Hi Guys,
I have been reading the forums for a while and know that it's best not to type information into insecure PC's. HOWEVER, I am planning to travel early next year and need to work out the best/safest way to access a bank account to check funds and transfer money. Keepass 2 looked to be the answer, but needs .NET to work, which I cannot be sure will be installed. So how can I make myself as safe as possible to beat keyloggers etc.
Any help please.....I need to find the safest solution possible. Not using public PC's is not an answer.
Cheers, and thanks.
Richard
Visit the Community page
Join our forums
Subscribe to our email newsletter
Subscribe with RSS
Follow us on Facebook
Follow us on LinkedIn
Follow us on Twitter
Follow us on Mastodon
Follow us on BlueSky
Keepass 2 better than Keepass 1 ?
I know Keepass 2 is the newer version but I think Version 1 is pretty good too.
And against Hardware-keyloggers, there isn't anything you could do anyhow
"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate
You can use the virtual keyboard to get around hardware keyloggers. And copy/paste from KeePass into a browser to get around em a bit. And ClamWin to scan for viruses/malware that may log.
Sometimes, the impossible can become possible, if you're awesome!
Having been to the keepass site I came accross the following.
Which is the thing i was referring to.
Richard
--
Is Auto-Type keylogger-safe?
KeePass 2.x Only
By default: no. The Auto-Type method in KeePass 2.x works the same as the one in 1.x and consequently is not keylogger-safe.
Anyway, KeePass features an alternative method called Two-Channel Auto-Type Obfuscation (TCATO), which renders keyloggers completely useless. This is an opt-in feature (because it doesn't work with all windows) and must be enabled for entries manually. See the TCATO documentation for details.
Linux Live Disc, all the way
Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world
but it might be hard convincing the Guy in the internet-cafe to let you reboot the PC. And it wont help against hardware keyloggers.
I didn't know Virtual Keyboard would help against them either.
"What about Love?" - "Overrated. Biochemically no different than eating large quantities of chocolate." - Al Pacino in The Devils Advocate
Copy/Paste is as easy to log by keyloggers/spyware as is logging what you type.
Not all keyloggers trap the clipboard. And I think some do it based on CTRL-V so right-click and paste would get around it.
Sometimes, the impossible can become possible, if you're awesome!
I still need to find a usable way of gaining access to accounts....
Could I use a portable scanner (any suggestions) to look for software keyloggers and then if that is clear use Johns idea of copy and paste to beat hardware systems???
Thanks for your suggestions.....
Keep them coming
Richard
If you can't trust the machine, you can't trust the machine. There's not much you can do about it.
Someone who has physical access to the machine (e.g. the Internet Cafe's owner) can do all sorts of things to it, from hardware keyloggers to various low-level monitors. Even booting with a LiveCD wouldn't get around a hardware keylogger (though copy and paste, or an on-screen keyboard, would be a fairly decent workaround against a hardware keylogger).
John mentioned ClamAV Portable, which can scan for lots of things. I believe to be most effective it needs to run as an Administrator, which might be problematic especially for spy programs running at the deepest level in the operating system.
Your best bet is to use only the machines you trust most for your banking. Or get your bank to use something more secure than a reusable password, whether it is some sort of token or a challenge response to your cellphone or whatever. There are lots of ways to do it that are fairly good, and most don't involve asking you for your first grade teacher's name, which in any case is reusable.
MC
where will u work?
on computer in company or netcafe or where?
most save way would be u make a bootable usb or cd with linux, and on it wine for emulating net framework and boot u r own os.
or maybe u think about to buy a very cheap and small pc like eee and use this for u r work, which u can plug via rj45 or wlan in most webcafes, hotels and and and....
think about alternatives to the systems in your environment
when u plug ur drive and enter some confidential passwords, specially from bank there is always a risk to get sniffed. take care u use the real bank site by checking the certificate when u go on bank sites from other countries because of phishing and bad dns servers.
A single death is a tragedy; a million deaths is a statistic.
There is a KeePass add-on called KeeForm that will fill in the fields with the appropriate entries that does NOT use the copy/paste method. It is more secure than the autotype method and is easy to use.
KeeForm is compatable with KP1 and 2.
I think that you might look into using a flash drive called IronKey, which you can find at https://www.ironkey.com/, and/or YubiKey (http://www.yubico.com/), a one-touch USB key that lets you log into a web site (banks, forums, web-mail, etc.) if that site accepts the YubiKey. You can load PortableApps and KeePassPortable on the IronKey, and by using the built-in Firefox browser with Secure Sessions turned-on, bank securely, and even use copy-paste, and ScreenKeyboardPortable too, to enter your IDs and passwords until the IronKey does it automatically in the future. It's pretty hip. Try it.
