29 May 2017
Innovation and vision
Vishwanath Thanalapatti


Vishwanath Thanalapatti - Risk Management Professional

Finextra community

Internal Auditors in Financial Services

This community aims to provide related links, resources and news references, and to develop a forum for internal auditors to exchange views on various related items.
A post relating to this item from Finextra:

Hackers nab 500,000 Oz credit card numbers

17 August 2012  |  8334 views  |  2
Aussie police say that hackers targeting merchant computer systems may have stolen half a million credit card numbers and racked up A$25 million in fraudulent transactions.

NFC to POS -- Check and mate: The end game for key loggers

20 August 2012  |  5139 views  |  2

I am not at all surprised at this.  It is sub judice even to discuss what the investigation will reveal; yet I will risk my last cent if it is not an ‘inside job’ with the connivance of the POS folks. It was the butler after all.

A Google search for the phrase ‘information security’ throws up 874,000,000 results (0.17 seconds), and for the phrase ‘key logger’ 4,690,000 results (0.21 seconds). It is safe to conclude the world is aware of information security and key logging. Yet we have the global population merrily keying in passwords on keyboards without much thought, as this reveals.

I have done internet banking transactions in Canada and India. I see it is much safer in India as compared with Canada. One simple example: on the log-in page the user has an option to select the virtual keyboard to input the user ID and password, a sure protection against ‘key loggers’. I have this noted in my book under the section ‘Trifles that matter’. My Canadian bank still believes the keyboard is the 'way in' for internet banking.

Extending this logic, each POS terminal, ATM or internet banking page can have a virtual keyboard as an option. Alternatively, each transaction that requires a password to be keyed in can use 2-factor authentication: one factor is the password itself; the other is a ‘One Time Password’ sent by way of an SMS, and the two together approve the transaction. This can be a 3 digit randomly generated alpha-numeric key. A more secure option is to shuffle the virtual keyboard from the standard ‘QWERTY’ for each access event. These are all classic examples in the existing paradigm.
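An added sketch of the two ideas in the paragraph above: a virtual keyboard reshuffled for each access event, and a password plus SMS one-time code that together approve a transaction. It is not from the original post; AccessEvent, positions_for, demo and the sample password and salt are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # keys drawn on the virtual keyboard
OTP_LENGTH = 3  # the post's 3-character code: only 36**3 = 46,656 values, so it must be single-use

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AccessEvent:
    """Server-side state for one login or transaction attempt."""

    def __init__(self):
        keys = list(ALPHABET)
        secrets.SystemRandom().shuffle(keys)  # fresh layout per access event (CSPRNG)
        self.layout = keys                    # sent to the client only for drawing
        self.otp = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LENGTH))  # sent by SMS
        self.spent = False

    def approve(self, clicked_positions, otp, salt, stored_hash) -> bool:
        """Both factors must match; the event is consumed whether or not they do."""
        if self.spent:
            return False
        self.spent = True
        size = len(self.layout)
        if any(not isinstance(p, int) or not 0 <= p < size for p in clicked_positions):
            return False
        # Only the server can turn positions back into characters for this event.
        typed = "".join(self.layout[p] for p in clicked_positions)
        password_ok = hmac.compare_digest(hash_password(typed, salt), stored_hash)
        otp_ok = hmac.compare_digest(otp.encode(), self.otp.encode())
        return password_ok and otp_ok

def positions_for(event, password):
    # What the client submits: indexes of the keys clicked, never the characters.
    return [event.layout.index(ch) for ch in password]

def demo():
    """Constructed account: password 's3cret' and a made-up salt."""
    salt = b"constructed-salt"
    stored = hash_password("s3cret", salt)
    event = AccessEvent()
    clicks = positions_for(event, "s3cret")
    first = event.approve(clicks, event.otp, salt, stored)
    replay = event.approve(clicks, event.otp, salt, stored)  # same event reused
    return first, replay
```

Because the layout and the code belong to one event and the event is marked spent on first use, click positions or a code captured from one attempt are rejected when replayed against that event.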

A shift in paradigm is a necessity. We do have the technology available and it is ubiquitous. You guessed it right the first time. Yes! It is NFC. Google Wallet 2.0 (if I may so call it) is perfect to stymie the growing global community of ‘key loggers’. I am talking about the front end virtual card with the ‘real’ cards linked in the background. This will ensure privacy and security. The ‘secure element’ that Google talks about is, I am sure, a good safeguard guaranteeing privacy. A quick adoption of this technology will create a welcome unemployment in the ‘keyloggers’ industry.



Comments: (3)

A Finextra member | 22 August, 2012, 08:24

Today's smartphones are at least as vulnerable as PCs are; when facing "unemployment", keyloggers will quickly adapt to the new target platform. Virtual keyboards aren't the panacea either; there are some trojans that can read those too ...

Vishwanath Thanalapatti - Risk Management Professional - Toronto, Canada | 22 August, 2012, 15:15

I agree with you there. Nothing is secure in the long run. In this cat and mouse game staying ahead matters. As we speak we have NFC and virtual keyboards that are dynamic and context based that are relatively safer. Surely not forever though. Relevant technology at that point in time will probably have a solution.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 August, 2012, 18:58

I've seen some banks in the UK who used to support virtual keyboards on their Internet Banking login screens have now removed them. Could it be because virtual keyboards are more vulnerable to "looking over the shoulder" threat vector?

If the threat of keylogging is really so serious, the Indian regulation imposing 2FA for each and every - not just high-value - CNP transaction is somewhat counterproductive. At least, it appears so based on the precedent of the PATCO v. OCEAN BANK ACH fraud lawsuit in the USA, where the court of appeals found in favor of the plaintiff. One of the major factors that went against the bank was its decision to lower the threshold of its Q&A challenge from US$ 1000 to US$ 1. The bank thought it was improving security  by doing this. But, the court ruled that, with rampant keylogging, keyloggers got many more opportunities to harvest the right answers with a lower threshold! Yet another example of "unintended consequences", I guess...
