Saturday, March 24, 2007

Keyloggers in Action

Last week, our CTO, Helmuth Freericks, showed me a demo of "All-In-One Keylogger" - one of the technologies he is using to test our new VirtualATM secure banking software.

Unlike hacker-built software, this technology was built by RelyTec to enable forensic tracking of suspected criminals, and it has a lot of well-engineered features. However, that doesn't mean that hacker-built technology is inferior in any way. To the contrary, given the rapid growth of involvement in hacking by organized crime, I suspect the illegal keyloggers may be every bit the match of the code built by RelyTec.

All-In-One Keylogger has some powerful features, including the ability to capture any text entered in a web form (including your name, social security number, date of birth, mother's maiden name, and anything else) and a screen-capture capability that is designed to capture a screen shot every time you click your mouse (goodbye virtual on-screen keyboards).

Inspired by Helmuth's demo, I bought a copy, and this weekend, I put All-In-One Keylogger to the test against the top ten online US banks, and, for good measure, Green Border's product, and the products of several brand-name security companies. The results were extremely sobering.

First, I went to and downloaded a list of the top 150 US banks, by asset value. Then I launched the keylogger and went to the top ten sites. AIO Keylogger captured not only every character of text entered at each one of these sites, but a screenshot of every single textbox in every single form of every single banking site visited.

Consumers, if you have accidentally been infected by a keylogger, you are 100% vulnerable, on 100% of the online banking sites I visited. Like the criminal versions of keyloggers, all I needed to do was click the "email me this log" button to get the data sent to an email address of my choosing.

Here's an example of the text that was captured, using the "textual log" function. It includes the name, social security number (if you know the site's layout already, and trust me, hackers do, it's relatively easy to figure out that the first nine numbers after the name are the SSN).

This info, plus date of birth, which is just down the page, really is good enough for just about any criminal. But as if that wasn't easy enough, the keylogger includes an additional screen-capture capability. Here is just one of the screen shots taken by the keylogger:

I ask you to pause at this moment and imagine a room filled with cubicle-inhabiting database entry clerks, turning emailed screen shots like this one into database entries.

Imagine the sheer amount of data that could be captured every day, from the millions of credit card and Internet stock trading and bank account application forms and tax filing forms - and even government license or regulatory forms - that exist on the Internet. Now imagine that data under the control of a well-organized criminal gang.

Since the beta release of VirtualATM, the Authentium R&D team has, under Helmuth's direction, been using keyloggers to demonstrate how unsafe the online credit card / tax filing / checking account / driver's license application process is to consumers, and, conversely, how much safer that process is with VirtualATM.

So far, with respect to keyloggers, the VirtualATM approach has outperformed every other product or technology on the market, including the antiphishing protection technologies recently introduced by the name brands, and our innovative friends over at Green Border (who incidentally deserve a ton of credit for trying to solve this problem).

Our hope is that by this time next year, you'll be able to use the VirtualATM technology to file your taxes, send your accounts to your accountant, pay your bills, buy a car at auction, and bank safely online.

By the way, before I sign off, here's a screen shot of the All-In-One Keylogger in action against a live Authentium VirtualATM banking session (this is a 100% untouched screen capture of how the keylogger sees VirtualATM):

No screen information visible, no text captured, no nothing. Your personal information is totally secured against prying eyes. You can see why we're excited about VirtualATM.

No comments: