Bitcoin Forum
Topic: Protection against keyloggers (Read 896 times)
beckspace
October 11, 2011, 03:40:07 PM  #1

Idea for online wallets, bitcoin client wallet encryption or 2-way authentication.

How my online bank prevents keyloggers from stealing the 6-digit PIN code:

[image removed]

Although this is just another step to access my account (tokens, etc.).

It's a virtual keyboard with two numbers for each "click". Randomly placed.

My thinking is that with enough length, any PIN code can be relatively safe, even on public computers, BUT, nobody wants to click a 24-character passphrase on a virtual keyboard, so it has to be combined with other security measures:

6 or 8 numeric digit PIN-code plus passphrase field.

I wonder how many "screen captures" the attacker has to have to guess the PIN-code. Anyone care to make that odd calculation?


edit:

It doesn't work. Take the usual precautions: don't get compromised, use Unix, don't use public computers.



casascius (Mike Caldwell)
October 11, 2011, 04:05:27 PM  #2

For 6 digits, I would say that someone who knows what was clicked will have 64 possibilities, only 1 of which is the actual PIN.  It's 2^n where n=length of PIN.

nibor
October 11, 2011, 09:13:21 PM  #3

The reason it works for your bank is that if you get it wrong 3 times they lock your account. So the criminal has little chance of getting through.

Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer.
So password needs to be much longer.

beckspace
October 12, 2011, 01:04:53 AM  #4

Quote from: casascius
For 6 digits, I would say that someone who knows what was clicked will have 64 possibilities, only 1 of which is the actual PIN.  It's 2^n where n=length of PIN.

Actually, I was asking how many sessions an attacker would have to log to be able to crack the PIN code exactly, with one or two chances at most.

As a rough guess, a 6-digit PIN code can be cracked if an attacker has 10 - 30 sessions logged to study for patterns.

So, I think this idea (a virtual keyboard with dual random numeric characters) doesn't work well enough, because it will be only a matter of time...

Quote from: nibor
Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer.
So password needs to be much longer.

That's right, edited.

Quote from: nibor
The reason it works for your bank is that if you get it wrong 3 times they lock your account. So the criminal has little chance of getting through.

And you have to go there in person to reactivate it. This idea won't even work for online wallets, since the semi-anonymous feature is inherent in bitcoin's system, unless you prefer to identify yourself (not so much of a concern for some folks).

Heavily edited the head of the original post. This doesn't even work well with physical banks (because of the "10-30 sessions logged pattern recognition" problem)!

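A worked version of the count beckspace asks for, added here as an example that is not part of the thread. It models the bank's keyboard as a fresh random pairing of the ten digits into five two-digit keys on every login (an assumption, since the post's image is gone), simulates what a keylogger with screen captures sees, intersects the observed pairs across sessions, and computes the exact probability that k logged sessions leave a single PIN. Under that model one session leaves the 2^6 = 64 candidates casascius gives, two sessions already isolate the PIN about half the time, and three do so more than 90% of the time. The sample PIN and all function names are constructed for the example.

```python
import random

PIN_LEN = 6  # the 6-digit PIN discussed in the thread


def random_layout(rng):
    """One login's virtual keyboard: ten digits shuffled and grouped into five
    two-digit keys. Assumed model: a fresh uniform random pairing every session."""
    digits = list(range(10))
    rng.shuffle(digits)
    return [frozenset(digits[i:i + 2]) for i in range(0, 10, 2)]


def observe_session(pin, rng):
    """What a keylogger plus screen capture learns from one login: for each PIN
    position, the pair of digits printed on the key that was clicked."""
    layout = random_layout(rng)
    return [next(key for key in layout if d in key) for d in pin]


def candidates(observations):
    """Per position, intersect the pairs seen across all logged sessions: a digit
    survives only if it sat on the clicked key in every session."""
    cands = [set(range(10)) for _ in observations[0]]
    for obs in observations:
        for pos, pair in enumerate(obs):
            cands[pos] &= pair
    return cands


def remaining_pins(cands):
    """PINs still consistent with the observations (product of per-position sizes)."""
    n = 1
    for s in cands:
        n *= len(s)
    return n


def pins_left_after(pin, sessions, seed=None):
    """How many PINs remain after `sessions` logged logins of `pin`."""
    rng = random.Random(seed)
    return remaining_pins(candidates([observe_session(pin, rng) for _ in range(sessions)]))


def sessions_to_crack(pin, seed=None, max_remaining=1):
    """Log sessions until at most `max_remaining` PINs fit; return the count needed."""
    rng = random.Random(seed)
    observations = []
    while True:
        observations.append(observe_session(pin, rng))
        if remaining_pins(candidates(observations)) <= max_remaining:
            return len(observations)


def prob_resolved(pin_len, sessions):
    """Exact probability that `sessions` logins leave a single PIN. After the first
    login each position has two candidates; the wrong one lands on the same key as
    the right one again with probability 1/9 per later login, so it survives all
    sessions-1 later logins with probability (1/9)**(sessions-1)."""
    if sessions < 1:
        return 0.0
    return (1 - (1 / 9) ** (sessions - 1)) ** pin_len


def average_sessions(trials, seed=0, max_remaining=1):
    """Monte Carlo mean of sessions_to_crack over random PINs."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        pin = [rng.randrange(10) for _ in range(PIN_LEN)]
        total += sessions_to_crack(pin, rng.getrandbits(32), max_remaining)
    return total / trials


if __name__ == "__main__":
    pin = [4, 2, 0, 9, 1, 7]  # constructed sample PIN
    print("candidate PINs after one session:", pins_left_after(pin, 1, seed=2011))  # 64 = 2**6
    for k in range(1, 6):
        print(f"P(unique PIN after {k} sessions) = {prob_resolved(PIN_LEN, k):.4f}")
    print("sessions needed (simulated mean):", round(average_sessions(2000), 2))
```

The intersection is the whole attack: the keyboard leaks one bit per position per session, and independent re-randomization each login means the leaks add up rather than cancel. The lockout nibor mentions (three wrong tries) is what limits the damage, not the keyboard itself.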
vv01f
October 12, 2011, 06:28:42 AM  #5

The only way I can imagine a real protection:
Some external hardware keyboard integrated with the app using a kind of OTR (per-session created keys for message sending, similar to TLS in terms of website security).

But that would be expensive to create (at least the hardware part).
Any other, perhaps "cheaply" achievable ideas?

Pieter Wuille (sipa)
October 12, 2011, 09:27:11 AM  #6

Quote from: nibor
Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer.

The encryption mechanism in the bitcoin client uses key strengthening to make sure an attempt costs around 0.1s (on your own system). It's possible that the attacker has thousands of units of specialized hardware for cracking passwords, but in general he won't be able to take a million guesses a second.

gmaxwell
October 12, 2011, 09:51:25 AM  #7

Quote from: nibor
Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of it off your computer.
Quote from: Pieter Wuille
The encryption mechanism in the bitcoin client uses key strengthening to make sure an attempt costs around 0.1s (on your own system). It's possible that the attacker has thousands of units of specialized hardware for cracking passwords, but in general he won't be able to take a million guesses a second.

Still— the point remains, you can't get away with a six digit numeric pin here... :)
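Added example, not code from the client or from anyone in the thread: a Python reimplementation of the key-strengthening scheme sipa describes (the client of that era derived an AES-256 key and IV from the passphrase with salted, iterated SHA-512 in OpenSSL's EVP_BytesToKey form, with the iteration count calibrated so one derivation took about 100 ms, floored at its 25000 starting value), together with an attacker-side brute force over a numeric keyspace and the throughput arithmetic behind the last two posts. The key_check verifier is an assumption standing in for the AES-encrypted master key the wallet actually stores; the sample salt and PIN are constructed.

```python
import hashlib
import time

KEY_SIZE = 32        # AES-256 key
IV_SIZE = 16         # AES-CBC IV
SALT_SIZE = 8
MIN_ROUNDS = 25000   # the client's starting and floor iteration count


def bytes_to_key_sha512(passphrase: bytes, salt: bytes, rounds: int):
    """Salted, iterated SHA-512 in the EVP_BytesToKey shape the client used:
    D = SHA512(passphrase || salt), then D = SHA512(D) another rounds-1 times.
    A single 64-byte digest already covers key (32) + IV (16), so one chain suffices."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    digest = hashlib.sha512(passphrase + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha512(digest).digest()
    return digest[:KEY_SIZE], digest[KEY_SIZE:KEY_SIZE + IV_SIZE]


def calibrate_rounds(passphrase: bytes, salt: bytes, target_seconds=0.1, probe_rounds=MIN_ROUNDS):
    """Choose an iteration count so one derivation costs about target_seconds on this
    machine, the way the client timed a probe run and scaled the count to hit 100 ms;
    never below MIN_ROUNDS."""
    start = time.perf_counter()
    bytes_to_key_sha512(passphrase, salt, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(int(probe_rounds * target_seconds / elapsed), MIN_ROUNDS)


def key_check(passphrase: bytes, salt: bytes, rounds: int) -> bytes:
    """Stand-in verifier for this example (assumption, not the wallet format: the real
    client stores the master key AES-encrypted under the derived key and checks that
    decryption succeeds). Here a hash of the derived key and IV plays that role."""
    key, iv = bytes_to_key_sha512(passphrase, salt, rounds)
    return hashlib.sha256(key + iv).digest()


def crack_numeric_pin(check: bytes, salt: bytes, rounds: int, digits: int):
    """Exhaust every `digits`-long numeric PIN against the verifier: at most 10**digits
    derivations, each costing `rounds` SHA-512 calls. Returns the PIN or None."""
    for n in range(10 ** digits):
        guess = str(n).zfill(digits).encode()
        if key_check(guess, salt, rounds) == check:
            return guess.decode()
    return None


def guesses_per_second(seconds_per_guess: float, parallel_units: int = 1) -> float:
    """Attacker throughput when each guess costs one full derivation."""
    return parallel_units / seconds_per_guess


def seconds_to_exhaust(keyspace_size: int, seconds_per_guess: float, parallel_units: int = 1) -> float:
    """Worst-case time to try every candidate."""
    return keyspace_size * seconds_per_guess / parallel_units


if __name__ == "__main__":
    salt = b"\x07" * SALT_SIZE  # constructed; the client draws a random salt
    rounds = calibrate_rounds(b"probe", salt)
    print("rounds for ~0.1 s per derivation here:", rounds)
    # Even at 0.1 s per guess, a 6-digit PIN falls to one CPU in about a day and
    # to a thousand units in minutes; a 12-character mixed-case alphanumeric
    # passphrase does not.
    for label, space in (("6-digit PIN", 10 ** 6), ("12-char [A-Za-z0-9]", 62 ** 12)):
        for units in (1, 1000):
            hours = seconds_to_exhaust(space, 0.1, units) / 3600
            print(f"{label:22s} x {units:5d} units: {hours:.3e} hours, "
                  f"{guesses_per_second(0.1, units):,.0f} guesses/s")
    # Small keyspace and small round count so the demonstration runs in seconds.
    check = key_check(b"0420", salt, 2)
    print("recovered PIN:", crack_numeric_pin(check, salt, 2, 4))  # 0420
```

Key stretching multiplies the attacker's cost by the iteration count, but a numeric PIN has only 10^6 values, so the product is still hours for one core and minutes for the "thousands of units" sipa allows for; the stretching only pays off once the passphrase itself has real entropy, which is gmaxwell's point.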