Mervin Pearce, CEO of Security Audit and Control Solutions, a "white hat" or ethical hacking company, has given ITWeb freely downloadable software that recovers passwords obscured by asterisks or entered on keypads.
Pearce says his software monitors hardware keyboard strokes and queries the operating system for passwords entered on pinpads or passwords otherwise hidden by asterisks. He says it "is the easiest thing in the world" to drop password loggers, pinpad loggers or other Trojans on user machines and evade scrutiny or blocking. He claims he can "crack a bank's Internet access security" if they do not take added precautions such as providing one-time passwords.
One-time passwords, randomly generated and sent to the user via SMS or other means, are harder to crack, he says, because of their once-off nature. Banks have reacted to recent threats by providing PIN pads, anti-virus software (which recognises only known code) and firewalls (which are rejected by users and do not prevent a breach from inside). All this leads Pearce to say he has had "100% success in remotely cracking into organisations".
He recommends up-to-date anti-virus; a personal firewall; avoiding hacker sites and illegal software; not opening attachments from untrusted sources; avoiding suspicious attachments even from friends, whose addresses can be spoofed; ignoring unsolicited virus warnings from anyone other than a trusted provider; and not opening unknown links.
How it works
There are several ways to drop a Trojan onto a user's machine, says Pearce. One is to e-mail it and trick the person into opening the attachment, which appears not to execute but runs in the background. Alternatively, one can lure the user to a Web site where they download a link or are infected by hidden code on the site, or give someone an otherwise legitimate program on removable media with the offending .EXE embedded in it.
One specific Trojan he developed communicates to the installer that it has been installed, analyses the business logic of the company and intercepts information. One way to do so is to instruct the program to send piecemeal information, in order to avoid detection. One broker "lost" 302 confidential documents in this way, he says, some containing passwords.
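The piecemeal sending Pearce describes works because a size-only rule never sees a single large transfer. The following is an added example, not part of the article and not Pearce's software: a defender-side check that aggregates small outbound sends per host and destination inside a sliding window and alerts when their combined volume reaches what one large transfer would have tripped. The log format, hostnames, addresses and thresholds (SINGLE_TRANSFER_LIMIT, WINDOW, MIN_SENDS) are all constructed assumptions for illustration.

```python
"""Flag low-and-slow outbound transfers by aggregating small sends per destination.

Added example (not from the article): a per-host, per-destination sliding window
that catches many small outbound sends whose total would have tripped a size
threshold had they been sent at once. Log format and values are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records in the form "<timestamp> <host> <destination> <bytes_out>".
# ws-17 trickles ~2 KB at a time to one external address; ws-22 is ordinary traffic.
SAMPLE_LOG = """\
2004-05-12T09:00:01 ws-17 mail.example.com 4200
2004-05-12T09:00:31 ws-17 203.0.113.8 1900
2004-05-12T09:01:02 ws-17 203.0.113.8 2100
2004-05-12T09:01:33 ws-17 203.0.113.8 1800
2004-05-12T09:02:04 ws-17 203.0.113.8 2300
2004-05-12T09:02:35 ws-17 203.0.113.8 2000
2004-05-12T09:03:06 ws-17 203.0.113.8 1700
2004-05-12T09:03:37 ws-17 203.0.113.8 2200
2004-05-12T09:04:08 ws-17 203.0.113.8 1900
2004-05-12T09:05:00 ws-22 intranet.example.com 1500
2004-05-12T09:06:00 ws-22 intranet.example.com 1400
2004-05-12T09:30:00 ws-22 203.0.113.8 1000
"""

# Assumed thresholds; tune to the environment's normal traffic.
SINGLE_TRANSFER_LIMIT = 10_000   # bytes: a naive rule alerts only above this
WINDOW = timedelta(minutes=10)   # how long small sends are accumulated
MIN_SENDS = 5                    # small sends needed before the window counts


def parse_log(text):
    """Parse constructed flow lines into (timestamp, host, destination, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, size = line.split()
        records.append((datetime.fromisoformat(ts), host, dest, int(size)))
    return records


def naive_alerts(records):
    """The size-only rule that piecemeal sending is designed to slip under."""
    return [(h, d, n) for _, h, d, n in records if n > SINGLE_TRANSFER_LIMIT]


def windowed_alerts(records):
    """Aggregate small sends per (host, destination) inside a sliding window.

    An alert fires when the window holds at least MIN_SENDS records whose
    combined bytes exceed SINGLE_TRANSFER_LIMIT, the same volume a single
    large transfer would have been caught at. Returns one alert per pair.
    """
    windows = defaultdict(deque)   # (host, dest) -> deque of (timestamp, bytes)
    alerted = {}
    for ts, host, dest, size in sorted(records):
        key = (host, dest)
        q = windows[key]
        q.append((ts, size))
        while q and ts - q[0][0] > WINDOW:   # drop sends older than the window
            q.popleft()
        total = sum(n for _, n in q)
        if len(q) >= MIN_SENDS and total > SINGLE_TRANSFER_LIMIT and key not in alerted:
            alerted[key] = {"sends": len(q), "bytes": total, "first": q[0][0], "last": ts}
    return alerted


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("size-only rule:", naive_alerts(recs))
    for key, info in windowed_alerts(recs).items():
        print("windowed rule:", key, info)
```

Run as-is, the size-only rule reports nothing, while the windowed rule flags ws-17 to 203.0.113.8 after the fifth send (10,100 bytes in about two minutes). In practice the windowed counts would be paired with a destination allowlist or reputation check, since the same pattern also occurs in legitimate chatty protocols.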
A bank responds
Louis Lehmann, Standard Bank Computer Security spokesman, says the risk must be viewed in its proper context. "Firstly, the technology available to monitor keyboard strokes is much more prevalent than technology capturing passwords entered on software-based PIN pads. The risk is therefore immediately and greatly reduced.
"Furthermore, the process to compromise PIN pads is quite complex, involving having to capture both asterisk-hidden passwords and soft-keystrokes. A hacker must write Trojan code, which is normally .EXE-based, and somehow get this on the target device. Most anti-virus software will pick it up, and people generally know not to open executable files from untrusted sources.
"Lastly, firewalls made available to Standard Bank customers will further reduce risk. Therefore, the compensatory measures from the bank mitigate the risk a great deal more than people realise, and in a telephone conference with Mr Pearce last night, he concurred that this is the case. Standard Bank is not sitting back and realises that in time, breach methods get smarter. We have the proper controls in place for current risks."