Security ? storing financial PWs in PassWord Safe or other

Discussion in 'other security issues & news' started by phkhgh, Jun 24, 2009.

Thread Status:
Not open for further replies.
  1. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Using v3.17 in Vista hm prem x64.

    Normally, don't store important financial acct PWs ANYWHERE on my PC.

    Wondering about realistic security risks / issues of storing them in PassWord Safe (possibly in separate DB w/ much longer PW).

    Possibly storing the DB / financial logins on removable media.

    Now, when login to a bank, I'm on an https site, plus use keyscambler - fairly secure.

    Even if store a PWS DB on removable media, once load / insert the media, if right type of malware was on my system, it could conceivably steal the DB. I use latest Kaspersky IS, always updated, but nothing's perfect.

    IF make the DB PW long / random enough to prevent cracking (say 20 - 25 random characters), quite cumbersome to type in when opening a safe, even if written on paper. If an encrypted file / safe w/ bank acct PWs was hacked & cracked, would be disaster.

    Thought of storing master PW to open a DB (if using PW Safe) or an encrypted file, on CD or thumb drive. Copy & paste the long master PW stored on removable media to open bank accts DB / file.

    Is there a better, more realistic way or methods to store important PWs w/ PassWord Safe (or other methods) & enter them more quickly than typing in long PWs AND still retain very high security? Really don't know what method(s) security savvy users employ for this situation.

    Thanks
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    The best place to start is, instead of encryption and such, making sure that there is no malware on your system that could capture your passwords. (I shall return to edit this post later today. Now, coffee break. :D )
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Few ways of thinking about internet banking .

    Look at what the malware has to do to get your info.
    1. infect PC - prevent this , no further action needed.
    2. Access password used , "" ""
    3. Transmit password to internet server , "" ""

    Look at bank side
    1. Ask about using one-time card to login
    2. Ask about using physical device to login


    Look at what happens if password stolen
    1. What can they do with password ?
    My bank requires that I use one-time card to authorize any new outbound money transfers
    2. Are you or bank liable for losses ( if any )
    3. How would you know if password stolen
    My bank shows the last time my a/c was logged into .
     
  4. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Excellent points, Joey. Don't know all answers.
    And, yes preventing malware getting on machine is priority # 1.
    BUT.... nothing is fail safe.
    Have not heard of, or investigated these.
    Never seen this mentioned at any of my institutions (don't know what it entails) but will ask. Is it similar to generating virtual credit cards #s?
    Good question - probably varies w/ ea institution.

    Everyone's suggestions are sound & useful.
    With assumption that these good practices are followed, still trying to figure out safest way to store & be able to enter them more easily than typing by hand. For actual login PWs, only ways I know of other than typing, once an encrypted file or PW safe is opened, are copy & paste or use auto type in a PW mgr like PW Safe.

    AFAIK, auto typing w/ prgm like Password Safe is no riskier than typing - maybe less risk. Don't know if manually typing w/ a keyscrambler is any safer than auto typing.

    Assuming something DOES get past my security, would there be a preferred way to store, retrieve & enter the master pass phrase to open a PW safe (DB) - other than just typing (a long) master PW using a keyscrambler, that MIGHT reduce risk, if only a little?

    Thanks.
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    One word of caution with Password Safe is that it uses the clipboard. And there are clipboard sniffing nasties that one can catch on a PC.

    This was one thing that attracted me to KeePass (1.x NOT 2.x.) You do not have to use the clipboard to place your username and password into the browser. Drag and drop works fine (whenever I've checked after using KeePass, the clipboard is empty.) (Drag and drop with Opera is an exception here and one reason why I will never seriously use Opera.) Copy and paste (which Password Safe uses) is available on KeePass but I have never needed or used it with IE or FF.

    In my case, I keep my KeePass databases on a flash drive. They are natively encrypted as part of the KeePass app and they are not clearly identified by file name as to what they are.

    http://www.keepass.info/features.html
     
  6. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Thanks Han,

    May be wrong, but don't THINK PW Safe uses the clipboard when using Auto Type. Will double check. Wouldn't really make sense for it to use clipboard when auto typing.

    If opt to manually use PW Safe's "copy user name / PW to clipboard" function or other manual copy methods, then you are right.
     
  7. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Nothing is 100 % fail safe, but a lot of things are "safe enough." I like to call it a state of affairs where "you theoretically could be compromised, but in reality almost certainly won't be."

    How can the bad guys capture your passwords on your system? They need to log keyboard, clipboard and other activity. It won't really matter much if you use an encrypted file to store your passwords on a removable media, because sooner or later you will need to use the password, and you will decrypt it and enter it into a login dialog in some way - all of which can be monitored - and that's when the bad guys will be able to capture it in spite of all encryption. That is, if they have been able to install malicious software on your system to do all of this. If you can prevent that, that ends your worries. No other method beyond preventing installs of malicious software is a solution here. Mitigation, perhaps, but not a solution. If you're going to deal with sensitive data, the systems that you use have to be clean.

