Here is a strange one via Pamela Dingle's eternal optimist:
How girl, 6, hacked into MP’s Commons computer
I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…
This kind of dongle plugs in between the keyboard and the computer. So there is one simple solution: don't type in secrets that could allow someone to gain access to your accounts.
My view:
- CardSpace self-issued cards ( based on public key technology) and managed cards backed by a self-issued card or certificate would both be immune to this attack – assuming no physical access to the computer itself.
- Normal Kerberos login would be vulnerable.
- Username / password IdP's could be protected from this attack through use of the additional per-card secret described here – assuming non-InfoCard password access was not supported.
- One time password (OTP) systems would be unaffected.
BTW, I now have OTP integrated with my own managed card demo code. When used with CardSpace it has very nice security properties because the channel from CardSpace to the IdP is encrypted using information in the managed card and the password can never be reused.
A number of online banks (notably ING Direct, although I suspect others) have addressed the keylogger issue by using a hybrid authentication system. Basically, you enter your login in cleartext, but enter a PIN based on a variable mapping between numbers and letters. It shows the user a map based on a phone keypad that mapp 0-9 to a different letter each login. Eg, if my PIN were “1234”, then I might enter “KBSE” one time, and “JHNS” another time as the mapping changed. A keylogger alone would be worthless; without the map (displayed once only) there's no way to make sense of “KBSE” or “JHNS”.
In other words — there are creative ways to get around keyloggers. It's just another moat (or another alligator in the moat), but can be useful to a Cardspace security solution.
Keep up the good work!
PS – saw you at the Internet Identity Workshop last fall and just now got around to installing CardSpace. Very happy to see the Cardspace/OpenID convergence move happening.
Hi David. Yes, good idea. I've also seen an amazing 3D approach from the University of Ottawa that I'll write about when I have a moment.
I am making available a service that let's you log into “username/password” websites using one-time codes. Looking for feedback 🙂
Best Regards,
Andreas
forgot to give the link: http://kyps.net