needs a bit of knowledge about your bank's site, but it isn't that complicated really.

Re:

[spellraiser]

So you carefully type in your one time pad into the computer. Guess what, since the attacker has all your keystrokes, he can easily put himself in the middle and take the pad you so careflly entered and give them to the bank himself and boom, he has access with minimal effort.

This won't work if you enter only small bits of the pad at a time ... one bit for each login.

Re:

[enbody]

Where are my mod points when I need them -- ran out last night! Please someone mod this person's thread up -- he actually knows what's going on. Man-in-the-middle can defeat the perfection of a one-time pad. The missing element is the ability of the user to know (REALLY know) that he or she is talking to the bank.

Re:

[maxume]

One time pads are still susceptible to man in the middle and DOS-like attacks. I can either use my phishing site as a proxy for the bank site and try to log on to your account as you enter the information on my site, or I can entice you to give me your keys and use them up, or just get the bank out of sync with you, etc. Smart tokens help with the DOS, but they are still vulnerable to man in the middle attacks.

Re:

[rkmspence]

I would give blood to be able to use a one time pad for my online banking.

This is precisely how most online banking works here in Germany. When my TAN list (one-time pad) is finished the bank sends me a new set in the post. There is a time-limit as well: if the list isn't used in a while they send you new ones anyway (and the old ones are invalidated.)

Moreover, the system is really easy to use, nicely designed and quick.

One-time-pads, not a solution.

[Kadin2048]

One-time-pads are not a panacea either.

Let's assume you had a booklet of codes, a true OTP, that you used to log in to your bank. For each login you'd tear off the top sheet and use the next code.

That would still be susceptible to phishing. I could set up a site purporting to be your bank, and convince you to log into it. In doing so, you'd give me your next OTP code, which I could then use to log into your account and steal your money.

It would be a step up over conventional passwords, granted, but I'm not

Re:

[cockroach2]

The trouble is, the industry, and Joe Public, still don't take IT security seriously. And this is totally a mindset.

Well, I received a nice little SecurID [wikipedia.org] card from my bank, so that really depends on the country and/or bank.

Re:

[a.d.trick]

They are unhackable

Um, no? They would make it slightly harder, but not unhackable. Anyone who has sufficient access to your computer to install a keylogger could install software to monitor mouse clicks and get a copy of the image or image map. In fact if I knew what I was working with, I could probably write a JavaScript script to do it in a couple minutes, and then pug it into IE with activeX, Firefox as an addon (there's even more descrete ways to do this, but I'm not that familier with it), or Opera as

Java GPL Domino game ?

[Anonymous Coward]

With Java implementations being now under GPLv2 (and could go to v3 when ready), are we about to see some domino effect ?

Let's "GPL the world" !

Not sure MS will like this game .... maybe they should bring a new TLD : .bin :P

Randomly rotated?

[leehwtsohg]

Probably a mistake in the article... but if they just randomly rotate the keypad, then
take (mouse x-min(mouse x))/key size, and you get 10 possible pins. Try 10, and you are done.

If they randomly permute, then things would be a bit harder. If they randomly permute and have OCR-resistant digits, the pin would be very secure (though, if enough money is involved, a cracker would probably be ready to actually look at the image...)

Re:

[leehwtsohg]

You are right to some degree, but also wrong.

Their idea seems to be that the computer might be compromised, but the server is secure - so if the server creates the images, you can at least be secure against automated attacks - i.e. without human intervention. (because the attacker does not have access to the algorithm that created the images) This can work for as long as there are some tasks that humans can do and computers not.

If the computer is the last step in the authentication, then you are right. If y

nothing new here

[nihaopaul]

nothing new here, china has been doing it for online payments for the last few years, some are activex, some are javascript, some are java. but all i know is that they piss me off from a usability point. but in this context of a voting booth i guess it would be touch screens?

The French bank Société Généra

[fbonnet]

... in a slightly (and IMHO better) way. Try the following: go to https://logitelnet.socgen.com/ [socgen.com], then enter a bogus 8-digit client number like 12345678 in the upper left entry (below "Code client"), and validate. The system then asks for your PIN using a random keypad. Not only does the position of the keys change, but also the position of the keypad on the page. Of course it doesn't defeat screen grabbing but it's enough for mouse/key loggers.

