Re: Defeating keyloggers with encrypted one time passwords (a patent spoiler?)
- From: Sebastian Gottschalk <seppi@xxxxxxxxx>
- Date: Mon, 26 Dec 2005 03:17:57 +0100
> (Sorry for dragging up this thread but..)

> First; those one-time passwords are in use at many Swedish banks that have customers logging in from the internet to pay their bills. You get a small hardware box for 2-factor auth when you get your internet bank account. I also read somewhere about a 2 factor solution that did challenge/response over the mobile phone network (which is rather cool)

> There ARE programs that effectively can block keyloggers based upon API functions say SetWindowsHookEx(), see:

There are keyloggers which simply hook such programs themselves. And then simply hook back their original hook.
The better ones simply install their very own drivers. Or hook the kernel.

> The question is: Can that kind of program be told to "do not disturb the user" and block untrusted software from creating global hooks... we will see.

Minding the certain flash of many so-called security software, most of the users see such a disturbance as a sign that the program is working - conversely, no such disturbance must be a sign that the program isn't working very well.

> Cutting/Pasting passwords into clipboard is also attacked by some keyloggers, so using OSK.EXE or Charmap.exe is not safe either..

It's one of the safest things today.

> IMO, The BEST thing would be to intercept API calls and (while running) introduce false positives to potential keylogger applications since YOUR application will be able to tell the difference between what is desired input and what is crap.

IMO the BEST thing is to not run any keylogger at all. Is booting up the system from a Linux Live-CD really that hard?