Anti-Keylogger Myths

Over the last few years, several technologies have been suggested in order to strengthen or replace the traditional password input field, as a result of its vulnerability to keyloggers. This whitepaper surveys the myths of anti-leylogger technologies, and pinpoints material flaws in each such technology.

2007© All Rights Reserved.

Trusteer makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Trusteer. While every precaution has been taken in the preparation of this publication, Trusteer assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

Anti-keylogger myths

Table of Contents Introduction...... 3 1. Virtual Keyboard/keypad/PIN-pad ...... 3 2. Graphical Passwords ...... 4 3. Password Managers...... 5 4. Keystroke Dynamics ...... 6 5. One Time Passwords ...... 7 6. Keystroke Encryption ...... 8 Summary ...... 8

2 Anti-keylogger myths

Introduction

The Anti Phishing Working Group, a global pan-industrial and law enforcement association, defines keyloggers as “crimeware code which is designed with the intent of collecting information on the end-user in order to steal those users' credentials.” According to the Anti Phishing Working Group there are between 200 and 300 new unique variants of keyloggers each month. The SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment last year, as many as 9.9 million machines in the United States were infected with keyloggers of one kind or another, putting as much as $24 billion in bank account assets — and probably much more — literally at the fingertips of fraudsters. According to the Anti Phishing Working Group, there were 3,353 unique websites hosting keyloggers in May 2007. It is of no wonder then that many technologies were suggested as an effort to overcome keyloggers. Most of them involve changing the way consumers sign into web applications and usually avoiding keystrokes altogether. However, the technology used by keyloggers is not limited to tapping the keyboard and can be easily adapted to evade various anti-keylogger techniques. Thus, most anti- keylogger technologies can be easily defeated using slightly more advanced keyloggers. This paper reviews the common anti-keylogger technologies and determines whether their claims are myth or reality; Or in other words, how easy it is for fraudsters to bypass each technology.

1. Virtual Keyboard/keypad/PIN-pad Stop Keyloggers

Myth or Reality: Myth The most wide-spread measure against keyloggers is replacing the physical keyboard with a virtual keyboard (a.k.a. keypad or pinpad). The virtual keyboard is drawn on the screen and instead of keystrokes, the user points at the visual key with the mouse and clicks the mouse. There are several variations to this scheme, including replacing the mouse-click with “hovering” (meaning, the user is supposed to leave the cursor over the key for several seconds instead of clicking the mouse), randomly changing the key positions and keyboard layout, etc.

Virtual Keyboard Example 1

1 Screenshot of the Microsoft Windows On-Screen Keyboard

3 Anti-keylogger myths

Virtual keyboards are very easily bypassed using screen capturing. Instead of capturing keystrokes, the attacker captures the vicinity of the mouse pointer, each time the mouse is clicked. This provides the attacker with the image of the key the user clicked. If the designation method is hovering (for few seconds), the malware can detect lack of mouse motion, and record the mouse pointer’s surrounding. This counter attack against virtual keypads is in fact already found in the wild: • http://www.hispasec.com/laboratorio/cajamurcia_en.swf (video demonstrating a trojan attack against Caja Murica bank of Spain) • http://www.tracingbug.com/index.php/articles/view/23.html (demo of an attack against Citi Bank India)

2. Graphical Passwords Stop Keyloggers

Myth or Reality: Myth Another method that obviates password typing is “graphical passwords” (or Graphical User Authentication – GUA). This is a name for a family of solutions, whose common theme is a password whose representation is graphical. The user is then required to identify the password (or parts thereof) in graphics provided by the server as a “challenge”. This challenge changes with each login attempt. In most practical solutions the user is required to identify a part of the password (an object) inside a set of graphical objects (one correct and many decoys). Choosing the correct object is typically done by clicking over it with the mouse.

Example screenshot 2 requiring the user to choose the password picture

2 From “Picture Password: A Visual Login Technique for Mobile Devices” (NIST publication NISTIR 7030) by Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers and Ryan Swanstrom, July 2003 http://csrc.nist.gov/publications/nistir/nistir-7030.pdf

4 Anti-keylogger myths

Security-wise, this is conceptually identical to the virtual keyboard. Here too, a combination of mouse-click detection with mouse pointer proximity screen recorder can easily uncover the graphical password.

