Internet Banking Security - feel-good fuz or the real-deal?

One of my banks recently upgraded their website. Apart from some issues with plug-ins, session timeouts, and secret questions, they also now use an on-screen keyboard to enter passwords.

I would like to say first that On-Screen keyboards are simply a waste of time and frustration for the user, and they are an unnecessary and costly implementation for the organisation. I will tell you why soon.

"Graham Cluley, senior technology consultant for antivirus company Sophos ... argued keylogging software can beat on-screen keyboards. Any keylogger is likely to be part of a more complex piece of spyware. That allows the hacker access to everything on your PC, such as monitoring the screen and mouse clicks. Similarly, drop-down boxes are not immune to hackers grabbing information from them." Original story here.


These are the steps that I have to take to get a new username and password, or if I've forgotton it:

1. Enter credit card number and pin
2. Select a username
3. Select a password with an On-Screen keyboard that has minimum 8 characters; not more than 2 of the same character in a row; at least one number; etc.
4. Re-enter the password in a second input box, with the On-Screen keyboard with the numbers jumbled in a different order
5. Select three secret questions from a drop-down list, and enter three unique answers

Then to log in, I have to enter the username and password, again with the On-Screen keyboard with the numbers jumbled; and I have to answer one of my secret questions.

A small price to pay, you might be thinking, to provide an extra level of security and make my password invulnerable to attack! Wrong. Firstly, forget the idea that just because someone can make a good argument sound convincing, that it is actually a good idea. Secondly, forget the idea that just because every bank in the world is taking steps to implement such devices, that "thousands of banks can't be wrong". I believe on-screen keyboards (and similar devices) are simply ways that web hosts make money. "Criminals are getting more sophisticated, therefore you have to pay us to upgrade your web site with an on-screen keyboard. Besides, Bank of Universe did it. Do you want to be held legally and financially responsible when someone breaks into your bank, and we show that it could have been prevented?". [Answer to rhetorical quetsions: "What? Banks financially responsible? Horror...] Thirdly, let me tell you why they will fail in any real attempt:

I would like to separate criminals interested in getting your account details into two groups:

1. Those who are doing a dedicated attack on an individual
2. Random script-kiddies exploiting worms / trojans / security holes who install a keystroke logger.

Now let me say that you have no hope of avoiding the first type of criminal. He could steal your wallet and credit card; he could install a hidden camera over your computer; he could tap your phone conversations; he could simply beat you up at night time for your money. No on-screen keyboard will stop this. (OK, to allay your concern, you do have a hope: that your criminal is not smart enough, dedicated enough, or willing to do any of these things. And in most cases, he is not.)

It follows therefore that the only criminal you can protect yourself from, is the opportunistic criminal, who downloaded some 1337 Warez, and who thinks he is a hxr.

Let me convince you that this type of criminal, for maximum yield, will most likely target the largest number of people he can. He would tire very quickly if he only targeted one person at a time, only to find Grandma's secret chocolate cake recipie; or a letter from Joe Taxidriver to the President on why children need more discipline. This means that his data will be thousands of pages long. "cool" he says, eyes glowing at all the random text, and then realises how much time this is taking away from Second Life, and very quickly your logged keys get forgotten.

Let's assume that his internet connection is down, and he has nothing else to do. He would still have to:

1. Randomly target your computer, exploit a vulnerability, and have the logger installed and running while you log into your bank.
   
2. Get the data back from the logger on your computer. Usually this is not sent straight to the criminal in question (unless he is dumber than usual) as the police would then be able to find where his computer is. So he sends it to another (perhaps compromised) machine that has no relation to him, but that he can log into and download the data from. This machine also has to be up and running, and the owner must not close the security hole before the criminal returns.
   
3. Randomly pick one out of the thousands of results that might be yours.
   
4. Find your username and password in a lot of text. This is not as easy as you think. The more data, the harder it is to find. Remember that you may type a few words in an email, enter a web address in your browser, make some notes on your toenail clippings, then enter your username and password, then go back to your email, etc.
5. Know where you used this username and password. If you use your mouse to click on a shortcut, then he can't get it from the keylogger data. He either turns to the next person, or tries to find out what your shortcuts are. Remember he is probably not logged into your computer, he is most likely analysing results, so he would have to get back into your computer and look through all your shortcuts, desktop icons, etc, until he found the right one. And just because he downloaded a program to automatically install keyloggers, doesn't mean he can a) get back to your computer and b) see your shortcuts.
   

It is highly unlikely that a great series of consequences would lead our criminal to this point. And if you want to make sure, there are some simple measures you could use to thwart him at the start:

1. Make sure your computer is up to date with the latest operating system updates. Whether you're using Windows, Linux, BSD, or anything else, they are all vulnerable to the programmer's mistakes. Update regularly.
2. Make sure you have installed a good firewall. Unfortunately, at the time of writing, Microsoft has never had a good firewall. If you can't afford one, at least use AVG Free [http://free.grisoft.com/] oh, and KEEP IT UPDATED!
3. Install Spybot Search and Destroy [http://www.safer-networking.org/] This will take care of worms, trojans, etc., that don't technically fall into the "virus" category. (and guess what? update it!)
   
4. For an extra level of security, make sure your computer isn't even directly accessible from the "big wide world web". Use NAT (Network Address Translation, look it up on google or wikepedia). If you have an aDSL router, that attaches to your computer with ethernet, then you're probably here already. If you have a dialup modem, or internal aDSL / ISDN card, then be careful.
5. Change your passwords regularly. And make them secure. This one gets bolded and italicised, because it is one of the easiest and most straight forward measures to take, and yet only the technically savvy seem to do it. How many of you use some combination of part of your name, birthday, city, or pet in your password? Even if your bank enforces on-screen keyboards, use some random words, or phrases, and characters (like !@#$%^&*;.,<>? etc.)
   
   If this is too much for you to remember, then write it down and put it in your purse / wallat. Remember, the dedicated criminal will be able to steal your purse with your money in it anway, so he won't care about some random words on a piece of paper. Make it look like a shopping list if you must.

Well here ends my rant about unnecessary security measures. I hope that you will petition your bank to remove farcical security, and let you get on with your life, instead of spending most of your time logging in.

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

-- Benjamin Franklin, 1759