A Time Line and a Line in the Sand
If you're still in doubt about how long key loggers have been actively deployed to steal data, you could start by checking www.keylogger.org.
At least as far back as 2004 they were an active topic of concern in IT security.
Earlier this year IC3 issued an alert against Chinese Account Takeovers (pdf).
Various online reports continue to add to the growing body of evidence of the problem:
The FBI has for a long time told us not to do banking from any terminal connected to our networks, but even that advice is badly dated as too often key loggers arrive via drive-by downloads. The proper advice should be not to do online banking on a computer connected to the internet - in other words: don't do it at all.
Consumer Reports recently also added to the bad advice by repeating some twenty-year-old advice on creating long and complicated "strong" passwords, which dates back to the times when people thought passwords would be stolen by either guessing or remembering them. Then for a while we thought they would be cracked by some computer trying all combinations, still oblivious to the fact that it was much easier and quicker to surreptitiously install a key logger and send the data over the internet to someone who has good use for it.
Meanwhile, if you search on ACH fraud and follow the lawsuits, and also study the recently updated FFIEC guidance, it is clear that the sad list of court cases, along with that recent guidance, creates some clarity where we can draw a line in the sand.
Evidently, banks can and should do more, as they are already doing in some parts of the world. But some parts are clearly to be done on the client side, and preventing key-logging is one of them. If you study the various court cases, you would have to realize that installing GuardedID®, which is essentially a conclusive solution to the problem, also allows the bank client to draw a line in the sand: if there were then to be an issue with an account takeover, the client can at least present prima facie evidence that the breach most likely was not on their side, and thereby make it harder for the banks to defend their existing security as somehow adequate. That defense is becoming shaky, right along with some renewed judicial interest in the difference between satisfying regulations and following best practices in security.