Full Disclosure: re: Most common keystroke loggers?

From: Frank Knobbe <frank_at_knobbe.us>
Date: Fri, 02 Dec 2005 11:35:16 -0600

On Fri, 2005-12-02 at 10:18 +1100, mz4ph0d_at_gmail.com wrote:
> That would at least stop two of those problems, those being
> basic keylogging, and screenshots of the hotspot on click.

Why wait for a click? The attacker can just record all screen activity
in an AVI file and upload that. No need to wait for clicks.

Other options would be audible passwords, but the attacker could also
record all sound.

There might be optical effects tricks that could be employed that play
on things like the latency of a retina or whatnot. Flash a series of
random numbers on the screen while giving one number a bit longer time.
The pattern might appear to the human eye like that number, while it
*may* defeat screen recordings. (frequency of display changes and
attacker recording screen data would be the same for the attacker to
interpret the visual effect exactly like the user).

At the end of the day, one-time-passwords for login *and* transactions
are probably the only real solution to prevent replay and mitm attacks
(the latter using OTP hashed transactions).

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Received on Dec 02 2005
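
The one-time-password approach from the message above, as an added example that is not part of the original post: a counter-based login OTP (HOTP, RFC 4226) plus a transaction code whose MAC also covers the payee and amount, so a code captured by a keylogger or screen recorder cannot be replayed or reused for an altered transfer. The sample key, account identifiers, message encoding and the `Verifier` class are assumptions made for illustration; the message does not specify a construction.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC value to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hotp(key: bytes, counter: int) -> str:
    """Login OTP: HMAC-SHA1 over the 8-byte counter (RFC 4226)."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest())

def transaction_otp(key: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction OTP: the MAC also covers payee and amount (assumed encoding)."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())

class Verifier:
    """Server side: each counter value is accepted once, then advanced."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def _accept(self, code: str, expected: str) -> bool:
        ok = hmac.compare_digest(code, expected)
        if ok:
            self.counter += 1  # burn this counter so the code cannot be replayed
        return ok

    def check_login(self, code: str) -> bool:
        return self._accept(code, hotp(self.key, self.counter))

    def check_transaction(self, code: str, payee: str, amount_cents: int) -> bool:
        return self._accept(code, transaction_otp(self.key, self.counter, payee, amount_cents))

def demo():
    key = b"12345678901234567890"  # constructed sample key (the RFC 4226 test key)
    server = Verifier(key)
    login = hotp(key, 0)
    first, replay = server.check_login(login), server.check_login(login)
    code = transaction_otp(key, 1, "ACCT-1001", 12500)  # user approves this transfer
    altered = server.check_transaction(code, "ACCT-9999", 12500)  # payee changed in transit
    genuine = server.check_transaction(code, "ACCT-1001", 12500)
    return first, replay, altered, genuine

if __name__ == "__main__":
    print(demo())
```

A production verifier would also need a look-ahead window for counter drift and a lockout on repeated failures, both omitted here.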