Tuesday, September 02, 2003

Secure Web Sites versus keystroke loggers

So how do you create a website that is safe from keystroke loggers when the user may be using a public terminal that you cannot secure? So far my bottom-line conclusion is: you can't. (The underlying assumption is that you don't wish to require millions of customers to buy special hardware such as a security token.) If an infiltrator can install a software keystroke logger, they could just as easily install their own version of the browser, and with it any subversion they wish.

But what could be done to make things more difficult?
A virtual keyboard for entering a password (click the keys with the mouse)? This would help, unless the infiltrator is intercepting GUI events and can decipher which characters the mouse clicks correspond to. It would also be exposed to a video camera looking over the shoulder.

One-time passwords? Every time you log on you are provided with the password to use next time. Although that would work (mostly), it wouldn't be very popular: customers would forget.

Mouse-based signatures. There is new research on this from the UK suggesting that mouse ballistics could work well as a 'signature'. One would have to devise a means to use it from a web application.


What do you think?