This is unrelated to the current topic as neither of these do anything to beat keyloggers or other compromised PCs. IronKey does nothing to thwart keyloggers. And Yubikey doesn't work with most sites, so you're still just submitting a password. You're just as vulnerable.
Sometimes, the impossible can become possible, if you're awesome!
Would it help to defeat hardware keyloggers by taking along your own soft silicone keyboard? Curious to know and would appreciate any feedback on this.
Seem small and compact enough to carry that it is not an issue.
It'll still send the same key signals, which is what are detected.
I am a Christian and a developer and moderator here.
“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1
So is this saying that if I take along my silicone keyboard and plug it USB that a hardware keylogger will still log the keystokes? I thought that hardware keyloggers were a physical device between the USB port and the USB keyboard cable. Any keystokes on a different USB keyboard would not be logged true?
OR are there numerous other hardware keyloggers that are not at the USB port / USB keyboard junction ?
I would think that you could be reasonably safe with a USB silicone keyboard and a copy paste method described above to beat software keyloggers. Hmm or not!
I'm not too familiar with hardware keyloggers (or software for that matter) but there are three places it could be: inside the keyboard, between the mobo and the keyboard, or inside the case. The best ones would be inside the case and work independently of the OS, and record so long as there's power.
And this goes back to my abstinence theory and analogy. The best way to beat a hardware keylogger is to not use the machine.
Actually it's the only answer.
Think of it like sex. You're you and the public computer is your prospective partner. We won't get into what your flash drive is. With information security, much like sex, most folks just jump in and if something goes wrong they deal with it as it comes. And like there are a lot of threats out there (hardware keyloggers, software keyloggers, rootkits, stuff you might not know about), it's the same for the other as well. STDs, guilty feelings, the possibility of pregnancy.
Ergo, the only surefire way to stay safe is to not take the risk. If you take the risk, no matter how many precautions you take, there's still a risk, however small. Especially with information security. The dishonest stay a few steps ahead of, well, if not always the honest, at least the self-righteous. Have the RIAA had a single major victory over piracy? Aren't they still going after Kazaa as if anybody uses it anymore? So if they really want your personal data, they're gonna get it.
And, even though it fits, sorry for the crude analogy. I've been watching House.
Saw a comment above about not been able to reboot a machine. What about Ubuntu Portable Ap OS. You can install to a USB or SD Card and run from within Windows. Gets you around software loggers true?
Like most things in security, it's a yes, but. Booting into your own OS will get you around any software keyloggers installed on the PC's OS. But it won't get you around hardware keyloggers. And most public PCs are configured so you can't boot from CD or USB.
Sometimes, the impossible can become possible, if you're awesome!
The first thing you need to know is what threat you want protection against. If the NSA or the KGB are after your password, then a laser beam pointing at the glass of your home's window can act a microfone detecting the sound each key in your keyboard does, and as each key has a slightly different sound, it acts as a key logger. I've also read about methods to see your screen from a van parked in front of your house. And, no, it's not science fiction, I've read about this methods, or at least the possibility of developing them from serious sources.
But then again, if it's just a normal cracker/script kiddie who is not specifically against you, but just hunting for anyone to hack, crack or rob, then you need to remember "You don't need to be faster than the fastest lion, just faster than the slowest gazelle"
Now, assuming the NSA isn't after you, you're expecting just a bunch of normal threats:
1) Software "input loggers" (might be logging keyboard, clipboard, and even mouse movements).
2) Hardware keyloggers. Same stuff but done in a chip between the input source and the motherboard. This can be a little device on the wire of the keboard (but inside the casing) or between the USB plug and and the USB socket, or inside the computer's casing between the motherboard and the USB socket (specially the ones at the front of the box, removed from the motherboard)
3) Sniffing (reading everything you send over the network), DNS poisoning (making the DNS take you to a clone of the bank's page instead of the real one) and a million other threats from outside the computer where you're working.
With a good clean, trusted browser (e.g.: Firefox Portable) and a decent banking page, plus a bit of user education (should I have said "user" or "your, sir"?) number 3 should not be anything to fear, at least not any more than from home.