Re:The French bank Société Gén&

[dolmen.fr]

Avantages of the Micromata solution:
- It does not require JavaScript. It just requires a mouse and the browser feature used (input type=image) is available in every graphical web browser since more than 8 years ago.
- It is quite resistant to HTTP spying, as spying HTTP POST request is not enough to replay

Re:The French bank Société Gén&

[Iphtashu Fitz]

That's virtually identical to what ING Direct does, which was discussed in a previous thread. The problem is that a sophisticated keylogger could also capture screenshots and mouse coordinates. From that the PIN could easily be determined.

OPIE

[sonicattack]

Using images as a PIN-code isn't making things much more secure, if the same images are used every time. The credentials are still sent in a way that can be logged. It's just an extra annoyance for those who want to steal your password.

I use one-time passwords for accessing my home computer over SSH. Anyone can log my keystrokes, or look over my shoulder how much they want. The password is generated by an OPIE client running on my cell phone, and is valid only once.

OPIE clients run on virtually any kind of device. Just as long as you don't run it on the actual computer which you use to access the server, this is a more secure solution.

Using OPIE on untrusted servers would still present the security problem of initial passphrase synchronization between server and OPIE client - unless the passphrase is sent to the user by some secure channel, unlikely to be snooped.

Re:OPIE - one time passwords

[BrakesForElves]

Dead on. In the face of malware and rootkits, the only secure passwords are those which can never be re-used. My personal favorite is having the secure site SMS a one-time password to my cell phone. Sure, it's a little inconvenient, but not as inconvenient as having a hacker root me with a keylogger/mouselogger/screengrabber/whatever and drain my brokerage account into his bank in Nigeria.

Yes, such a threat exists

[Opportunist]

Without breaking NDAs I can verify that such malware exists, in the wild. So far this functionality (taking screenshots) has not been used widely, but the necessary functions are there, screenshots are taken, it's just not been necessary to use them.

Picture shots would certainly increase security and raise the bar for malware writers. Current BHOs are able to manipulate the data stream on the fly, so you can never be sure what you send to your bank, and whether the data your bank sends to you is actually also displayed. With a picture, this becomes harder to manipulate.

Harder. Not impossible. Many malware BHO families are already prepared for this kind of defense and are working on a way around it (or already found a way around it). Any claim to make malware impossible is a lot of smoke screen and even more snake oil. The best defense against such attacks are still:

1. Using non-mainstreamy software. Malware is a business, target is the mass market. So the further you're from the "masses", the higher the chance that the malware can't strike you. Using Firefox instead of the omnipresent IE is a good step. Defeats a good deal of malware. Taking a step further and using a Mac or Linux almost eliminates the threat. That doesn't mean MacOS or Linux are more secure (I'll spare you and me the discussion), that simply means that their market share is smaller and thus it is less interesting for malware writers.

2. Using a brain when connecting to the 'net. Clicking everything and using mainstream apps is a surefire way to catch some kind of infection. Even with current anti-malware tools installed. No antivirus is able to catch everything (and they usually are at least one day behind the malware writers). No security tool is able to intercept all invasion attempts (Windows simply offers way too many entry points). Software is no replacement for brains and common sense.

Re:

[MichaelSmith]

Software is no replacement for brains and common sense.

Now there's a quote I can put to good use in my day job!

Re:

[Opportunist]

I prefer "There is no technical solution for social problems"

Re:

[Bardsley]

"I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?" I have seen such malware in the wild. I forget the exact name of the infection but a while back there was a virus/trojan which would begin taking screen captures when the user visited certain banking webpages, save them to a hidden directory and then attempt to email them to a remote location. The user whos machine I saw this on had a whole di

Re:

[Opportunist]

Do you happen to have those screenshots still? Would be a nice addition to my summary.

Re:

[Opportunist]

Or something more sinister.

Even though IMO some of those anti-cheat technology, along with a bunch of copy protection drivers, do qualify as malware. They exhibit a lot of behaviour that makes software malware.

a bit futile isn't it?

