User space security and keyloggers

Discussion in 'Mac Apps and Mac App Store' started by munkery, May 7, 2011.

  1. munkery macrumors 68020


    Dec 18, 2006
    It is kind of funny that people get so worked up about credit card numbers. Honestly, a criminal could already have your credit card number by random chance.
    For example,
    Really, it is just a number in a specific format. There is nothing magical about a credit card number.

    With the Sony PSN breach and recent Mac malware in the wild, there is a lot of talk on the internet and in threads in this forum about online credit card fraud. Honestly, credit card fraud is just as likely to occur independent of the internet. In reality, your social security number and bank account number are much more critical than your credit card number because those numbers are used to get big loans for amounts much greater than a credit card limit. The big fish of online financial fraud is logging into another person's online banking to maximize the profitability of the crime by facilitating identity theft above and beyond credit card purchases.

    Online identity theft requires more than a credit card number. Often more specific information is required about the individual. That more specific information about an individual could already be online depending on how much information a user includes in online public profiles, such as MySpace and Facebook. Even all this information will not allow someone access to online banking accounts.

    More sophisticated malware uses a keylogger to collect passwords to gain information that will expose online banking credentials; specifically, an online banking login password. Keyloggers facilitate this type of fraud by collecting passwords to online banking, email, and social networking sites. Email accounts are used to reset other passwords. Social networking sites provide other needed information if not already easily accessible.

    Mac OS X implements two user space security mechanisms that prevent keyloggers and other malware from logging these passwords unless social engineering tactics are successful or the exploitation includes privilege escalation. Privilege escalation is rare in OS X, so prevention is basically up to the user. The first security mechanism is called EnableSecureEventInput, which prevents keyboard events related to security-sensitive logins from being logged when exiting IOHIDSystem on the way to Window Server. The other security mechanism is called NSSecureTextField, which prevents passwords from being viewed or captured in the user interface by form grabbers.

    Keyloggers installed in kernel space are able to log these protected passwords. Looking at the source code for logkext shows it interacts with IOHIKeyboard, located in the IOHIDSystem bundle, to log keyboard events in kernel space. To locate these items in Finder, do an advanced search in Finder for IOHIDFamily and search inside the package contents for IOHIDSystem. Kernel space keyloggers require user authentication to install unless the exploit includes privilege escalation. These kernel device drivers are protected by the discretionary access controls of OS X unless using the root user account.


  2. MisterMe macrumors G4


    Jul 17, 2002
    I have no idea what you are trying to make, but you are not making it particularly well. If sequentially guessing credit card numbers were as easy as you say, then we would all be in a world of hurt. Commerce by mail, telephone, and the Internet would be virtually impossible. However, you ignore the fact that credit cards are attached to names and addresses. Not all transactions require verification. However, virtually every credit transaction that I have ever made online requires that I give the "Name on Card." A machine can guess my credit card number. However, it is immeasurably more difficult to guess the name on my card.

    As for keyloggers, the solution to them is simple. Don't install them.
  3. munkery, May 7, 2011
    Last edited: May 7, 2011

    munkery thread starter macrumors 68020


    Dec 18, 2006
    By what reasoning is it difficult to randomly generate a string of numbers of a specific length?

    Actually, I am emphasizing the fact the value of a credit card number is tied to being associated with other information. I am also emphasizing the fact that many individuals freely make that other information available online.

    Why don't individuals protect that information as much as credit card numbers?

    Most if not all of that information is protected when entered into web forms during purchases by user space security mechanisms. This protection eliminates some ways to profit from computer crimes. This is why this information is much more likely to be harvested independent of the internet.

    A machine can provide both. Specifically, a computer with a kernel space keylogger installed can provide both.

    But, you are far more likely to have that information exposed by others having physical access to your credit card via loss, theft, etc. If someone in another country is using your credit card, it is most likely that the data was not harvested online but that it was sold online by someone that had physical access to the card. Freely available information people provide online only increases the capacity to be exploited. Some of that data is just as important as the credit card number.

    Are you Facebook friends with your uncle (mother's brother)? What is your mother's maiden name? What is your favorite TV show? Do you post tagged pics of all of your pets?

    Also, credit cards have cash limits and fraud protection. It takes more than the credit card number and name to get another credit card or bank loan. The extent of online identity theft is much greater from exposure of an online banking password.

    A user doesn't have the choice to not install them if they are not using discretionary access controls or the OS often has privilege escalation vulnerabilities. Make sure you are using discretionary access controls and an OS with the least amount of privilege escalation vulnerabilities.

    Beyond that, you are right. Be careful what you authenticate. But, also be careful about what other information you put online.
  4. MisterMe macrumors G4


    Jul 17, 2002
    You are not making sense. It is much more efficient to sequentially generate credit card numbers, just like telemarketers sequentially dial telephone numbers during dinner. However, it is very inefficient to test credit card numbers. You must also understand that credit card numbers may have a fixed format. However, cardholders' names are not of fixed length.

    As for the other stuff, you seem to have a somewhat decent grasp of the obvious. If others have access to your card, then they can steal your number. Wow! What was your first clue?
  5. miles01110 macrumors Core


    Jul 24, 2006
    The Ivory Tower (I'm not coming down)
    It's not difficult to generate a string of numbers; it is difficult to prove that the algorithm being used is truly "random," though. We could have a philosophical argument about whether or not machines can truly generate random numbers.

    Because the liability for any damages falls to the card company, not the customer. As others have said, it doesn't really matter what the number is.

    It's fairly obvious you're just spamming to increase exposure to the links in your signature. You really don't have anything new or interesting to say.

    Thread summary: If a bad person can physically steal your card, they might do so.
  6. munkery, May 7, 2011
    Last edited: May 10, 2011

    munkery thread starter macrumors 68020


    Dec 18, 2006
    Why? Whether or not the numbers are sequential makes no difference as long as the numbers fit Luhn's formula. That generator produces random Luhn's formula numbers.

    The specific purpose of that generator is to use numbers that fit Luhn's formula to test one of the two verification methods of credit card purchases on e-commerce sites.

    But, the numbers are also used in fraud in conjunction with random names. This works if the random value is an actual number in use and there is a failure in the secondary backend verification process to check that the name and/or other verification data is valid.

    Often in-person purchases do not have secondary verification until the sale is processed, long after the person has left the store.

    Fixed format = Luhn's formula and length defined by credit card company. The name is a non-issue for many types of crime.

    Sorry, your first post in this thread made it seem that you do not.

    We could have a philosophical argument about whether anything is random. I kinda need to take a dump right now. I wonder if that is because I ate food in the past? Determinism?

    But that information can be used for crimes unrelated to credit cards where the liability is much more difficult to displace away from oneself. Banks make it very difficult to remedy the situation if a criminal takes out a loan for big money.

    Why would I spam my links? I don't make any money off them. Even if I am spamming those links, what is wrong with that given that they are there to help others?

    I read something I thought was interesting so I wanted to share in case others are interested.

    Honestly, I have been looking through MSDN (Microsoft Developers Network) and I can only find references to basic text box masking but no other user space security mechanisms.

    Edit: there is a control function in Windows called PasswordBox that provides similar user space security. The function of the security feature is dependent on discretionary access controls, similar to OS X. So, make sure to not use an admin account in Windows XP and do not disable UAC in Windows Vista/7, because both of these configs do not use DAC.

    Also, make sure to password protect the built-in hidden administrator account in Windows XP. It is kind of pointless to have an admin account on the machine that has a known username and blank password by default.
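The Luhn check that this post keeps referring to, as an added example that is not part of the thread or of the generator being discussed (Python; the sample numbers are the textbook Luhn example and constructed variants of it, not real card numbers). It shows why the check is only a format test: for any prefix exactly one of the ten possible check digits validates, so a uniformly random string of the right length passes one time in ten, and the check detects single-digit typos and most adjacent transpositions but says nothing about whether the number was ever issued or who holds it.

```python
import random


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum modulo 10 for a string of ASCII digits.

    Walking from the rightmost digit, every second digit is doubled and
    products above 9 have 9 subtracted (same as summing their digits).
    A number satisfies the Luhn check when this value is 0.
    """
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if `number` (spaces and dashes allowed) passes the Luhn check."""
    digits = "".join(ch for ch in number if ch not in " -")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_checksum(digits) == 0


def luhn_check_digit(payload: str) -> str:
    """Return the single check digit that makes `payload` Luhn-valid."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits only")
    return str((10 - luhn_checksum(payload + "0")) % 10)


def valid_check_digits(payload: str) -> list:
    """All check digits 0-9 that would make `payload` Luhn-valid.

    There is always exactly one, which is why a random digit string of the
    right length passes the check one time in ten.
    """
    return [c for c in "0123456789" if luhn_valid(payload + c)]


def fraction_passing(length: int, trials: int, seed: int = 1) -> float:
    """Estimate the share of uniformly random `length`-digit strings that
    pass the Luhn check. Converges to 0.1 regardless of length or prefix."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        candidate = "".join(rng.choice("0123456789") for _ in range(length))
        if luhn_valid(candidate):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # 79927398713 is the textbook Luhn example; the others are constructed
    # variants with a single-digit error and an adjacent transposition.
    for sample in ("79927398713", "79927398714", "79927398731", "7992 7398 713"):
        print(sample, luhn_valid(sample))
    print("check digit for 7992739871:", luhn_check_digit("7992739871"))
    print("digits that validate:", valid_check_digits("7992739871"))
    print("share of random 16-digit strings passing:", fraction_passing(16, 5000))
```

From a defender's side this is the whole point of the "secondary verification" the post mentions: a Luhn-valid number is evidence of nothing but a correctly typed number, so issuer authorization, address and CVV checks (and monitoring for bursts of declined authorizations) are the controls that actually separate a real cardholder from a generated value.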