Using a clean operating system, such as a bootable USB or a Linux Live CD, protects you from anything that's software on the computer you're at. But it's difficult to get the CyberCafé owner to let you use one of those. After all, for all he knows, you might be the one who's trying to install a keylogger on the computer.
Trying to detect keyloggers and the like is never going to be 100% safe because there is always going to be some software that your soft can't detect (though it might be safer than just typing without even checking).
About hardware... you can't do anything about it, except use another computer.
So, no, again, you can't outrun the fastest lion.
But if you really must use homebanking from a public PC, you can make it hard for them to get your key. A simple but rather efective way to do this is:
Open a web page with content that is continually changing, or chat for a while with a friend.
Then copy by selecting with the mouse + right click + copy one letter from your password at a time and then paste it in the password box, again with the mouse. Do this out of order. i.e.: if your password is AbCd, find a "C" on the page/chat/whatever and paste it. Then a "b". etc. It takes time and a lot of focus to do it right, but it's really makes it hard to get your pass.
Notice that someone logging what you type would know what page you used, by tracking your mouse they would know how much you scrolled, and where you copy-pasted, and by tracking your clipboard they would know what letters you copied. And they could also be using something similar to pcAnywhere or VNC (but clandestine, like sub7) to make an .avi of everything you do during your session.
But you do realize any of this would be a lot harder for them than you just typing your password for the keylogger to record. So with that, you'll probably be "safe enough"
Someone suggested asking the bank to provide a token.
A token is a little thing the size of a pendrive with a button and a screen. When you press the button it gives you a number (like 6 digits) that you need to type together with your password and is only good for one minute or some other similarly short time. Let them log the number, in 30 secs it's no good anyway. That would considerably improve on the security level, but I don't know if you'll find a bank that uses that for "normal" accounts. (There are still ways around this, but not anything a script kiddie in a cybercafé will have).
So there you have some panorama of what tricky ground you're treading with this. Welcome to the fascinating world of IT (un)security.
Regards:
Wences
I agree about the bank, except I think it is critical that banks -- and the Internet as a whole -- get away from reusable passwords.
It feels like the bank's current strategy is to use Javascript to erase the password you carefully had your home browser save in a password-protected security device, and making you tell it your first grade teacher's name (or some other information "only you would know") every couple of weeks. The first just makes it more likely you'll have a weak, memorable password, or write your strong password on a piece of paper stuck to your computer. In other words, it's not really making things better. The deal with the first grade teacher's name is that it is reusable. It is also researchable, if you use the real name. Those make it very weak. In other words, the things the banks are doing to make you THINK you are more secure are actually making you somewhat less secure.
Reusable passwords are becoming a really weak link, and not just for banking. It's time to graduate the whole Internet to the next level of access control.
Now if I could only patent it and convince everyone to change, I'd be in good shape.
Note that doesn't solve some of the other problems of keylogging, like getting personal information, account numbers, etc. It just prevents the keylogger from getting a reusable password. But it would be a start.
MC
If you just have web sites that require login details you can use Roboform or SignUp shield to store the login details in an encrypted database and enter these details into the web forms in a secure manner. They both provide one-click-logon to web sites such as banks and web-based email with having to type anything (except a Master password). Free versions of these apps are limited to 10 entries.
Although these store personal details in an encrypted database in a manner similar to KeePass they only work with form-based web sites, whereas KeePass will function with any Window requiring input. The portable version of Roboform (Roboform2Go)is my preferred tool as it accommodates FirefoxPortable as the preferred browser.
I use KeePass as the database to store EVERY personal detail, Roboform for web-based login details.
porteri, I would be very grateful if you would explain why you need Roboform... I thought KeePass could do web logins as well.
I use Roboform over KeePass only for web logins; ironically I used KeePass to login into this forum.
Reference to KeePass refers to v1 and applies to KeePassPortable.
Firstly: Depending on the application, keyloggers can capture keystrokes, mouse movements, the screen and clipboard entries, so all these should be assumed to be in play on the untrusted computer. The keyloggers are usually idle during inactivity and start the capture process when there is keyboard or mouse activity. So, to minimize capture we should minimize these actions and this can be achieved by using single-click launching.
KeePass:
KeePass launches the default browser, usually IE, when selecting the URL. This can be overridden by the {FIREFOX} parameter but it only applies to an installed copy of Firefox, not FirefoxPortable (unless you specify the {CMD}parameter and enter the path to FFP, but this does not handle the changing drive letter associated with USB drives).
