Author Topic: Possible Solution To Keyloggers  (Read 6779 times)

Offline luckybit

  • Hero Member
  • *****
  • Posts: 2921
    • View Profile
  • BitShares: Luckybit
why would 2FA not be worth adding immediately as an option on login, to reduce keylogger threat?

If by 2FA you mean something like Google Authenticator with one time use passcodes, that's a solution for authenticating a trusted user to a trusted server resisting eavesdropper playback attacks, if the concern is that the system on which the wallet resides may be compromised it doesn't really help.

We already have technical 2 factor authentication, with the wallet file being one factor and the password being the other.  You need both factors to use the wallet.

A multisig wallet with multifactor authentication is probably the best option.
Next to that then firmware for Trezor.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline luckybit

Wouldn't it be like 2FA?

You can do an implementation of SQRL which is probably the best way to go about it but no one has tried it yet. Maybe it could work?

https://www.grc.com/sqrl/sqrl.htm

Offline luckybit

How about letting users log in using a QR code?

Like this:



Click the QR code, camera window pops up letting the user input the password via a QR code. It's optional so it won't put up any extra barriers for the average user. This way I can use a very secure password, not have to remember it and not worry about keyloggers. I know it's technically possible to log video but this would at least make it somewhat harder for a hacker to go under the radar.

But then who develops the cellphone or smartphone app? Or are you talking about two-factor using Google Authenticator?

I think we do need stuff like this but I think it should be from Trezor technology rather than smart phones.

Offline arhag

  • Hero Member
  • *****
  • Posts: 1214
    • View Profile
    • My posts on Steem
  • BitShares: arhag
  • GitHub: arhag
Yeah, isolated offline device only makes sense to secure large balances, not every day use funds.

Well then in addition to the password you keep in your head, you better also keep that offline device safely stored in your home (preferably in a waterproof bag put inside a safe). Or just use a paper (doesn't have to be actual paper) backup with an offline computer booting a live Linux environment and save the cost of the extra specialty device.

Better yet use secret sharing to do an M of N split of the multisig backup key and give it to your friends and family. A burglar who steals your laptop and brute forces your client password (or was working with a hacker who had been keylogging your computer) still won't have the other multisig key to steal your cold storage funds because you didn't keep it on a piece of paper in the same home that was broken into. Then you get a backup of your encrypted wallet root key from your cloud storage provider (or alternatively again an M of N shared secret split of the encrypted key kept by friends and family), and you get the M fragments of the other multisig key from friends and family, and that gives you access to your funds.

Anyway, the point is multisig allows for so many interesting possibilities. I can't wait until it is fully implemented.


Offline Troglodactyl

  • Hero Member
  • *****
  • Posts: 960
    • View Profile
I think the ideal with that would be to use multisig with the additional key hosted on an isolated offline device.  To get it done without any specialized hardware you could use a phone in permanent airplane mode as the secure device and communicate the unsigned transaction to it and the signed transaction back from it with QR codes.

I don't know about that. Carrying around a separate device in addition to my regular smartphone just to secure payments for an account with a small balance anyway? Sounds inconvenient. It better be a small balance because otherwise if you get mugged the criminal can take your device (and if it has some password protection, the criminal can demand and test your password while holding a gun to your head). It seems the only benefit you would get is that the third party company wouldn't be able to data mine when and how much I paid for various purchases throughout the day (although I don't think they would need to know which accounts the payments were sent to).

The other compromise would be to have a "wallet account" funded up to say $100 per day that isn't protected by multisig and that you use to make your daily purchases before resorting to the multisig protected balances. If your device gets hacked, you only lose up to $100 or so. Then moving money from your multisig protected balances to the wallet account could be done in lump sums to protect the privacy of your individual purchases (but obviously not your average daily spending history). Although if the third-party company really wanted to data mine your spending habits, they probably still could to some degree with blockchain analysis and monitoring suspected change addresses.
Yeah, isolated offline device only makes sense to secure large balances, not every day use funds.

Offline arhag

I think the ideal with that would be to use multisig with the additional key hosted on an isolated offline device.  To get it done without any specialized hardware you could use a phone in permanent airplane mode as the secure device and communicate the unsigned transaction to it and the signed transaction back from it with QR codes.

I don't know about that. Carrying around a separate device in addition to my regular smartphone just to secure payments for an account with a small balance anyway? Sounds inconvenient. It better be a small balance because otherwise if you get mugged the criminal can take your device (and if it has some password protection, the criminal can demand and test your password while holding a gun to your head). It seems the only benefit you would get is that the third party company wouldn't be able to data mine when and how much I paid for various purchases throughout the day (although I don't think they would need to know which accounts the payments were sent to).

The other compromise would be to have a "wallet account" funded up to say $100 per day that isn't protected by multisig and that you use to make your daily purchases before resorting to the multisig protected balances. If your device gets hacked, you only lose up to $100 or so. Then moving money from your multisig protected balances to the wallet account could be done in lump sums to protect the privacy of your individual purchases (but obviously not your average daily spending history). Although if the third-party company really wanted to data mine your spending habits, they probably still could to some degree with blockchain analysis and monitoring suspected change addresses.


Offline Troglodactyl

I agree with arubi here. If users start depending on any particular method to input their secret to access their funds, hackers will eventually design trojans to exploit it. Once your OS is compromised you cannot rely on fancy methods of entering your secret into the computer. That will just give users a false sense of security.

This is why multisig is essential. Let the hacker see the funds in your main account, they still won't be able to steal all of your money since the third-party company holding one of the three keys for multisig won't allow a huge transfer of wealth in a 24 hour period without further verification. You could establish your own limits, for example: if less than $100 will be moved today and other limits haven't been reached, then sign as long as my account has already signed the transaction; if greater than $100 will be moved today or greater than $250 will be moved in the last three days, then require a two-factor authentication code that is only accessible from my smartphone; if greater than $3,000 will be moved in the last week, then have an employee call me on the phone, verify I am the one speaking (by comparing to a previous recording of me), and have me confirm that I want to make the transaction; if greater than $20,000 will be moved in the last week, then require that I come to the nearest facility in person to verify my identity using biometrics and confirm I want to make the transaction.

Multisig is definitely the key.  I'm not sure if I'd use a third party company, but I'd love to have the option and I'm sure it would be popular.  Multisig support drastically increases both security and business flexibility with escrow and dynamic payments.

Offline Troglodactyl

why would 2FA not be worth adding immediately as an option on login, to reduce keylogger threat?

If by 2FA you mean something like Google Authenticator with one time use passcodes, that's a solution for authenticating a trusted user to a trusted server resisting eavesdropper playback attacks, if the concern is that the system on which the wallet resides may be compromised it doesn't really help.

We already have technical 2 factor authentication, with the wallet file being one factor and the password being the other.  You need both factors to use the wallet.
Yeah, technically wallet file + password is two required inputs, but having a hardware keyotee identification token that I can physically plug into a USB stick whenever I'm performing an action in the wallet would increase the security massively. Yubikeys also have NFC support, so if we had something similar, you'd be able to only unlock say a mobile wallet if the NFC token is in your hand that's holding the mobile phone.

I think the ideal with that would be to use multisig with the additional key hosted on an isolated offline device.  To get it done without any specialized hardware you could use a phone in permanent airplane mode as the secure device and communicate the unsigned transaction to it and the signed transaction back from it with QR codes.

Offline arhag

I agree with arubi here. If users start depending on any particular method to input their secret to access their funds, hackers will eventually design trojans to exploit it. Once your OS is compromised you cannot rely on fancy methods of entering your secret into the computer. That will just give users a false sense of security.

This is why multisig is essential. Let the hacker see the funds in your main account, they still won't be able to steal all of your money since the third-party company holding one of the three keys for multisig won't allow a huge transfer of wealth in a 24 hour period without further verification. You could establish your own limits, for example: if less than $100 will be moved today and other limits haven't been reached, then sign as long as my account has already signed the transaction; if greater than $100 will be moved today or greater than $250 will be moved in the last three days, then require a two-factor authentication code that is only accessible from my smartphone; if greater than $3,000 will be moved in the last week, then have an employee call me on the phone, verify I am the one speaking (by comparing to a previous recording of me), and have me confirm that I want to make the transaction; if greater than $20,000 will be moved in the last week, then require that I come to the nearest facility in person to verify my identity using biometrics and confirm I want to make the transaction.
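
The tiered limits listed in this post, written as the decision a co-signing service would make before adding its signature. This is an added example, not part of the original post or any BitShares code; the names (`Check`, `LIMITS`, `required_check`), the integer day numbering, and treating a total exactly at a limit as not exceeding it are assumptions.

```python
from enum import IntEnum

class Check(IntEnum):
    COSIGN = 0       # sign automatically once the owner's key has signed
    TOTP = 1         # require the two-factor code from the owner's smartphone
    PHONE_CALL = 2   # an employee calls the owner and confirms by voice
    IN_PERSON = 3    # owner verifies identity at a facility

# (window in days, USD limit, verification required once the limit is exceeded)
LIMITS = [
    (1, 100, Check.TOTP),
    (3, 250, Check.TOTP),
    (7, 3000, Check.PHONE_CALL),
    (7, 20000, Check.IN_PERSON),
]

def required_check(history, amount, today):
    """Return the strictest verification the proposed transfer triggers.

    history: list of (day_number, usd) transfers the service already co-signed.
             It must come from the service's own records, never from the
             (possibly compromised) client that is asking for a signature.
    amount:  USD value of the proposed transfer.
    today:   current day number, same scale as the history entries.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    level = Check.COSIGN
    for window, limit, check in LIMITS:
        # Sum what already moved inside this window (today counts as day 0).
        moved = sum(usd for day, usd in history if 0 <= today - day < window)
        if moved + amount > limit:
            level = max(level, check)
    return level

if __name__ == "__main__":
    # Constructed history: $120 yesterday, $100 two days ago.
    past = [(9, 120), (8, 100)]
    print(required_check(past, 40, today=10).name)     # three-day total is $260
    print(required_check([], 25000, today=10).name)
```

Every rule is evaluated against the running total including the new transfer, so malware that splits one large withdrawal into many small ones still crosses the same thresholds.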


Offline cryptillionaire

  • Full Member
  • ***
  • Posts: 153
    • View Profile
why would 2FA not be worth adding immediately as an option on login, to reduce keylogger threat?

If by 2FA you mean something like Google Authenticator with one time use passcodes, that's a solution for authenticating a trusted user to a trusted server resisting eavesdropper playback attacks, if the concern is that the system on which the wallet resides may be compromised it doesn't really help.

We already have technical 2 factor authentication, with the wallet file being one factor and the password being the other.  You need both factors to use the wallet.
Yeah, technically wallet file + password is two required inputs, but having a hardware keyotee identification token that I can physically plug into a USB stick whenever I'm performing an action in the wallet would increase the security massively. Yubikeys also have NFC support, so if we had something similar, you'd be able to only unlock say a mobile wallet if the NFC token is in your hand that's holding the mobile phone.

Offline Troglodactyl

why would 2FA not be worth adding immediately as an option on login, to reduce keylogger threat?

If by 2FA you mean something like Google Authenticator with one time use passcodes, that's a solution for authenticating a trusted user to a trusted server resisting eavesdropper playback attacks, if the concern is that the system on which the wallet resides may be compromised it doesn't really help.

We already have technical 2 factor authentication, with the wallet file being one factor and the password being the other.  You need both factors to use the wallet.

Offline bobmaloney

If bitshares were one of the first to incorporate SQRL (wouldn't this work beautifully with KeyID?), it would be yet another feather in the cap.
"The crows seemed to be calling his name, thought Caw."
- Jack Handey (SNL)

Offline pgbit

  • Sr. Member
  • ****
  • Posts: 241
    • View Profile
why would 2FA not be worth adding immediately as an option on login, to reduce keylogger threat?

Offline rysgc

  • Sr. Member
  • ****
  • Posts: 289
    • View Profile
    • DACZine.com
Although it's a good idea at this stage it doesn't really matter. Like someone stated before, if your computer gets compromised the attacker waits until you're logged in, transfers all your BTSX and logs off.

Offline arubi

  • Sr. Member
  • ****
  • Posts: 209
    • View Profile
Not sure how this helps.
If your computer is compromised, it won't matter how strong your password is or how you input it...

It definitely matters how you input the password. If my computer is compromised with a keylogger and the hacker gets my wallet file, he still won't be able to access it due to the wallet being secured with a strong password.


If someone can run a keylogger on your computer, he can certainly run anything else like software to capture images from the camera.


Anyway, he doesn't even need to do that. Once the wallet is in an unlocked state, he can just transfer any funds to his own account.

This isn't how hacking works. The hacker doesn't literally have complete control over your computer (in most all real world cases). The malicious code would likely:

a) Search for and send the wallet .json file.
b) Log keystrokes and send log every X days.

While it's technically possible to log video, it's nowhere near as common or easy to do.

All that aside though, using a QR code to log in would at the very least allow me to input a strong 100 character password in a user friendly way.


This is how "hacking" works today:


http://en.wikipedia.org/wiki/Remote_administration_software


It's in no way harder or less common to spy on a webcam than to log the keyboard.
I agree a QR code can help you input a strong 100-character password, but password strength is used against brute force attacks. Not against a hacker already in control of your setup.