    How do I deal with financial passwords and such? I just type them in the login prompts like anything else, unless they are really long (and I mean really long) in which case I will copy-paste through plain old Windows clipboard. No key scramblers, no nothing. Never been compromised, because I try not to let malicious software on the system to steal my passwords. :)

    One thing that you could do, if you are so inclined, is to use a virtual keyboard to type passwords with the mouse, although that is really quite boring to do. And if you are so inclined, you could keep an eye out on hardware keyloggers, but if your physical security is ok, those are extremely unlikely to ever appear.

    If you are so wealthy you believe yourself to be a particularly interesting target, then you could arrange with your bank that they will require your personal confirmation for any significant transfers etc. Any decent bank will be able to advise you about this (if they think you're worth it).

    But even us regular folks can do all kinds of clever stuff with the bank - such as having the bank limit the amount of transfers that can be done, their size, and such, and agreeing that any personal data such as account ownership or owner's contact details cannot be changed without your personal visit, in the flesh, to the bank. You can make sure that the bank keeps an eye out on suspicious events, and informs you, and that you have a quick way of informing them of any possible security breach. And like others suggested, find out who is responsible for any losses caused by someone stealing your password - you, or the bank, or an insurance company?

    It is very easy to get paranoid about these things, but it doesn't do any good. Just make sure that malware doesn't easily get to execute on your system, use your head, and you're set. :)

    Of course, you could use all kinds of tricks if you want to go through a lot of trouble. You could even use two computers: one computer only for financial stuff, and one for everything else. Obviously you could lock the "secure" computer up much more tightly than the other, since all you need to be able to do there is run the OS and the web browser. Another thing that some people do is dual boot one computer - one OS for "insecure stuff", and one for "financial activity." Some boot from a clean DVD. Many ways to do this kind of thing, but really, does the risk warrant the effort?
     
    Last edited: Jun 24, 2009
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Perhaps LastPass plus YubiKey might be what you're looking for.

    Apparently YubiKey also works with Password Safe.

    P.S. I haven't used YubiKey personally. I do use LastPass and KeyScrambler though.
     
  9. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    #1
    A one-time card ( in my definition ) is a physical card sent to you by your bank.
    It will have 2 lists of numbers , No and Code.

    so
    1 -> 7654
    2 -> 3998

    So banks asks for Code corresponding to No 1 to be input if I want to transfer money to a new a/c.

    2#
    The Physical device is something companies use so people can log-on the work pc.
    Basically it displays a code you need to type in when your logging to your pc.
    smart thing is that the code is changed every 30 secs and is synchroinzed with the companies server.

    3#
    One good suggestion regarding confusing keyloggers is to type a very long password in, and then delete the end of it
    using the delete key.

    A keylogger has lots of limitations on what it can do, and this attacks one of them.


    #4
    But basically my position on banking is the same as an earlier poster , in terms of judging it in terms of effort vs risk.

    personally I aim for "being safe enough" :)
     
  10. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    That YubiKey looks very interesting though :))
     
  11. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Thanks for replies. Have to read up on Yubikey. Usually, devil's in the details.

    Joeythedude,
    Is "one time card" literally good for ONE use?
    If so, wouldn't be convenient for me cause I move $ around often.
    But, I will investigate.

    Sounds like from all input, other than being assured no malware is on a system (not 100% possible), safest way is what I've been doing. Don't store PWs, acct #s on your machine or load them. Type them in using a keyscrambler. More troublesome, but safer.

    Windchild,
    Thieves aren't necessarily looking to hack a bank acct to drain $1000's - more often looking to steal identity, CC #s, etc. Most are unaware of how long & how much trouble it is to straighten out everything when their identity's stolen. There's a reason the phrase, "An ounce of prevention is worth a pound of cure," was coined.

    How bad could it be - right? I worked as an intern in oil fields. Raoul & his buddies decided to catch a young, wild ferret that went in a pipe. It was just an itty bitty thing. Let's just say Raoul's heavy gloves were no match for the ferret.:D
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You could instead boot with a live cd such as Knoppix, to be reasonably sure of having no malware present. During the live cd session, open up a web browser and go to lastpass.com and log into your LastPass account, which will then let you automatically log into your other sites with a single click.
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    No there are 100 codes on my card so lasts for years at the rate I use it .Its only needed by my bank if you transfer money to a new account or add a new credit card , things like that.
     
