A Trustwave researcher has developed a 'Touchlogger' attack methodology that allows an attacker to log the X-Y coordinates of a smartphone's touchscreen, as well as the screen icon being touched, in order to bypass the latest generation of virtual keypad login procedures used for online financial services.
Because of the risk of keyloggers on regular PCs, a growing number of international banks are now using smartphones as an out-of-band authentication process to boost security for their online banking, SCMagazineUK.com notes.
Neal Hindocha, a senior security consultant with Trustwave, will reveal his methodology, and proof-of-concept malware, in full at next month's RSA Security conference in San Francisco.
Hindocha, who has been in the security space since the 1990s and was previously with Symantec and Verizon Business, specialises in penetration testing, reverse engineering and secure source code analysis.
He claims that banks and other interested parties cannot easily counter his smartphone touchscreen logging technique, as it is a structural security issue rather than a software problem.
SCMagazineUK.com caught up with Hindocha on Wednesday to discuss his findings and he said that, since a lot of Trustwave's clients are in the financial services industry, they asked him to look at the smartphone touchscreen security issue.
"We discussed the problem and, whilst there have been proof-of-concept keyboard bypasses in the past, this is the first time that the security of a virtual keypad has been beaten," he said.
"Most banking software - whether on the desktop or the smartphone - now supports some form of virtual keypad, but the reality is that the keypad is actually a series of pictures. I reasoned that, if you could capture the pictures being displayed on the screen, as well as X-Y co-ordinates from the touchscreen, I could bypass this security protection system. And I was right," he added.
His latest security bypass approach, he explained, can even beat the latest generation of mixed pictures that a number of players have been touting as a means of adding an extra layer of authentication to a login process.
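The mechanism Hindocha describes, as an added illustration for this page (example code written for the article, not Trustwave's or Hindocha's proof-of-concept malware): a randomised on-screen keypad defeats a logger that records only touch coordinates, because the same screen cell shows a different digit on every login, but it does not defeat a logger that also captures what was on screen at the moment of each touch. The pad geometry, the per-session shuffle, the simulated touches, the PIN "4917" and every function name below are constructed for the example. Button labels are plain strings, so the same hit-test applies to the "mixed picture" pads mentioned above: the logger never has to understand the picture, only which one sat under the finger.

```python
"""Added example (not Trustwave's or Hindocha's code): why a randomised keypad
beats a coordinate-only logger but not a logger that also captures the screen.

Everything here is constructed for illustration: pad geometry, per-session
shuffle, simulated touches, PIN and seed.
"""
import random
from typing import Dict, List, Optional, Tuple

Point = Tuple[int, int]
Rect = Tuple[int, int, int, int]          # x0, y0, x1, y1 in screen pixels

# Constructed pad geometry: a 3x4 grid of buttons on a 720x1280 portrait screen.
GRID_ORIGIN = (60, 640)
CELL_W, CELL_H = 200, 120
COLS, ROWS = 3, 4


def cell_rect(col: int, row: int) -> Rect:
    x0 = GRID_ORIGIN[0] + col * CELL_W
    y0 = GRID_ORIGIN[1] + row * CELL_H
    return (x0, y0, x0 + CELL_W, y0 + CELL_H)


def randomised_layout(rng: random.Random) -> Dict[Rect, str]:
    """Simulate a banking app that shuffles digit positions for every session.
    Ten digits and two blank cells are dealt across the twelve buttons."""
    labels = list("0123456789") + ["", ""]
    rng.shuffle(labels)
    cells = [cell_rect(c, r) for r in range(ROWS) for c in range(COLS)]
    return dict(zip(cells, labels))


def hit_test(layout: Dict[Rect, str], point: Point) -> Optional[str]:
    """What the Touchlogger does: look up the label shown under the touched pixel."""
    x, y = point
    for (x0, y0, x1, y1), label in layout.items():
        if x0 <= x < x1 and y0 <= y < y1:
            return label
    return None


def cell_of(point: Point) -> Optional[str]:
    """What a coordinate-only logger can infer: the grid cell, not its label."""
    col = (point[0] - GRID_ORIGIN[0]) // CELL_W
    row = (point[1] - GRID_ORIGIN[1]) // CELL_H
    if 0 <= col < COLS and 0 <= row < ROWS:
        return f"r{row}c{col}"
    return None


def simulate_touches(layout: Dict[Rect, str], pin: str, rng: random.Random) -> List[Point]:
    """Constructed user input: one touch somewhere inside the correct button per digit."""
    by_label = {label: rect for rect, label in layout.items() if label}
    touches = []
    for digit in pin:
        x0, y0, x1, y1 = by_label[digit]
        touches.append((rng.randrange(x0 + 10, x1 - 10), rng.randrange(y0 + 10, y1 - 10)))
    return touches


def recover_with_screen_capture(captures: List[Tuple[Dict[Rect, str], Point]]) -> str:
    """Full attack: each touch is paired with the layout on screen at that moment."""
    return "".join(hit_test(layout, pt) or "?" for layout, pt in captures)


def recover_coordinates_only(touches: List[Point]) -> List[Optional[str]]:
    """Reduced attack: coordinates alone give cells, whose meaning changes per session."""
    return [cell_of(pt) for pt in touches]


def demo(pin: str = "4917", seed: int = 7) -> dict:
    rng = random.Random(seed)
    session_a = randomised_layout(rng)
    touches = simulate_touches(session_a, pin, rng)
    session_b = randomised_layout(rng)           # the next login, freshly shuffled
    return {
        "pin": pin,
        "full_touchlogger": recover_with_screen_capture([(session_a, p) for p in touches]),
        "coordinates_only": recover_coordinates_only(touches),
        "cells_read_against_next_session": "".join(hit_test(session_b, p) or "?" for p in touches),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last two fields in `demo()` is the structural problem the article describes: the coordinates are the same bytes in both cases, and only the capture of the screen taken at touch time turns them into the PIN. Shuffling the pad again for the next session changes what those cells mean, which is exactly why the capture has to be taken at the moment of the touch rather than reconstructed later.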
"It's a fascinating area of security. I started work on this in July of last year and will be revealing my methodology at the RSA event at the end of February," he said, adding that installing the malware remotely on an Android handset or a jailbroken Apple iPhone is a relatively easy task.
With a standard iPhone, he says, the task becomes more complex and would require around 30 minutes of physical access to the handset in order to install the malware and ensure it logs the touchscreen X-Y coordinate touches and swipes.
"I haven't made it work on Windows-driven smartphones yet, as my main focus has been on Android and iPhones," he said.
The $64,000 question is what the security industry and the banks can do about Hindocha's security bypass research, which could also be applied to Windows 8 touchscreens.
In December 2012, Naven Jones, a US researcher, revealed that he had been looking at Windows 8's picture-password login, which shipped with Windows 8 in October of that year. He concluded it could be cracked using screen-smudge analysis. This is possible because human skin constantly sheds oil and skin fragments, leaving smudges on most smartphone, tablet and desktop touchscreens, SCMagazineUK.com notes.
This approach was first discussed by Nigel Stanley, a security analyst with Incoming Thought, at the Counter Terror Expo event in April 2011, but Jones, of Uncoveror.com, said that smudge analysis dramatically reduces the number of key sequences needed to brute-force a Windows 8 desktop or laptop login.
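To make the "dramatically reduces" claim concrete, here is an added worked example (written for this page, not Jones's or Stanley's analysis) that counts how far smudge evidence shrinks a brute-force search for a numeric PIN. It assumes a 10-key numeric pad, a PIN of known length, and smudges that reveal which keys were touched but not their order or how often each was pressed; all of those assumptions, the function names and the sample evidence strings are constructed. A Windows 8 picture password is a different input space, but the counting argument is the same: evidence about which targets were touched removes every candidate that touches anything else.

```python
"""Added example (not Jones's or Stanley's work): how much smudge evidence
shrinks the brute-force search for a numeric PIN.

Constructed assumptions: a 10-key pad, a PIN of known length, and smudges that
reveal which keys were touched but not their order or repetition count.
"""
from itertools import product
from math import comb
from typing import List, Tuple


def candidate_pins(smudged_keys: str, length: int) -> List[str]:
    """Enumerate PINs of the given length that use every smudged key at least once
    and nothing else (a smudge on an untouched key would be unexplained)."""
    keys = sorted(set(smudged_keys))
    if not keys or len(keys) > length:
        return []
    needed = set(keys)
    return ["".join(p) for p in product(keys, repeat=length) if set(p) == needed]


def surjection_count(length: int, keys: int) -> int:
    """Closed form for the same count (inclusion-exclusion): sequences of the given
    length over `keys` symbols in which every symbol appears at least once."""
    return sum((-1) ** i * comb(keys, i) * (keys - i) ** length for i in range(keys + 1))


def search_space(smudged_keys: str, length: int, alphabet: int = 10) -> Tuple[int, int]:
    """(candidates with no smudge evidence, candidates consistent with the smudges)."""
    return alphabet ** length, len(candidate_pins(smudged_keys, length))


if __name__ == "__main__":
    for evidence in ("4917", "491", "49", "4"):
        full, reduced = search_space(evidence, 4)
        print(f"smudged keys {evidence}: {full} -> {reduced} candidate PINs")
```

For a four-digit PIN the enumeration drops from 10,000 candidates to 24 when four distinct keys are smudged, 36 for three, 14 for two and a single candidate for one; `surjection_count` gives the same numbers without enumerating, which is what you would use for longer PINs or larger target sets.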
Stanley's fellow analyst Sarb Sembhi, meanwhile, said in an online conference in November 2012 that the smudge analysis technique would likely die off on smartphones eventually, owing to the introduction of hardened glass.
Windows 8, however, is a desktop/laptop operating system, and Microsoft portrays the picture password option as a powerful security feature.