Credential / Data Security of SafeOnline - how does this work?

Hello Joe,

could you please elaborate with examples a little bit
further, how this Advanced function of SafeOnline works
and how we can 'see' (=test) it in action?

Yes, I already read some comments from you like this ...

Quote:

Configuring your username/password within SafeOnline to be locked down to a specific domain will prevent any accidental phishing from taking your account information. We will immediately warn you if you are trying to enter your credentials outside of the accepted website, which prevents any phishing from taking place.

... and of course help site ...

Quote:

Credential/Data Security

This function allows SafeOnline to lock credentials to specific domains and policies. By doing this, the user is prevented from accidentally leaking them to phishing website parading as a legitimate website

Data Caption/Type
This is an identifier and is not used within the protection. It allows the user to differentiate between multiple configured passwords/credentials for management purposes.

Value to Protect
This is the password, credit card number, or other piece of information to which SafeOnline will be securing access. The data itself is not stored within SafeOnline at all, but a strong cryptographic checksum of the data is, which prevents any possibility of credential insecurity.

Repeat Value
This is a duplicate of the Value to Protect, entered to ensure that the data is exactly what the user wants to protect.

Add/Remove
After selecting a domain or password, the user can remove them by clicking the Remove button or the minus button in the password list. This will immediately remove protection for the selected area.

.. BUT I have to be honest here: this whole thing is still a mystery to me.
My main goal is to test that somehow and to see it 'at work' and then using it properly.

I guess what I don't understand is: if I have a site www.aaa.com
and there login account with user=user and password=12345 ...

.. should/would SafeOnline ring the alarm bell if I enter that
protected password (12345) on another site, let's say www.bbb.com?

Just if it is entered in an asterix password field? Any? Or even if this pass was stored before in browser (firefox) and is not typed in manually? - Or only if all this happens on the same domain (www.aaa.com) but if it is a phishing/fraudulent site revealed by SafeOnline IP Verification?

You see I really have no clue what this credential protection feature is exactly doing and maybe you could shed some light on it so that even I 'get it'? TIA!!!

[Hugger]

Quote:

Originally Posted by guest

Hello Joe,

could you please elaborate with examples a little bit
further, how this Advanced function of SafeOnline works
and how we can 'see' (=test) it in action?

Yes, I already read some comments from you like this ...



... and of course help site ...



.. BUT I have to be honest here: this whole thing is still a mystery to me.
My main goal is to test that somehow and to see it 'at work' and then using it properly.

I guess what I don't understand is: if I have a site www.aaa.com
and there login account with user=user and password=12345 ...

.. should/would SafeOnline ring the alarm bell if I enter that
protected password (12345) on another site, let's say www.bbb.com?

Just if it is entered in an asterix password field? Any? Or even if this pass was stored before in browser (firefox) and is not typed in manually? - Or only if all this happens on the same domain (www.aaa.com) but if it is a phishing/fraudulent site revealed by SafeOnline IP Verification?

You see I really have no clue what this credential protection feature is exactly doing and maybe you could shed some light on it so that even I 'get it'? TIA!!!

Thanks for making my morning.
It's not often that I run into someone more confused than me.
As for your question, it seems to be working as advertised.
I set the security level for whatever sites I want to be more secure in.
I also use Roboform for all my passwords.
Keep it simple. If it ain't broke don't fix it.

Quote:

Originally Posted by Hugger

Thanks for making my morning.

Glad I could help then. - Awake already?

Quote:

It's not often that I run into someone more confused than me.

I have really NO doubt about that.

Quote:

As for your question, it seems to be working as advertised.

BTW: My question was HOW this works and also how one could TEST this.

=> NO insight AT ALL gained from YOUR posting, waste of time so to speak, sleepyhead.
And the advertising is sort of unclear, that's the point I am trying to make here!

Quote:

I set the security level for whatever sites I want to be more secure in.

Ooooh greeeaaaat ... you managed to operate the slider,
wow .. pretty advanced Prevx power user you are!?

Quote:

I also use Roboform for all my passwords.
Keep it simple. If it ain't broke don't fix it.

Exactly - keep it simple: If you have no answer ... don't.

One goal of my posting is to show Joe (are you a Joe too?) that
the explanation of this feature isn't sufficient at the moment.

But thanks a lot for making my afternoon. *hug*

[kasperking]

Quote:

Configuring your username/password within SafeOnline to be locked down to a specific domain will prevent any accidental phishing from taking your account information. We will immediately warn you if you are trying to enter your credentials outside of the accepted website, which prevents any phishing from taking place.

hi guest.....the credential protection works...the popup may have chinese characters though ....i have my e-mail as protected so when i try to login into OA user area with it i get the credential protection alert.....see this thread http://www.wilderssecurity.com/showthread.php?t=264143

[PrevxHelp]

Sorry for the confusion - we'll be updating the help file with a more precise description soon.