  14. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Indeed prevention is far better than anything else. And prevention means preventing malicious executables that might want to steal your passwords from running - no other measure will be adequate. There are many ways to make it extremely difficult for malicious executables to run on the system, such as using a limited user account with a default-disallowed software restriction policy or using some of the many third party softwares that provide execution protection. :) And most importantly, of course, do not bypass your own protections by executing software that you do not know is safe.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You could use Kyps.net to log into websites on your untrusted operating system without ever revealing the passwords to the untrusted operating system. When you are generating the Kyps.net one-time codes, use an environment that has a high probability of being malware-free, such as booting from a live CD such as Knoppix.

    I'd also like to note that some password managers such as LastPass have onscreen keyboards for entering the master password, and also one-time passwords.
     
  16. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Really been some good replies on this topic. It's a big concern for a lot of people. Problem, as always, is keeping one step ahead of the crooks.

    Re: Who's liable for online financial security breaches?
    Some (many) bank / CC sites online TOS, specifically state they aren't responsible if someone steals your PW & accesses your acct. May be "boiler plate" language... Sure make it seem like most all financial institutions are REALLY hawking their convenient online services, but then put in fine print, "use them at your own risk."
    How does using virtual keyboard differ vs a keyscrambler? I.E., what type malware / methods would one give some protection against vs the other?

    Re: physical security. I use Kaspersky IS, always up to date. Supposed to be one of best, but again, nothing's foolproof. Have Vista x64 that offers SOME protection in certain areas, but not from stealing PWs. And I always use KeyScrambler (works on FF & IE) when logon important sites.

    Bottom line - was always apprehensive storing financial PWs in any way on PC, cause as many said, once open the "vault", IF malware got by security, possible it could steal it. Unlikely it could bypass KIS outbound, but still... That said, never found any malware on system, but DON'T want 1st time to involve stealing financial info.
     
  17. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    This is a good short article on what a keylogger is trying to do/how it has to work.

    http://www.pcdoctor-guide.com/wordpress/?p=3717

    So can do this on your home pc too of course.

    I found another really good article on using a public pc , as well , but can't find it now.
     
  18. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Thanks for the link. Interesting - if not time consuming method.

    Not sure the method is any better than a good keyscrambler?

    Noticed the post on PC Doctor was closed to comments??

    Sadly, my hope of finding way to use some auto entry method that had at least keyscrambling capability haven't materialized. I have never seen documentation for any PW mgrs as to when they auto type user names / PWs, could characters be captured.

    AFAIK, none use keyscrambling of their own, & KeyScrambler for FF / IE doesn't support PassWord Safe. Not sure about other PW mgrs or other key scramblers.
     
  19. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Personally, I think you're looking at the problem in the wrong way. That is to say, you're thinking of ways of stopping a malware from stealing your passwords when the malware is already on your system - a difficult and perhaps impossible task depending on what malware you face - when you should be thinking of ways of stopping a malware from infecting your system in the first place - preventing malware infections is much easier than preventing malware from doing very simple things like password stealing when malware is already active within a system. It's like a military scenario where some lilliput-country general is thinking "What can I do with my three thousand guys and one obsolete tank to stop the entire US military from bombing us to the stone age once they've completely surrounded us and we've pissed them off really badly" when he should be thinking about "How can I avoid pissing off the US military so they won't even want to bomb us to the stone age?" :)

    If you have an active keylogging malware on your system, then there is no surefire, 100 % foolproof way to prevent it from stealing your passwords. There just isn't one. If the malware is active, then there is always a possibility that it may steal your passwords, even encrypted ones, once you decrypt them and use them. It doesn't matter whether you store the passwords on the system or not - as long as you use the passwords in any way through that system, as in use the system to browse a website where you then enter one of the passwords, a malware active on your system may steal the password, even if you never actually store the password on the system in an encrypted file or otherwise. There is no going around this. One may take measures to make things harder for keyloggers, but there is no idiot-proof method of protecting your passwords if you allow a keylogger to infect your system. By far and obviously the best approach is to do everything you can to avoid being infected in the first place, in which case you can stop worrying and use your passwords without fear they might be stolen at any time.

    To prevent malware from installing at all, I would suggest an approach that includes using a limited user account, a firewall, a browser that allows you to control scripting and plugins for each site (so you can disable such things globally, but enable them for some chosen, trusted sites), and some form of reliable execution protection to prevent unauthorized executables from running. From XP onwards, Windows includes Software Restriction Policies that are excellent for this purpose - only available on the 'professional' versions, though. On this subject, this forum has many discussions elsewhere, and a wealth of information should be easy to find. The idea, in any case, should be to make it nearly impossible for malicious software to execute on your system in the first place. That, of course, requires much from the user, as well, so the user must take care to not execute anything that is not completely trusted. You could, for example, use one limited user account to do your normal browsing and email and such, and if you feel paranoid, use a different limited user account for those financial matters, and nothing but those financial matters. In this way, even if your "normal use" account became infected with a keylogger, your "financial use" account would not be, and would be safe.
     