The auto-type feature uses the copy-paste method to the clipboard. Even with the security features which apply to the clipboard (single paste or clear after specified time) the data can still be captured. Using the KeeForm plugin overcomes this issue by providing single-click functionality and uses a direct paste method, but it only works with IE, not Firefox, and entries have to be configured to use it.
Finally, all entries have to be manually entered into KeePass.
RoboForm:
Purpose built for web page entries it provides single-click functionality. It lets you select the preferred browser (default, IE, Firefox or FirefoxPortable) and will launch the preferred browser automatically, then fill in the fields.
Auto-fill uses a direct paste method and can be used for any fields, ie credit cards, personal details, login details etc.
When entering the passphrase to unlock the database, a built-in soft-keyboard is available which pastes directly into the application.
Automatically saves the data from forms into the database. Fill-in the form (on a trusted computer) and select save. The URL and all fields will be saved into the database. No manual entry required.
Can synchronize between installed and portable versions easily.
A couple of issues do exist with respect to portability: RboForm2Go copies data to the temp directory and removes it upon correct closure. It does leave some files behind but these do not reveal anything except that it has been used. I use Portidy to remove these. The second issue is that it prefers to be in the root directory of the USB drive. It will work in lower directories, eg \PortableApps\Roboform, but will not automatically update.
To summarize: I use KeePass frequently on trusted computers, but for untrusted computers I will use RoboForm for the extra security.
Cheers,
Jeff.
Thanks Jeff for the detailed reply.
Isn't it a shame that KeePass hasn't been enhanced to do the same as RoboForm or that RoboForm can't be used to keep the information you keep in Keepass? Seems to me they both do similar jobs and it would be easier to handle if one could just use one or the other... or have I not fully understood?
Cheers,
Roger.
get the Texter utility and for every key on the keyboard, say to type a different key. That way, while the keylogger will get the key you really typed, wherever you're typing it into will get the key that you actually wanted, thus thwarting any attempt to get your password using this method because you didn't actually enter your password.
It takes some getting used to, but you can always make a paper keyboard with the actual keys that you are entering, but not in an obvious way, so that anyone who got access to that paper couldn't get your personalized keyboard.
For example, you could substitute the a key for the letter x, and then on the paper, where the a key should be, you write 24 (x is the 24th letter of the alphabet.).
Again, it takes some getting used to, but it is, as far as I know, the best solution.
Nothing is as it appears...or is it?
Wouldn't help much. If someone's out to see what you type, they will certainly see it. Not to mention how much of a nuisance and an unnecessary headache it would pose. Also, this thread is several years old now. Need custom, keylogger-free keyboard? From what I've read thus far, Neo's SafeKeys keyboard version 3 is the best program in that realm. It does what you suggest, but on a whole new level. http://www.aplin.com.au/
Understand that whatever info you type into a form and send over internet, it can be intercepted and seen in a variety of places along it's way. The same goes for data that is transmitted back. And your unsecured cookies, even if you login via https page. And so on and so on.
Afraid of loggers? Afraid of cameras behind your back? Afraid of TEMPEST attacks and monitoring? Afraid of forensics checking out your hard drive? Fear not! Use Tin Hat Linux, Tinfoil Hat Linux, or anything from that family...
Sarcasm? Yes. But I didn't make them up...
http://en.wikipedia.org/wiki/Tin_Hat_Linux
http://en.wikipedia.org/wiki/Tinfoil_Hat_Linux
My posts are old and likely no longer relevant.
If you're going to go through the trouble to make a false keyboard layout using something like texter, you may as well set each key from another (already existing) layout (e.g. Dvorak) to type the key from your layout (e.g. QWERTY), then you could still look at the keys on the keyboard if you aren't sure where a specific character is, and still get as much security as your way, you'd just have to remember to switch to the right layout before starting Texter, and put it back when you're done (most people don't like it when their keyboard layout is unexpectedly different).
(though as was stated by dboki89 there are easier solutions that supply better security if you don't mind paying a little money.)
~3D1T0R
Ummm, as I understand, the problem lies within the entering of the password. So a possible idea could be to take your own copy of firefox on a stick, with all the passwords needed allready saved within. Thus you wouldn't have to type them in any more, just click login where you want to login. To keep the stick save from being stolen, you could also encrypt it with TrueCrypt Portable.
But I guess this solution also comes with problems, which are:
1) The whole copy of firefox could secretly be copied, together with all your login-data. -Is there some kind of portable firewall that monitors every action regarding my USB Flashdrive and can block some?