Essentially, the credential protection will lock down your password to a specific website. While this will cause a bit of an annoyance if you use the same password on many websites, it will prevent you from accidentally entering your login details into a phishing website. The warning which kaspersking has linked to will be fixed shortly (a bug in the recent beta ) but if you try the current live build, it will work properly and show a warning with the URL that you tried to go to.

So, for example, if you are on www.facebook.com and click Configure, then Advanced, and then enter in your credentials to be protected and then go to www.google.com and try to type in your credentials again, you will be blocked from doing so.

Instead of locking this feature down to credentials alone, we've also made this flexible enough to be added as a parental control feature. For example, if your child has a PC, you may want to add protection over your last name or your street address, to prevent them from accidentally disclosing confidential information.

I hope this helps! Let me know if you'd like any further clarification

Quote:

Originally Posted by PrevxHelp

Sorry for the confusion - we'll be updating the help file with a more precise description soon.

Great!

Quote:

Essentially, the credential protection will lock down your password to a specific website. While this will cause a bit of an annoyance if you use the same password on many websites, it will prevent you from accidentally entering your login details into a phishing website.

I read your explanation (in help system and the other) many times
and did understand it right as I now see ...

... BUT I tried that and Prevx / SafeOnline build 3.0.5.64 did nothing,
so I wanted to ask if I maybe understood something wrong.

Just tested it again. Used my protected password
from one site on another ... nothing .. no warning!?

Quote:

I hope this helps! Let me know if you'd like any further clarification

YES, thank you! - At least I know now how it SHOULD work
and we will of course figure out somehow why it doesn't
when I am testing it .. which btw. added to my confusion.

[PrevxHelp]

Quote:

Originally Posted by guest

Just tested it again. Used my protected password
from one site on another ... nothing .. no warning!?

There may be some issues with credential protection on passwords which contain unicode characters or other non-standard characters. Could you let me know the general format of your password and what language your keyboard is configured to use?

Thanks!

[Zorak]

I've just upgraded to Prevx 3.0.5.74 with the trial version of SafeOnline and have also found that my "locked down password" can be entered into websites other than the protected one. I use a standard english keyboard and the password contains a mixture of upper and lowercase letters, a number and some punctuation marks.

[pegr]

Quote:

Originally Posted by Zorak

I've just upgraded to Prevx 3.0.5.74 with the trial version of SafeOnline and have also found that my "locked down password" can be entered into websites other than the protected one. I use a standard english keyboard and the password contains a mixture of upper and lowercase letters, a number and some punctuation marks.

I had the same problem with a username that contains an embedded full stop. Maybe there's a problem with some punctuation symbols.

[PrevxHelp]

Quote:

Originally Posted by pegr

I had the same problem with a username that contains an embedded full stop. Maybe there's a problem with some punctuation symbols.

This is definitely possible - Zorak - can you let me know what punctuation characters you're trying to use? I'll be doing some tests here and will report back as to what we find!

[TonyW]

Quote:

Originally Posted by PrevxHelp

Essentially, the credential protection will lock down your password to a specific website. While this will cause a bit of an annoyance if you use the same password on many websites, it will prevent you from accidentally entering your login details into a phishing website.

This is the crux of the matter. Ideally users should be using different passwords for every site they need to log-in to. Using a different username as well would be even better if at all possible.

A phishing site should be obvious from the URL at least once you go there IF you follow the link from somewhere else. (My email client shows the correct URL when you hover the mouse over the incorrect link - this way I'm able to report the very few offending phishes I receive without even going there.)

I've yet to use SafeOnline protection using credentials in the manner described. I do bank online, but that URL is stored in my favourites. The log-in for that isn't going to be used elsewhere. At the moment, I can't see the usefulness of this particular SOL feature for me personally.

[pling_man]

Careful you don't give too much away about your password Zorak

I tested this by protecting the word "happy" for my bank HTTPS site (without the quotes).

If I open my browser and type happy into google SafeOnline stops me when I hit the letter "y".

Trouble is it also stops other variants like

h a p p y
h.a.p.p.y
h. a. p. p. y.
h.....a.....p.....p....y

Lol. It shouldn't do this = Bug.

Spaces and punctuation marks are not handled properly it seems.

I can confirm that a user name like pling.man is not protected. = Bug.

The problem here is that SafeOnline probably uses a rolling checksum of the data entered and looks for matches with the checksum of the data stored. It can't just do, say, an MD5 in the normal way because it would be too slow. (see http://en.wikipedia.org/wiki/Rsync). Looks like this is not coded correctly.