[Xiph1980]

I don't get it...
Why not use something like this:
http://www.vasco.com/products/product.html?product =48&VSID=6d7fc48bd716da9ea9996168a1d6880b [vasco.com]
It's a little calculator-like device, which only changes one 6-digit number into another 6-digit number. I don't know the workings behind it, but it's a unique calculation per device, and they're cheap and easy to use.
You just log into a webpage, enter the number on the back or a logincode if the number is registered to a login, input the (changing per page-re

Re:

[Xiph1980]

Not really, since the code entered to get thru is based on the code the site gives, and the internal code of the calculator. There are a million possible codes that the site can ask for (000000~999999) and each of them generates a different entry code, so the chances of the man in the middle intercepting a code he can re-use are extremely slim.

Re:

[enbody]

so the chances of the man in the middle intercepting a code he can re-use are extremely slim.


That is a correct statement, but misses the point. It would be nice for a man-in-the-middle to get a reusable value, but it isn't necessary for a successful attack. The man-in-the-middle can clean out your account during the session you have successfully set up. I saw a demo of this with a person setting up a man-in-the-middle attack on his own brokerage account using a device which generated one-time passwords f

Broken by design.

[drolli]

At least in their demo the entropy in the assignment between the coordinates and the numbers input is completely missing. Not a good "encryption" or "security" scheme.

Re:

[drolli]

What exactly makes you believe that a cesar cyper (and "rotating" the letters is nothing else) increases the security? As I said there is too little entropy in this. Would I be given the task to enhance a malware in a way that it works against this scheme i would only have to grab the first letter "button" displayed (always at the same position -> easy), compare it to all letters (easy, they do not even put noise on the buttons) and add its character value to the standard table. So the task which this p

Itaú in Brazil has something similar but bett

[Anonymous Coward]

Their scheme it like this: when they ask you for your PIN, they give you a keyboard which has buttons like [1 or 4], [3 or 5], [2 or 8], so there are five buttons. You can input your password even with someone looking over your shoulder and they won't know what your password is, because the buttons are ambiguous and the numbers are grouped randomly. They would have to be able to watch you a few times until they can be sure of your password. This reduces the search space for a brute force attack, but as the

Not secure

[dk.r*nger]

The image is a map, when you click it, coordinates are POSTed to the server, that replies with a new image.
Grab the coordinates and the image, and you can stich together the password with close to no effort.

No authentication from compromised client.

[Kadin2048]

One assumes they're doing this over SSL, so grabbing the coordinates and the image shouldn't be trivial. If you can do that, then you can conduct a MITM attack and basically the whole system is hosed; I don't think they're claiming (or, if they are, they're foolish) to be secure against that.

I'm still not convinced that you can do any kind of secure authentication if the client machine into which you type the password (whether it's typed as text or onto an imagemap or via any other means) is assumed to be u

Re:

[dk.r*nger]

They are claiming that this is secure when malware is installed as a browser helper object - I'm not even talking about grabbing the network traffic, this is even simpler, just access the DOM and go.

And the blind...

[Anonymous Coward]

Are supposed to log in how?

Re:

[pacinpm]

Provide them randomly generated hash table: 1234567890 JBFAHECGID Then ask them to enter letters instead of numbers (J instead of 1, B instead of 2 and so on). Should work OK on Braile screens. PS. I think I need to patent this.

Another Solution

[ianpurton]

If you're looking for a solution that will remain secure even with a keylogger, screengrabber, person over your shoulder or CIA microwave monitor tap try...

1. Please enter your username
2. Please enter the 2nd and 6th letter of your password.

Randomize the digits asked for in 2 and hide password fields.

Umm... nope

[Opportunist]

First of all, it's a matter of time to get the whole password. It's nice for one-time pads but then again, why bother asking for only part of it?

Second, you could redirect the transfer and execute a classic man in the middle, where you simply cut the user off the moment he logged in and take over.

Not usable by the blind

[gkearney]

At the risk of starting another flame war about why we should care about the blind...This system is unusable by the blind using a screen reader. You are unable to detect the location of the "buttons". I tested it with both the MacOS built in screen reader (VoiceOver) and a window add on (Jaws) screen reader.

So, in the U.S.,unless your looking to have the National Federation of the Blind, American Council of the Blind or the Justice Department come after you in court you would be well advised not to implemen

Re:

[Si]

the blind don't drive remeber

Well, not usually [bbc.co.uk].

obvious and bad

[idlake]

The reason people aren't using this more widely even though it's obvious is that it's also not a very good solution, for many reasons.

If you want something secure, use one time passwords or an authentication token.