3. Password Managers Stop Keyloggers

Myth or Reality: Myth Another way to avoid actual password typing is the use of a “password manager” or “password vault” software. Instead of typing the password into a form, the password manager automatically fills in the form with the correct password. The password manager stores the user’s password in a vault to keep fraudsters from accessing stored passwords. Password managers can be easily bypassed using keyloggers that reside inside the browser. While inside the browser the keylogger can see the password immediately after the password manager enters it into the login form. Keyloggers that reside inside the browser are also known as man-in-the-browser malware or malicious browser plug-ins. Browser plug-ins are very popular, both for legitimate uses (e.g. Google’s toolbar) and consequently, for non-legitimate uses (spyware and malware), piggybacking on the extensibility of the browser and the popularity of plug-ins. The browser plug-in technology grants the plug-in a lot of privileges, such as full access to the DOM (which is the internal representation of the page currently displayed), and subscription to browser events (such as “navigation”, “page load” and “form submission”). This makes it very easy for a malicious plug-in to get hold of the credentials. A malicious plug-in can access the credentials in the DOM, where they are injected by the password manager. Or, a malicious plug-in can wait for the submit event and capture the credentials during submission. Examples: • “Spy-Agent.ba” (McAfee malware description page) http://vil.nai.com/vil/content/v_139621.htm • (unnamed document) by Tom Liston, see bottom of page 4 to top of page 6. http://isc.sans.org/presentations/banking_malware.pdf Additionally, unless implemented very carefully and with security as its #1 goal, a password manager can turn out to be a security vulnerability in itself. This is due to the complexity of correctly identifying which form qualifies to be automatically populated. A phisher can exploit a flaw in the decision algorithm and present a form that will be automatically populated. The phisher can also include a Javascript code in that page that, once the form is (automatically) populated, reads the credentials and sends them to the phisher. The user in such case is kept out of the loop and the attack occurs automatically. Another concern with password vaults is the vault’s strength. If it can be easily broken, attackers would gain immediate access to all the passwords inside the vault. Examples for such flaws: • “Firefox vulnerable to Password Manager flaw”, Tom Espiner (ZDNet UK), November 22 nd , 2006 http://news.zdnet.co.uk/security/0,1000000189,39284818,00.htm

5 Anti-keylogger myths

• A two part article titled “Password Management Concerns with IE and Firefox” in SecurityFocus (by Mikhael Felker, December 11 th , 2006) discusses several classes of flaws in password managers: http://www.securityfocus.com/infocus/1882 http://www.securityfocus.com/infocus/1883

4. Keystroke Dynamics Stop Keyloggers

Myth or Reality: Myth Keystroke dynamics looks at the way a person types on a keyboard. Specifically, keyboard dynamics measures two distinct variables: "dwell time" which is the amount of time you hold down a particular key and "flight time" which is the amount of time it takes a person to move between keys. Research (http://avirubin.com/fgcs.pdf ) shows that each individual has a keystroke pattern that can be used to differentiate between the users. Keystroke dynamics authentication checks the user’s keystroke pattern, in addition to the password. If the pattern matches, access is granted. From security stand-point, keystroke dynamics is inherently flawed since it relies on a user property which can be measured and mimicked by attackers. An attacker can study the user’s keystroke dynamics and then replay or imitate them. Two ways of executing such an imitation include the following methods: a keylogger that sits on the user’s machine can record keystrokes, dwell time and flight time and then transfer this information to the attacker. Once the attacker signs into the website on behalf of the victim, the same keystroke dynamic is used. The second method involves a phishing website. The attacker can set up a phishing website that not only grabs the user’s username and password but also records the user’s keystroke dynamics using a very simple JavaScript code. The attacker can then use this information to sign into the real website using the correct password and the correct keystroke dynamics. Here is an example of how keystroke dynamics can be recorded via a simple web page (standard HTML+Javascript, tested with Microsoft Internet Explorer 6 and Mozilla FireFox 2.0):

Type some text in the following box:
<p>6 Anti-keylogger myths </p><p> onkeyup ="return record(event.keyCode,'KEY-UP')">

Your keystroke dynamics:

Moreover, there are several usability drawbacks to keystroke dynamics: • Keystroke dynamics require a learning period, in which the individual signature needs to be recognized by the algorithm. This usually requires numerous keystrokes. If only the password “signature” is needed, then about a dozen repetitions of password typing may suffice. This means that the user will either be required to type the password a dozen times during a dedicated learning session (which is intrusive and annoying), or the learning will occur during normal logins, i.e. be spread over several months (maybe even a year), during which time the user is still exposed to attacks (since the signature is not yet extracted). • The user’s keystroke dynamics may change in time (aging), or due to sickness (tremor), weakness, slowness (fatigue), and so forth. • The user’s keystroke dynamics may change due to a different input device (different keyboard). For example, using a different computer (cyber- café), or different keyboard layout (US vs. some European countries), using the user’s laptop vs. his/her desktop. • Keystroke dynamics, and biometrics at large, have a fundamental problem of revocation. That is, once the user’s biometrics are compromised somehow (maybe at the user’s side, maybe at the server’s side), it’s impossible to revoke the current user’s biometric signature, and assign the user a new signature.