I have only tried using it to protect simple user names and not complex passwords like the one I use for my bank (h67s$kj^78x-1 ) But it is difficult to keep user names unique. Can't the program allow multiple uses of the same data as long as all the websites are protected (this is what Rapport does).

i.e. why can't i protect "fred" on https://www.aa.com and on https://www.bb.com.

I know PSO offers to go to the correct location when it finds the data entered somewhere else and so will not be able to do this. But this option could be turned off or disabled in such cases.

[PC__Gamer]

Quote:

Originally Posted by pling_man

Careful you don't give too much away about your password Zorak

I tested this by protecting the word "happy" for my bank HTTPS site (without the quotes).

If I open my browser and type happy into google SafeOnline stops me when I hit the letter "y".

Trouble is it also stops other variants like

h a p p y
h.a.p.p.y
h. a. p. p. y.
h.....a.....p.....p....y

Lol. It shouldn't do this = Bug.

Spaces and punctuation marks are not handled properly it seems.

well, I think it SHOULD do this.

lets think of an example if someone puts in very confidential information such as credit card details, you wouldn't want the risk of these getting out-there just because of a typo with a few spaces or punctuation marks.

[pegr]

Quote:

Originally Posted by PC__Gamer

well, I think it SHOULD do this.

lets think of an example if someone puts in very confidential information such as credit card details, you wouldn't want the risk of these getting out-there just because of a typo with a few spaces or punctuation marks.

On reflection, I think you're right. What you said made me wonder whether SafeOnline ignores redundant characters such as full stops when checking a website entry to see if it matches the stored credentials, and it appears that this is exactly what happens.

However, it also appears that redundant characters that will be ignored on checking do appear to be significant at the time the credentials are set up as a value to protect. This enables protected values to be created that aren't checked correctly later when entered on websites. If redundant characters are omitted from the protected value at the time it is set up, the value does get checked correctly later.

This enabled me to solve my problem by omitting the full stop from the username that I wanted to set up as a protected value within SafeOnline. I do think that this is a bug though, as the logic should be consistent. If some special characters are to be treated as redundant and ignored, this should apply both to when the protected value is initially set up, and also to when it is checked later as it is entered on a website.

[PrevxHelp]

Hello
Thank you all for the testing and feedback - we do indeed have a bug introduced in one of the newer versions which will cause certain characters to not be added into the check - including periods and some other punctuation.

One note is that the "username" field is essentially an identifier for the login, not an area which is protected. You can, for instance, enter in:

"Joe's Bank Login Password"

for the Data Type field and then the password itself below. If you configure a password on a specific website and then configure the same password on another website, you will be able to use both without a problem, and, if you're on a website which is blocked because it isn't currently allowed to have that password entered in on it, you can click Allow and it will automatically add that password to the list of allowed passwords for that website.

I hope that clears it up - let me know if you have any other questions! We're working on fixing support for non-alphanumeric characters as we speak and should hopefully have an updated version shortly!

[pegr]

Quote:

Originally Posted by PrevxHelp

One note is that the "username" field is essentially an identifier for the login, not an area which is protected. You can, for instance, enter in:

"Joe's Bank Login Password"

for the Data Type field and then the password itself below.

My understanding is that SafeOnline can be used to protect any kind of data, including usernames used as logins to websites. It is the "Data Caption" field that identifies the type of protected data for reference purposes.

In my case, with my online banking website the reason for protecting the username, rather than the password, is that the username is unique to the website and has to be entered first on a separate screen before any other identifying information is requested. Three randomly selected characters from the password are then requested. There is no point trying to protect the online banking password itself, as it is never entered in full for security reasons. It made sense to use a value of "username" for the Data Caption as it is the username used to login to the website that is the value I wished to protect.

Not being argumentative, just clarifying things.

[pling_man]

Quote:

Originally Posted by pegr

It is the "Data Caption" field that identifies the type of protected data for reference purposes.

Exactly. Its up to the user what is protected.

Quote:

Originally Posted by pegr

There is no point trying to protect the online banking password itself, as it is never entered in full for security reasons. It made sense to use a value of "username" for the Data Caption as it is the username used to login to the website that is the value I wished to protect.

Very sensible. This is what I am trying to do too. At the moment I can't protect a couple of user names because I have full stops in them and I can't change them easily with the bank.

[pling_man]

Quote:

Originally Posted by PC__Gamer

... think of an example if someone puts in very confidential information such as credit card details, ...