2) Saved Passwords can be easily read out through: Settings / Security / Saved Passwords. Thus a potential attacker wouldn't even need to copy the whole program. -If this function could be protected with some other password this issue would be solved.
3) Firefox won't let you save Bank-Account-Passwords or your Paypal password. -Can this be changed somewhere within firefox' options?
Problem lies in this - keyloggers can (or at least should be able to) see entered data even if it's auto-typed by some ordinary program. When you click your "login" Firefox just auto-types your password for you, practically the same as if you entered it yourself.
1) Such "portable firewall" isn't possible and can not exist on current versions of Windows.
2) Yes, that other password is called Master Password, and it already exists in Firefox. Other than that, the passwords can be read even without launching the program, unless you use a Master Password.
3) Works For Me.
My posts are old and likely no longer relevant.
@dboki89: FireFox's built in AutoFill feature does not "auto-type" anything, it is completely self-contained (no data leaves FireFox), thus it would be completely invisible to your average run-of-the-mill KeyLogger.
(I suppose it might be possible to write a program specifically for the purpose of logging AutoFill information from a browser, but it would be very difficult [especially in FireFox's case, since it's entire GUI is XUL based], and you'd have to find a new way to capture the AutoFill data from each of the major browsers, and people would probably notice and patch the security breach, so you'd have to constantly be finding new ways to capture the AutoFill data from each browser.)
@Xevailo: Using a Portable Browser (e.g. FireFox, Opera, Chrome, or MaxThon) should prevent your average KeyLogger from picking up each individual Password as you type it into the site it's for, however as you pointed out this solution isn't perfect either.
My responses to your 3 issues with this solution:
But then (with a Master Password) you still have to type in a Password (to be able to access the others), which gets us back to what's discussed in the rest of this thread.(○
•:)≡P.S.
@ anyone who has access to fix these: The short urls for Opera, Chrome, and MaxThon, are 404 pages, could URL Redirects be added to point these to The Proper Locations.
~3D1T0R
Right, Master Password encrypts stored passwords, otherwise they are stored in plaintext. It was implied in above post.
You're also right on auto-type vs. autofill. Auto-type is intercepted by keystroke-capturing keyloggers, and autofill can evade these. But think about DLL injecting loggers (
That's without adding that loggers come with screen-scraping options, making a screenshot every X seconds. Without mentioning that you're using a STRANGER's computer, on a STRANGER's network. Network admin could monitor and log all web traffic, MitM attacks are likely (and easy for the admin via ARP and DNS poisoning), malware infecting your portable apps is also an option... Loggers are just a part of the puzzle, and very successful at that.
SetWindowsHookEx(whatever)). These can intercept autofills and virtual keyboard presses, and if implemented in a serious enough manner, even my lovely drag'n'drops. If a simple autofill was able to trick keyloggers, that would have been great. Then such advanced tools like Neo's SafeKey Keyboard would not have existed, above-mentioned OSes would not have existed, and cybercriminal would be non-profit.Please don't take this personally, 3d1t0r, I appreciate all your corrections.
Xevailo, what I'm trying to say is - Don't trust that the PC is clean? Then don't insert sticks with confidential data. You are not and can not be secure from misbehaving admin and/or malware just because you're using PortableApps...
My posts are old and likely no longer relevant.
Just to finish up, a year later...
For xferring funds, you might want to go into a bank (a branch of the recipient or of the source of funds). Why bother doing that on the net if it can be done directly... If you're going to be doing a lot of xfers, then set up a separate temporary account and move money to it in advance and then use only this account with online access from a café. Anything goes nuts and a call to the bank will xfer everything back to your real account. But you must set this up in advance.
For a general idea of whether your funds are disappearing in unexpected or unauthorized ways, the Yodlee (viz: Mint; Overview; etc) accounts view on-line _does_ expose info about all of your accounts (at least those you've entered - doesn't need to be all of them). So what if someone breaks into that site - your account information is available to anyone with your account numbers from checks or credit card receipts. Even if they see you have a delicious balance at several banks, there's nothing they can do to xfer or withdraw funds. Not an option with Yodlee.
So set up your checking account and accounts for those credit cards you'll be carrying and use one of the Yodlee powered services to check while you're on travel (your bank probably has one of its own). If anything goes wrong here, you have some guarantees that you simply can't avail yourself of if you've gone into your account directly from a web café. You've used qualified service access that guarantee privacy, after all.
Hope this helps.
This sure has been a useful thread for me (and my banker).
carls