5. One Time Passwords Stop Keyloggers

Myth or Reality: Reality (almost) One Time Passwords (OTP) replace the traditional static password. Websites that use OTP require that users enter a different password on each login. The user can get the password from a software installed on the computer (a.k.a. soft tokens), which is a hardware device that generates a new password upon request or on each time interval. Such new password is sent via SMS or email each time the user tries to sign into the website, or is provided as a scratch card to the user by the website. Theoretically OTP do block keyloggers. If a keylogger tries to log the user’s password, it would log the OTP which is useless on the next login. The attacker cannot use this information to gain constant access to the user’s account. The attacker can attempt to break the OTP algorithm and anticipate new passwords however most OTP algorithms are very forceful and cannot be easily broken. However, the attacker can use a very simple attack against OTP systems that do provide access to the victim’s account. This attack works as follows: when the user tries to sign into the website the keylogger logs the OTP and immediately sends it to the attacker. The keylogger also prevents the user from logging in either by stalling the connection or reporting an error and asking the user to retry. In the same time, the attack uses the OTP it received from the keylogger to sign in on behalf of the victim and perform fraud. The victim then tries to sign in

7 Anti-keylogger myths

again using a new OTP and succeeds. This attack can be executed each time the user tries to sign into the website. Thus the attacker gains constant, long-time access to the victim’s account, only without being able to control access times.

6. Keystroke Encryption Stops Keyloggers

Myth or Reality: Reality A totally different kind of solution against keyloggers consists of preventing keyloggers from capturing keystrokes (or at least, the “correct” keystrokes) by encrypting the keystrokes while they travel from the keyboard. Theoretically this is the strongest solution available against keyloggers. The keylogger is unable to read the correct password. The encrypted password is useless and cannot be used by the attacker to access the website. However, keystroke encryption solutions differ from one to another. Most solutions only encrypt traffic from the keyboard driver to the browser. When the traffic enters the browser it is decrypted and stays in the clear from this moment on. Thus an attacker can place a keylogger inside the browser (a.k.a. man-in-the- browser or malicious plug-in) and read the password after it has been decrypted. Rapport from Trusteer implements a more vigorous keystroke encryption using its patent pending technology. It encrypts the password at the keyboard driver level but decrypts the password outside the browser, at the network level, at the same place where the traffic is being SSL encrypted and submitted to the website. This generates an end-to-end encryption, from the keyboard and all the way to the website. A keylogger cannot read the password even if it resides inside the browser as the password is kept encrypted the entire time. Summary

Keyloggers are a serious threat which requires a tough solution. Many anti- keylogger technologies can be easily defeated by slightly more advanced keyloggers that are already in the wild. Virtual keyboards and graphical passwords can be easily bypassed using screen capturing. Password managers and semi-encryption technologies can be bypassed using keyloggers that sit inside the browser. Keystroke dynamics can be bypassed by keyloggers that log typing patterns. The only real solutions against keylogging are One Time Passwords (OTP) and end-to-end keystroke encryption. OTP allows the attacker to grab one-time-passwords and enter the account occasionally while end-to-end encryption provides a robust solution that genuinely protects passwords from stealth.

8 Anti-keylogger myths

About Trusteer Rapport

The Rapport Protection Layer from Trusteer takes a revolutionary new approach to consumer security by eliminating the root cause for all client-side attacks. The Rapport Protection Layer is a very "lightweight", small "footprint" application (330k) which requires no user interaction. Once downloaded, Rapport runs completely in the background, and effectively disables the "last mile" attacks which cannot be directly controlled by existing conventional applications on the desktop or by remote fraud-detection and authentication systems. Rapport protects against: phishing, pharming, keyloggers, man-in-the-middle, man-in- the-browser, and session hijacking attacks. www.trusteer.com [email protected] +1(646)247-5669

9