I tried protecting a credit card number. When I tried to order something from amazon, SafeOnline logged me off. So I don't think protecting cards is that useful .... hang on though, I could use this to stop my wife from spending online. Brilliant feature PrevX

[Hugger]

I am now more confused than before.
When I click on the green Prevx rectangle, then on configure, then on advanced, I see 'Data Caption/Type and below that is value to protect and repeat.
If I want to protect my sign on at my bank what goes in the Data/Caption Type? The login name or something else?
Same with Value to protect. Does that equal the password?
Thanks.
Hugger

[pling_man]

Quote:

Originally Posted by Hugger

I am now more confused than before.
When I click on the green Prevx rectangle, then on configure, then on advanced, I see 'Data Caption/Type and below that is value to protect and repeat.
If I want to protect my sign on at my bank what goes in the Data/Caption Type? The login name or something else?
Same with Value to protect. Does that equal the password?
Thanks.
Hugger

The Data Type/Caption is anything you like. It tells you what the data is.

e.g. if Hugger is your user name and opensesame is your password at the bank:

Enter User name in Data Caption type.
Enter Hugger in Vaue
Enter Hugger again in Repeat value

Click + to add

Do a similar thing for your password:

Enter Password in Data Caption/Type
Enter opensesame in Value
Enter opensesame again in Repeat Value

Click + to add

It will be obvious when you have entered some values.

You can press - to remove values once you've entered them. The - is hidded if nothing is protected.

[Hugger]

Thanks, Pling Man.
That helped.
Hugger

[pegr]

Quote:

Originally Posted by pling_man

At the moment I can't protect a couple of user names because I have full stops in them and I can't change them easily with the bank.

Try setting up the full username in SafeOnline as a value to protect against the bank's website, but this time leaving out the full stop.

In order to test if it works, go to any website other than the bank's website (I used Google) and enter the username exactly as you would on the bank's website, including the full stop. You should find that you get a SafeOnline Credential Protection alert from SafeOnline, blocking access to the website. Now repeat the test on the bank's website and you should be able to access it.

It will be necessary to repeat the test when Prevx updates to a new version of SafeOnline. This is only a temporary workaround to get round the problem that will no doubt stop working (and no longer be needed) when the bug in SafeOnline checking is fixed.

[Dark Star 72]

This needs to be a lot better thought out than this.
I have two forums I visit where my 'User Name' is Dark Star 72 and another where it is DarkStar without a space between the words.
If I set up Wilders protection as User Name: Dark Star 72 and then Password as ******** per pling_mans instructions and then go to the OA/TallEmu forum and set up protection as Dark Star 72 with my totally different password used there I cannot login to either site because SafeOnline is telling me that the other site has the same user name. So, I cannot protect sites unless I have different login user names as well as passwords.
To further complicate matters if I go to the forum where my login user name is simply DarkStar I cannot log in there either because SafeOnline puts up the shutters as soon as I get to the 'r' in Dark
As the login/user name for most of the https: sites where I use my credit card requires me to use my e-mail address and a password I get locked out as soon as I start to enter my e-mail address if that is protected on more than the one site. If I only enter my password as protected I can log in anywhere as this credential protection requires both a user name and then a password to work.
I have tried this credential protection on a variety of sites and it works brilliantly, as long as the same or similar user names are not used on more than the one protected site. I said similar because SafeOnline blocked both DarkStar and Dark Star 72 at the first 'r'.
Your thoughts on this Joe

[pling_man]

I did some testing of the Advanced tab with the latest version (3.0.5.85).

The issue with non alphanumeric characters in confidential data (above) seems to be fixed.

However, confidential data is only protected if the user types the data into the "malicious" site - it does not protect the data if it entered using the clip board (copy/paste).


This seems to be a shortcoming for users who use a password manager to keep such data (I use keypass).

Can this be fixed?

I suspect that the clipboard protection part of SafeOnline is protecting the clipboard and stopping this part from working properly.

(I am using Firefox 3.6, KIS2010 on Vista in case its a problem with my setup.)

[Zorak]

Hi all

I've also upgraded to 3.0.5.85 but I'm afraid I'm still having problems with credential protection. I posted the following in the "Official Release - Prevx 3.0.5.80 with SafeOnline" thread, but it seems it may have slipped under the radar:

Quote:

I've upgraded to 3.0.5.80 and my credentials are still not being protected either. I get no protection at all, even with all alpha or all numeric passwords. I am using PSO free and Prevx paid on XP SP3 with IE8. I use a LUA with SRP and no other realtime security programs are running. Credential protection doesn't work when running as Admin either.

Is credential protection functional in the PSO trial version? When I add credentials to be protected the "Save Button" is unavailable, but the credential entries do still remain.