Title: Protection against keyloggers
Post by: beckspace on October 11, 2011, 03:40:07 PM

Idea for

How my online bank prevents keyloggers from stealing the 6-digit PIN code: [image removed]

Although this is just another step to access my account (tokens, etc.), it's a virtual keyboard with two numbers for each "click", randomly placed.

My thinking is that with enough length, any PIN code can be relatively safe, even on public computers, BUT nobody wants to click a 24-character passphrase on a virtual keyboard, so it has to be combined with other security measures: a 6- or 8-digit numeric PIN code plus a passphrase field.

I wonder how many "screen captures" the attacker has to have to guess the PIN code. Anyone care to make that odd calculation?

edit: It doesn't work. Take the usual precautions: don't get compromised, use Unix, don't use public computers.

Title: Re: Protection against keyloggers
Post by: casascius on October 11, 2011, 04:05:27 PM

For 6 digits, I would say that someone who knows what was clicked will have 64 possibilities, only 1 of which is the actual PIN. It's 2^n where n = length of PIN.
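A simulation of the attack beckspace asks about, added here as an example; it is not code from the thread or from any bank's keyboard. It assumes the layout the post describes: ten digits spread over five keys, two digits per key, a fresh random layout for every login, and a screen-capturing keylogger that records which key was clicked at each PIN position. One session leaves two candidates per position (the 2^n guess list casascius gives, 64 for six digits); every further session keeps a wrong digit only if the shuffle puts it on the same key as the true digit again (probability 1/9), and the code counts how many sessions it takes until a single PIN remains.

```python
"""Added example (not from the thread): how many logged sessions does an
attacker need to recover a PIN typed on a virtual keyboard that shows two
random digits per key?  Assumptions: 10 digits over 5 keys, two per key, a
fresh random layout per session, and the attacker sees which key was clicked
at every PIN position (the PIN values below are constructed samples)."""
import random
from itertools import product

DIGITS = "0123456789"


def random_layout(rng):
    """One keyboard layout: five keys, each labelled with two distinct digits."""
    d = list(DIGITS)
    rng.shuffle(d)
    return [frozenset(d[i:i + 2]) for i in range(0, 10, 2)]


def observe_session(pin, rng):
    """What a screen-capturing keylogger learns from one login: for each PIN
    position, the pair of digits printed on the key that was clicked."""
    layout = random_layout(rng)
    return [next(k for k in layout if ch in k) for ch in pin]


def candidates_after(observations):
    """Intersect the observed pairs position by position.  The true digit is in
    every pair, so it always survives; a wrong digit survives one more session
    only if the shuffle happens to put it on the same key again."""
    n = len(observations[0])
    per_pos = [set(DIGITS) for _ in range(n)]
    for obs in observations:
        for pos, pair in enumerate(obs):
            per_pos[pos] &= pair
    return per_pos


def candidate_pins(per_pos):
    """All PINs consistent with the observations (the attacker's guess list)."""
    return ["".join(t) for t in product(*[sorted(s) for s in per_pos])]


def guess_list(pin, sessions, seed=0):
    """The attacker's guess list after logging a given number of sessions."""
    rng = random.Random(seed)
    obs = [observe_session(pin, rng) for _ in range(sessions)]
    return candidate_pins(candidates_after(obs))


def sessions_to_recover(pin, seed=0):
    """Number of logged sessions after which exactly one PIN remains."""
    rng = random.Random(seed)
    observations = []
    while True:
        observations.append(observe_session(pin, rng))
        if all(len(s) == 1 for s in candidates_after(observations)):
            return len(observations)


def average_sessions(pin_len=6, trials=2000, seed=0):
    """Average sessions needed, over random PINs, to narrow the list to one."""
    rng = random.Random(seed)
    total = 0
    for t in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_len))
        total += sessions_to_recover(pin, seed=seed * 100003 + t)
    return total / trials


if __name__ == "__main__":
    print("after 1 session:", len(guess_list("483920", 1)), "candidate PINs")
    print("after 3 sessions:", len(guess_list("483920", 3)), "candidate PINs")
    print("average sessions to pin down a 6-digit PIN:", average_sessions())
```

Under these assumptions the per-position ambiguity after k sessions is (1/9)^(k-1), so the guess list collapses quickly: on average about 2.6 logged sessions leave one six-digit candidate, and three sessions leave at most a handful of PINs, well inside a three-strikes lockout. Longer PINs change that figure only marginally, because each position is resolved independently.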
Title: Re: Protection against keyloggers
Post by: nibor on October 11, 2011, 09:13:21 PM

The reason it works for your bank is that if you get it wrong 3 times they lock your account. So the criminal has little chance of getting through.

The problem with encrypting the wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer. So the password needs to be much longer.

Title: Re: Protection against keyloggers
Post by: beckspace on October 12, 2011, 01:04:53 AM

> For 6 digits, I would say that someone who knows what was clicked will have 64 possibilities, only 1 of which is the actual PIN. It's 2^n where n = length of PIN.

Actually, I was asking how many sessions an attacker would have to log to be able to crack the PIN code exactly, with one or two chances at most. As a rough guess, a 6-digit PIN code can be cracked if an attacker has 10 - 30 sessions logged to study for patterns. So I think this idea (a virtual keyboard with dual random numeric characters) doesn't work well enough, because it will be only a matter of time...

> The problem with encrypting the wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer. So the password needs to be much longer.

That's right, edited.

> The reason it works for your bank is that if you get it wrong 3 times they lock your account. So the criminal has little chance of getting through.

And you have to go there in person to reactivate it. This idea won't even work for online wallets, since the semi-anonymous feature is inherent in Bitcoin's system, unless you prefer to identify yourself (not so much of a concern for some folks).

Heavily edited the head of the original post. This

Title: Re: Protection against keyloggers
Post by: vv01f on October 12, 2011, 06:28:42 AM

The only way I can imagine a real protection: some external hardware keyboard integrated with the app using a kind of OTR (per-session created keys for message sending, similar to TLS in terms of website security). But that would be expensive to create (at least the hardware part). Any other, perhaps "cheaply" achievable ideas?

Title: Re: Protection against keyloggers
Post by: Pieter Wuille on October 12, 2011, 09:27:11 AM

> The problem with encrypting the wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer.

The encryption mechanism in the Bitcoin client uses key strengthening to make sure an attempt costs around 0.1 s (on your own system). It's possible that the attacker has thousands of units of specialized hardware for cracking passwords, but in general he won't be able to take a million guesses a second.

Title: Re: Protection against keyloggers
Post by: gmaxwell on October 12, 2011, 09:51:25 AM

> The problem with encrypting the wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer.

Still— the point remains, you can't get away with a six-digit numeric PIN here... :)
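The offline-guessing cost that nibor, Pieter Wuille and gmaxwell argue about, worked through as an added example. This is not the Bitcoin client's code: PBKDF2-HMAC-SHA512 stands in for the client's key strengthening, the salt and PINs are constructed samples, and the 0.1 s per attempt figure is taken from the thread as an assumption rather than measured. The block first brute-forces a short PIN through the stretched KDF (an attacker holding a copy of the wallet can do this with no lockout counter in the way), then scales the per-attempt cost to the keyspaces under discussion, including an attacker with a thousandfold hardware advantage.

```python
"""Added example (not from the thread): what key strengthening does and does
not buy you against an offline guess at a stolen encrypted wallet.  PBKDF2 is
a stand-in for the Bitcoin client's strengthening; SALT is a constructed
sample and the 0.1 s/attempt figure is the thread's, used as an assumption."""
import hashlib
import itertools
import time

SALT = bytes.fromhex("a1b2c3d4e5f60718")   # constructed sample salt


def stretch(secret: str, salt: bytes, iterations: int) -> bytes:
    """Derive the wallet key.  Cost is linear in `iterations`, which is the
    knob that sets the per-attempt price for both the owner and the attacker."""
    return hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, iterations, 32)


def brute_force_pin(target_key: bytes, salt: bytes, iterations: int, digits: int):
    """Offline search over every numeric PIN of the given length, in order.
    Returns (pin, attempts).  There is no lockout: the only thing slowing the
    attacker down is the KDF cost per attempt."""
    attempts = 0
    for tup in itertools.product("0123456789", repeat=digits):
        attempts += 1
        guess = "".join(tup)
        if stretch(guess, salt, iterations) == target_key:
            return guess, attempts
    return None, attempts


def seconds_per_attempt(iterations: int, samples: int = 5) -> float:
    """Measure the per-attempt KDF cost on this machine (varies by host)."""
    t0 = time.perf_counter()
    for _ in range(samples):
        stretch("timing", SALT, iterations)
    return (time.perf_counter() - t0) / samples


def expected_crack_seconds(keyspace: float, sec_per_attempt: float,
                           attacker_speedup: float = 1.0) -> float:
    """Expected time to hit the right guess: half the keyspace on average,
    divided by how much faster the attacker's hardware is than the victim's."""
    return keyspace / 2 * sec_per_attempt / attacker_speedup


def keyspace_for_pin(digits: int) -> int:
    return 10 ** digits


def keyspace_for_passphrase(entropy_bits: float) -> float:
    return 2.0 ** entropy_bits


if __name__ == "__main__":
    # A 4-digit PIN with a cheap KDF falls in seconds on a laptop.
    key = stretch("4839", SALT, 200)
    print("recovered:", brute_force_pin(key, SALT, 200, 4))
    print("measured s/attempt at 200 iterations:", seconds_per_attempt(200))

    per = 0.1  # the thread's figure for the client's strengthening (assumed)
    for label, space in [("6-digit PIN", keyspace_for_pin(6)),
                         ("8-digit PIN", keyspace_for_pin(8)),
                         ("passphrase, 60 bits", keyspace_for_passphrase(60))]:
        for speedup in (1, 1000):
            secs = expected_crack_seconds(space, per, speedup)
            print(f"{label:22s} x{speedup:<5d} {secs / 86400:14.1f} days")
```

At 0.1 s per attempt a six-digit PIN is expected to fall in about 50,000 s (under a day) on a single machine and in under a minute for an attacker with a thousandfold speedup; eight digits only pushes that to roughly two months. A passphrase with 60 bits of entropy at the same per-attempt cost sits in the billions of years even with the speedup, which is the gap between "the bank locks you out after three tries" and "the attacker has the ciphertext and all the time in the world".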