Computers & Security
Volume 26, Issue 6, September 2007, Pages 421-426
doi:10.1016/j.cose.2007.05.003    
Copyright © 2007 Elsevier Ltd All rights reserved.

Anti-keylogging measures for secure Internet login: An example of the law of unintended consequences

Stuart P. Goring (a), Joseph R. Rabaiotti (b) and Antonia J. Jones (b, corresponding author)

(a) BushcraftUK, Newcastle Emlyn, UK

(b) School of Computer Science, Cardiff University, 5 The Parade, Cardiff, Wales CF24 3AA, United Kingdom


Received 24 October 2006; 
revised 24 February 2007; 
accepted 14 May 2007. 
Available online 18 May 2007.

Abstract

Traditional authentication systems used to protect access to online services (such as passwords) are vulnerable to compromise via the introduction of a keystroke logger to the service user's computer. This has become a particular problem now that many malicious programs have keystroke logging capabilities. When banks first introduced Online Banking services they realised this, and added features to protect users against keystroke logging. In this paper we show, using a real Online Banking system as an example, that if these features are incorrectly implemented they can allow an attacker to bypass them completely and gain access to a user's bank account within a small number of attempts. The vulnerability was initially noticed in a particular Online Banking service, but any system implemented in the way we describe is equally vulnerable.

Keywords: Online banking; Gatekeeper defects; Web login procedures; Internet login; Keylogger

Article Outline

1. Disclaimer
2. Introduction
3. The login procedure
4. The vulnerability
5. Attack methodology
6. Probabilistic analysis
7. Conclusions
Acknowledgements
References
Vitae



Corresponding author. Tel.: +44 292 087 5490.