Blog article

An article relating to this blog post on Finextra:

Hackers nab 500,000 Oz credit card numbers

Aussie police say that hackers targeting merchant computer systems may have stolen half a million credit card numbers and racked up A$25 million in fraudulent transactions.


NFC to POS -- Check and mate: The end game for key loggers

I am not at all surprised by this.  It is sub judice even to discuss what the investigation will reveal; yet I will risk my last cent that it is an ‘inside job’ with the connivance of the POS folks. It was the butler after all.

The phrase ‘information security’ in a Google search throws up 874,000,000 results (0.17 seconds) and the phrase ‘key logger’ 4,690,000 results (0.21 seconds).  It is safe to conclude that the world is aware of information security and of key logging.  Yet we have the global population merrily keying passwords on keyboards without much of a thought, as this breach reveals.

I have done internet banking transactions in Canada and India, and I find it much safer in India than in Canada.  One simple example: on the log-in page the user has the option to select a virtual keyboard to input the user ID and password, a sure protection against ‘key loggers’.  I have this noted in my book under the section ‘Trifles that matter’.  My Canadian bank still believes the keyboard is the ‘way in’ for internet banking.

Extending this logic, each POS terminal, ATM or internet banking page can offer a virtual keyboard as an option. Alternatively, each transaction that requires keying in a password can use two-factor authentication: the password itself, together with a ‘One Time Password’ sent by way of an SMS, which together approve the transaction.  This can be a short randomly generated alphanumeric key, say three characters, though a code that short only holds up if the number of attempts is limited and the code expires quickly.  A more secure option is to shuffle the virtual keyboard away from the standard ‘QWERTY’ layout for each access event, so that a recorded click position does not map to the same character next time.  These are all classic examples within the existing paradigm.
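The shuffled virtual keyboard and the SMS one-time password described above, as an added example that is not code from the original post or from any bank: the server keeps the shuffled layout and resolves click positions back to characters, so a physical keylogger sees nothing and a replayed set of click positions resolves to garbage under the next layout; the OTP verifier adds the attempt limit and expiry that a three-character code needs. The 36-key layout, the 120-second window, the three-attempt limit and every function name are assumptions made for this example.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Assumed parameters for this example, not values from the post or any bank.
KEYS = string.ascii_lowercase + string.digits   # the 36 keys drawn on the virtual keyboard
OTP_ALPHABET = string.ascii_uppercase + string.digits
OTP_LENGTH = 3            # the three-character alphanumeric code the post proposes
OTP_TTL_SECONDS = 120     # assumed validity window
OTP_MAX_ATTEMPTS = 3      # assumed attempt limit before the code is dead


@dataclass
class KeyboardSession:
    """Server-side record of one shuffled layout. The browser only learns the
    layout to draw and sends back click positions, never characters, so a
    keylogger on the physical keyboard sees nothing at all."""
    layout: tuple  # layout[i] is the character drawn on key number i

    def resolve(self, positions):
        """Map the key positions a client clicked back to the characters meant."""
        if any(p < 0 or p >= len(self.layout) for p in positions):
            raise ValueError("click position outside the keyboard")
        return "".join(self.layout[p] for p in positions)


def new_keyboard_session():
    """Fresh layout for one login attempt, shuffled with a CSPRNG so that a
    position sequence captured today means something else tomorrow."""
    keys = list(KEYS)
    secrets.SystemRandom().shuffle(keys)
    return KeyboardSession(layout=tuple(keys))


def click_positions(session, secret_text):
    """What an honest client submits: the index of each key it clicked.
    This is all a click-position logger (or a shoulder surfer) captures."""
    index = {c: i for i, c in enumerate(session.layout)}
    return [index[c] for c in secret_text]


@dataclass
class OtpChallenge:
    """One issued SMS code and its state on the server."""
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def issue_otp(now=None):
    """Generate the code that would be sent by SMS alongside the password step."""
    code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
    return OtpChallenge(code=code, issued_at=time.time() if now is None else now)


def verify_otp(challenge, submitted, now=None):
    """Accept the code once, only within the window and the attempt limit.
    A 3-character code has only 36**3 = 46,656 values, so without these two
    limits an attacker who has already logged the password could guess it."""
    now = time.time() if now is None else now
    if challenge.consumed or now - challenge.issued_at > OTP_TTL_SECONDS:
        return False
    if challenge.attempts >= OTP_MAX_ATTEMPTS:
        return False
    challenge.attempts += 1           # a wrong guess must count before comparing
    expected = challenge.code.encode()
    got = submitted.strip().upper().encode()
    if hmac.compare_digest(expected, got):   # constant-time comparison
        challenge.consumed = True
        return True
    return False


if __name__ == "__main__":
    password = "s3cret9"                         # constructed sample input
    first, second = new_keyboard_session(), new_keyboard_session()
    captured = click_positions(first, password)  # what a click logger would see
    print("session 1 resolves to:", first.resolve(captured))
    print("same clicks replayed in session 2:", second.resolve(captured))
    otp = issue_otp()
    wrong = "000" if otp.code != "000" else "001"
    print("OTP sent by SMS:", otp.code)
    print("wrong guess accepted?", verify_otp(otp, wrong))
    print("right code accepted?", verify_otp(otp, otp.code))
    print("replay accepted?", verify_otp(otp, otp.code))
```

The layout never leaves the server except as the picture drawn for this one login, and the comparison is constant-time, so neither keystrokes nor click positions nor timing give the code away; the attempt counter is incremented before the comparison so that a wrong guess always costs one of the three tries.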

A shift in paradigm is a necessity.  We do have the technology available, and it is ubiquitous. You guessed it right the first time. Yes! It is NFC.  Google Wallet 2.0 (if I may so call it) is perfect to stymie the growing global community of ‘key loggers’. I am talking about the front-end virtual card with the ‘real’ cards linked in the background; with no card number or password keyed in at the terminal, there is nothing for a keystroke logger to capture.  This will ensure privacy and security.  The ‘secure element’ that Google talks about is, I am sure, a good safeguard guaranteeing privacy.  Quick adoption of this technology will create welcome unemployment in the ‘keyloggers’ industry.

Comments: (3)

A Finextra member, 22 August 2012, 08:24

Today's smartphones are at least as vulnerable as PCs are; when facing "unemployment", keyloggers will quickly adapt to the new target platform. Virtual keyboards aren't the panacea either; there are some trojans that can read those too ...

A Finextra member, 22 August 2012, 15:15

I agree with you there. Nothing is secure in the long run. In this cat and mouse game, staying ahead matters. As we speak we have NFC and virtual keyboards that are dynamic and context based, which are relatively safer. Surely not for ever, though. Relevant technology at that point in time will probably have a solution.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 24 August 2012, 18:58

I've seen that some banks in the UK that used to support virtual keyboards on their Internet Banking login screens have now removed them. Could it be because virtual keyboards are more vulnerable to the "looking over the shoulder" threat vector?

If the threat of keylogging is really so serious, the Indian regulation imposing 2FA for each and every - not just high-value - CNP transaction is somewhat counterproductive. At least, it appears so based on the precedent of the PATCO v. OCEAN BANK ACH fraud lawsuit in the USA, where the court of appeals found in favor of the plaintiff. One of the major factors that went against the bank was its decision to lower the threshold of its Q&A challenge from US$ 1000 to US$ 1. The bank thought it was improving security by doing this. But the court ruled that, with rampant keylogging, keyloggers got many more opportunities to harvest the right answers with a lower threshold! Yet another example of "unintended consequences", I guess...


This post is from a series of posts in the group:

Internal Auditors in Financial Services

This community aims to provide related links, resources and news references, and to develop a forum for internal auditors to exchange views on various related items.
