When I log into my bank, I type in my user ID, my password, and then type in the answer to a question. It's all done on a keyboard. If I were to access my account on a public computer with a keylogger installed- and chances are, if it's a public computer, a keylogger *is* installed on it- then I could lose all my money.
Several times this summer, I've received email from people who've had their email or facebook accounts hacked. Usually, it's because of keylogging. Sometimes through malware, sometimes through physical devices.
I propose the following updates.
Have a pair of on screen keyboards- manipulated using the mouse- for entering passwords. Have it work in concert with the physical keyboard. This would allow the user to remove letters from the logging data, making it useless.
Why two onscreen keyboards? To make it more difficult to use mouse logging in concert with screen capture. The keyboards can also alternate between being in qwerty and alphabetical order and move around (between entered letters) to make it impossible to gather usable data. This wouldn't cancel the need for malware blockers.
People need to be educated by their email providers to check the integrity of the keyboard cord whenever they're on a strange computer.
There are always going to be workarounds. So, in addition to the password, I propose an extra layer of security that would be activated whenever someone attempts to access an account from a strange IP address.
When you set up an account, you are shown a series of cartoons with random names assigned. You memorize the names of the cartoon faces, which are provided to you so you can't be socially engineered. You then modify the names in two ways.
For instance, you're shown a goofy cartoon face and told that this is "Pedronimo." You're quizzed several times to make sure you've memorized this. When you access your account, you're sometimes asked to answer security questions as a refresher. You may also be asked to change the name in some way. Change, but not replace. For instance, you might use "redPonim00." You can now be asked questions based on this information. The questions are presented in mild captcha form.
"What is the original name of this person?"
"What is your version of this person's name?"
"Except for the first two letters, what is the original name of this person?"
"What are the last three letters of your version of this person's name?"
"What does this person do for a job?"
...and so on.
The keylogger may get the raw data, but not know the question- including what the face looks like. And even if the hackers got everything- including the face and the questions- you'd just have more cartoon faces than likely legitimate locations for logging in. The same face/question combination would never be shown to consecutive login attempts from different IP addresses. For consecutive visits to the same insecure IP address, you'd ask a different question about the same face.
Every once in a while, you'd learn a new cartoon face while working from a secure location and from within your email account. You enter all the information using mouse data- just in case- so that even if you're being keylogged, no one can see your answers or even infer that this is what you're doing. You have a choice about how many of these faces are used- as few as five and as many as ten or fifteen.
If a person happens to suffer from a bout of extremely poor memory, you'd have a set of backup questions which require sentence-length answers. While the exact spelling and order of words isn't essential, a certain minimum percentage of correct words is required. If you score low on one question- less than 95%, you have to answer another sentence-length question. If you can score above 90% on two, or above 85% on three, you get access to your account.
How do you keep from keylogging these answers? That's a problem. Inference of missing letters would be surpassingly easy if you were to do the mixed method mentioned above. Of course the questions would be in captcha form. The only solution I can think of is that every time you successfully answer one of these personal long-form questions, it is never used again. If you get less than 85% matching on a single attempt, the question is red-flagged and no further attempts at accessing the account from non-secure IP addresses will be allowed for 24 hours.
Could someone that knows you really well answer these questions? Possibly. This places a burden on using intensely personal content and idiom. Like the cartoon faces, this is a method that would need to be actively maintained. One could put the answers (without questions) in a secure place. A secure place is one that no one that knows you knows about. If someone that doesn't know you finds the sentence, they won't know what to do with it. They won't even know the question.
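The long-form fallback described above, as an added example and not the post's own code: word-overlap scoring (the post leaves the exact metric open, so the 85%/90%/95% thresholds are applied to the share of enrolled words present), the grant/ask-another/red-flag decision, and retirement of any question answered in the acceptance band. The enrolled answer is constructed sample data.

```python
import re
from collections import Counter

# Constructed sample data, not from the post: one enrolled long-form answer.
ENROLLED = {"q1": "the old dog chased the red ball down the garden path"}

def word_score(expected: str, given: str) -> float:
    """Share of the enrolled answer's words present in the attempt, ignoring case,
    punctuation and word order. The post leaves the metric open; this is one reading."""
    words = lambda s: Counter(re.findall(r"[a-z0-9']+", s.lower()))
    exp, got = words(expected), words(given)
    if not exp:
        raise ValueError("enrolled answer has no words")
    return sum(min(n, got[w]) for w, n in exp.items()) / sum(exp.values())

def decide(scores: list) -> str:
    """Apply the post's thresholds to the scores collected so far in one session.
    'red_flag': a single attempt under 85%; refuse untrusted-IP logins for 24 hours.
    'grant': one answer at 95%+, two above 90%, or three at 85%+.
    'ask_another': otherwise, pose a further sentence-length question."""
    if any(s < 0.85 for s in scores):
        return "red_flag"
    if any(s >= 0.95 for s in scores):
        return "grant"
    if sum(s > 0.90 for s in scores) >= 2 or len(scores) >= 3:
        return "grant"
    return "ask_another"

class LongFormChallenge:
    """Per-account question pool for logins from an untrusted IP address."""
    def __init__(self, qa: dict):
        self.pool = dict(qa)   # question id -> enrolled answer
        self.scores = []       # scores of this session's attempts

    def next_question(self):
        return next(iter(self.pool), None)

    def answer(self, qid: str, given: str) -> str:
        score = word_score(self.pool[qid], given)
        self.scores.append(score)
        # A question that scored in the acceptance band was typed in the clear on a
        # possibly keylogged machine, so it is retired and never asked again.
        if score >= 0.85:
            del self.pool[qid]
        return decide(self.scores)
```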
A program running on your phone uses a virtual-randomization algorithm: it runs a number through a series of mathematical operations (invisible to the user) and returns a sequence of digits based on the original. The login page offers a seed number, which you enter into the separate program, and it returns a four-digit number which is then incorporated into your password. For instance:
You're given a seed number of 59393
The virtual randomizer, which is itself a unique program created by random seeding, returns 8702.
Your part of the password is the word "rutebega." But "rutebega" all by itself doesn't work. You have to add the first digit before the first letter and the last three digits just before the last letter. Your password, in this instance, is "8rutebeg702a". Given a different seed number, it would result in a different password.
If someone gets the letter parts of your password- the "rutebega," they still need the randomizer to get the rest.
If someone gets both your phone, and your root word, they'd be able to get access to your account. Otherwise, using keylogging would do them no good whatsoever.
To authenticate your standalone app, it would generate a long number that represents the identity of the random program that it is using to generate the seeds. Enter this on your email account to match the math. You'd only need to do this once.
An example of a random program:
Seed squared times pi, take thirteenth through eighteenth digits, divide by the current date in six digit format, take cube root of the fourth through eleventh digits, invert the answer, multiply by the square root of 2, and take the third through sixth digits. Rearrange- first digit third, second digit first, third digit fourth, fourth digit second. And that's your seed. The individual steps, constants, use of independent variables, etc. are all subject to one-time randomization.
To prevent the program from being copied, you could have a line item that uses an internal identifier, such as a serial number, as a source of a constant. Furthermore, you could make the device unusable to a stranger using your phone by having a number added to the seed. Your email account would need to know what this number is.
In other words, part of your password would be entered on a separate device.
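The seed-to-password flow of the phone-program scheme above, as an added example and not the post's own code: the post's one-off arithmetic program is replaced here by a keyed HMAC (a stand-in, named as such), with the device's internal identifier and the number added to the seed as placeholder enrolment values, the digit insertion from the "8rutebeg702a" example, and the account-side check that "matches the math".

```python
import hashlib
import hmac
import secrets

# Hypothetical enrolment values, constructed for this example: the device's
# internal identifier that feeds a constant, and the number added to the seed.
DEVICE_ID = "DEVICE-SERIAL-PLACEHOLDER"
USER_OFFSET = 4242

def randomizer(seed: int, device_id: str = DEVICE_ID, offset: int = USER_OFFSET) -> str:
    """Stand-in for the post's secret arithmetic program: a keyed HMAC over the
    seed (plus the user's offset), keyed by the device identifier, reduced to four
    digits. Phone and account share these parameters, so both compute the same code."""
    msg = str(seed + offset).encode()
    digest = hmac.new(device_id.encode(), msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10000:04d}"

def compose_password(root: str, code: str) -> str:
    """First digit before the first letter, last three digits before the last letter."""
    if len(code) != 4 or not code.isdigit() or len(root) < 2:
        raise ValueError("need a four-digit code and a root word of two or more letters")
    return code[0] + root[:-1] + code[1:] + root[-1]

def issue_seed() -> int:
    """Login-page side: a fresh five-digit seed per attempt, so a logged password is single-use."""
    return secrets.randbelow(90000) + 10000

def verify(submitted: str, seed: int, root: str) -> bool:
    """Account side: rebuild the expected password for this seed and compare in constant time."""
    expected = compose_password(root, randomizer(seed))
    return hmac.compare_digest(submitted.encode(), expected.encode())

if __name__ == "__main__":
    seed = issue_seed()
    pw = compose_password("rutebega", randomizer(seed))   # what the user types
    print(seed, pw, verify(pw, seed, "rutebega"))
    # A keylogged password replayed against a later seed fails unless the
    # four-digit codes happen to coincide.
    print(verify(pw, issue_seed(), "rutebega"))
```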
I'm not saying that any of these ideas are perfect. All of them share the same issue of being more complicated than simply remembering a password. They wouldn't be used on secure computers, but they could be an option for questionable computers. Some of them might be considered fun. Some might appeal to those made paranoid by past experiences. Methods such as the ones I've mentioned could be provided on an optional basis. This means that hackers would go after the low-hanging fruit instead.