And if you think you might have spyware on your computer, reinstall, preferably an operating system that is less susceptible.

what is it about voting machine companies?

[oohshiny]

While developing the Polyas (German) online voting system,

Why do those companies seem to attract the most incompetent developers?

Micromata invented a component

[sarcasm]What else did the "invent"? The mouse? Sex? Combining peanut butter and jelly?[/sarcasm] Using these kinds of inputs has a long tradition.

for secure PIN/password input via untrusted, insecure browsers.

It's not secure, not even close to it. And it has big usability problems. The approach is of some use in some applications, but for an on

Re:

[maxwell demon]

but for an on-line voting system, there are so much better things you can do, like send people a list of one-time passwords along with their voter registration card.

Or have the voter registration card be a smartcard with one-time passwords directly stored on them (protected by a password/pin which is never transmitted anywhere, not even to the computer the smartcard reader is connected to). You'd need to have a smartcard reader with pin field for online voting, but hey, if you don't want to pay for that, yo

Re:

[jackjeff]

there are so much better things you can do, like send people a list of one-time passwords along with their voter registration card.

The company being German this is all the more surprising that they did not think about using it. In Germany, one of the major banks (not to say a monopoly), named Sparkasse, uses One Time Pads for Internet access. You receive a list of pads by "secure" snail-mail, which along with your login and password, lets you have access to sensitive features of the website such money t

Secure Keyboard Idea

[nmg196]

I had this idea for a secure keyboard. You could make a keyboard (or adapter dongle) which is capable of encrypting each character you type with a public key (PGP style). Once you browse to a secure site that supports it, a browser plugin would send your keyboard the public key and the keyboard would then encrypt everything you type using that key and the browser will send the result directly back to the website. You'd have to use a protocol that lets you detect a man in the middle attack (and I'm sure they

Re:

[Iphtashu Fitz]

There's probably some massive flaw with this idea that I haven't thought of? :)

Man in the middle attacks. If they can intercept the keys then they can intercept the encrypted characters and decrypt them.

Re:

[lamber45]

Three big flaws:

1. The PGP protocol is designed for encrypting entire messages, not single keystrokes;
2. A lot of places with public-access computers don't want people plugging in their own keyboards; or at least such activity would look suspicious;
3. There is no way to securely read the response if it contains confidential information (like a bank balance or internal memo)

Now, there might be a use for a device that pgp-encrypts a message and sends it to a keyboard-dongle so so the encrypted text can be e

JavaServer Pages?

[Lethyos]

They are still widely in use, but if you are up-to-date in Java web application technologies, you are probably aware that JSP is dead. This is not a troll. JSP is rapidly being pushed out by alternatives like Facelets [java.net] (which is used to define JavaServer Faces [sun.com] views), Tapestry [apache.org], and Wicket [sourceforge.net]. All of these are XML, disallow any logic in the view (thus encouraging proper MVC), and do not require a mountain of boilerplate code to extend [sun.com]. Why anyone would use JSP these days is totally beyond my understanding.

Biggest Problem

[gwayne]

For those of use that suffer with Section 508 accessibility requirements, using this technology in voting and other (U.S.) government applications would be a show stopper. A screen reader would not be able to interpret the images, and if you put ALT="Your PIN is 1234", that defeats the whole purpose.

Malware screen grabbing...

[mikael]

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

It's definitely possible to write a screen capture program that can copy a region, window or even the entire screen. There are numerous shareware programs which will allow you to do this. Some even allow you to perform screen-grabs across the network. Even the MSDN developers CD proved an example program to do this. Other programs
demonstrate how to

Re:

[jgoemat]

But why bother grabbing the screen - most passwords just show up as *******'s anyway, so all a malware writer has to do is log keyboard events.

Because this system gets around that by not using keypresses. This system displays the numbers randomly shifted below your PIN as images. After you click on one number, it tells the server where you clicked in the image and can shift the numbers again. This way, a keystroke logger will receive zero keypresses, only mouse clicks. The previous poster was makin

Security by unavailability

[flibuste]

The demo page is full of typo errors and it just doesn't work with Firefox. Now THAT is secure since nothing goes anywhere...

Keyboardless computing?

[HTH NE1]

It seems like every time someone mentions keyboardless computing I have ten more web forms with required text fields to type into.