  20. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    Some good points.
    There is ONE small factor that complicates things for me & many... begins w/ wi and ends w/ fe.
    I'm already doing many things to prevent infections, as in avoiding IE & Outlook like the plague.

    Unfortunately, most users & I don't have the Pro versions.
    Even so, MS is always several steps behind hackers for most all products, not just Windows. And they're not always quick releasing patches. Mozilla finds lots of holes, they just issue fixes much faster.

    Perhaps... I'm going under the assumption it's impossible to guarantee 100% no malware will get by the most secure system. Also, IF malware stole / captured financial PWs, regardless of HOW, it could be disastrous.

    Really? This is interesting. Is that absolutely accurate? If one limited user acct gets infected, others CANNOT be affected, or just less likely to be?

    Suffice it to say for now, won't be storing important PWs, then unencrypting them to use, even though I'm extremely careful about security & never found malware. Must be doing something right.

    What is needed for the "avg user" is a PW mgr that STILL has the PWs encrypted once the DB is opened, & then auto types them using keyscrambling, straight from encrypted form to keyscrambled form, or some variation thereof. Or once the DB is open, PWs are scrambled (if not encrypted), & when it auto types them, it uses keyscrambling AGAIN. I admit, don't know if this is remotely possible now, but imagine one day it will be.
     
  21. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That assumption is certainly a wise one - it is never possible to guarantee that a system is impenetrable, as long as the system is running and used in any way. This type of thinking should lead to further revelations, though: it is impossible to make any usable system 100 % safe from malware, but it is even more impossible still to prevent malware already active on a system from stealing passwords that are used in the context of the account the malware is running in. Or in short, I'm trying to point out that it's a lot less impossible to prevent all malware from ever infecting your system than it is to prevent malware from stealing your passwords in a scenario where the malware is already running on the system. So, the highest security is achieved by concentrating on not letting the malware execute in the first place.

    Short answer is "yes", but unfortunately the long answer is "maybe". As we know, there aren't really many absolutes in life. Assuming that Windows is running with the default settings (or settings more strict than default) from Microsoft with regard to access rights different user account types have, and assuming the file system is NTFS, and assuming no privilege escalation occurs either through user screwup (executing something with admin rights, poof, system wide infection) or a vulnerability in the operating system (it happens, but rare are the cases where someone actually exploits a privilege escalation vulnerability on a Windows system, since the general assumption is that everyone is already admin anyway), then yes, it is accurate.

    Or, in other words, if one limited user account is infected, other limited user accounts absolutely cannot be infected in any way unless
    - the file system is a FAT one, so file permissions are not supported and limited users can easily replace/modify/infect system files
    - the file permissions or user privileges have been changed into insecure ones, by a user with admin rights or by the builder of the system (some big name OEMs seem to love doing this, although less these days than some years ago)
    - the user knows the admin password and executes the malware as admin, at which point malware can do anything it could possibly want to any user account and the entire system
    - the malware uses a privilege escalation vulnerability to get admin rights, and so infects the whole system. This is very unlikely. Very.

    In real life, limited user accounts are generally extremely safe from modification/infection by other limited user accounts. In your case, you could set up a different limited user account for your wife, and not give her the admin password, and that way she wouldn't be able to infect any other accounts on the system. Just make sure the file system is NTFS, keep up with Windows patches (for those privilege escalation vulnerabilities, among others), confirm that file permissions are as they should be (lots of material on this on the net - limited users should not have write access to folders such as Windows or Program Files, except from a few debug/temp locations, depending on the Windows version) and do not give the admin password to any user that is likely to execute untrusted programs. And then you're set. At that point, the only way for one limited user account to infect another would be by using a privilege escalation vulnerability, and the counter to that is keeping Windows patched and keeping the malware off your system by pre-emptive measures like execution protection and even plain-jane anti-malware products.

    Limited user accounts are an extremely underrated thing. In the Windows world, that is. On the Unix side of things, anyone who would run as root/admin while browsing the net or other such things would be called "nuts". :D
     
  22. fred82

    fred82 Registered Member

    Joined:
    Jul 15, 2009
    Posts:
    1
    Here's what you could do, try Billeo. It's a free toolbar that helps manage passwords, pay bills and shop online. I've been using it for a year now. Billeo stores all of my passwords and info on my own machine, so I’m not worried much about billeo losing my credentials.The other thing is that billeo is VeriSign and Truste certified - which means data is safe and secure. I recently downloaded their Firefox 3.5 compatible add-on. https://addons.mozilla.org/en-US/firefox/addon/12715. Works for me!
     
Loading...
Thread Status:
Not open for further replies.