Monday, September 19, 2005

The clack of keystrokes as passwords fly

Gone phishing, clickety-clack--
You may have noticed that you are getting some really clever e-mails that look exactly like messages from banks or payment websites notifying you that your account is in trouble and you need to log onto a URL and fix it. In almost all cases, that’s phishing, phony messages designed to get private information people can use to do you harm. Much of the time you can dismiss it with a laugh, especially when you get notice from a bank you never had an account with. Sometimes you are not so sure. The latest ones are visually indistinguishable from real messages. The best thing to do is ignore the message or contact the website through the usual method and check support. I just did that with three phish messages from “PayPal,” which Paypal never sent. Last month it was “EBay.” Most of these sites have e-mail addresses you can forward messages to to check out, for instance, Also, it appears, enough people are catching on that the number of phishing expeditions has dropped 90% in August, but that is still 1.84 million messages. I’ve had about a dozen.

Some sites will now send the last several letters of your account in legitimate mail, something phishers wouldn’t know. Others will tell you what language they use in real messages and what to look for. It seems to be working.

So, we can worry about something else [SJ Mercury-News, registration required] like someone tuning into the sound of your keystrokes while you punch in your password. Actually, the government has long had the ability to do that to some extent, but now a researcher at Berkeley has made it available to one and all. Plug a $10 microphone into a laptop running speech recognition software and a spellchecker, and you are in business. Li Zhuang, a grad student in computer science, and her teammate were able to associate the sound of individual keys on a keyboard with specific letters and figure out what was being written with 95% accuracy. Zhuang got her idea from research being done at IBM, which was able to decipher the sounds of single keystrokes on the same keyboard by the same typist. She wanted to see if that would work in general. Apparently so.

It’s not clear why the sound of my typing a b on my keyboard is different from my typing an n, but it is. How serious is all this? Some experts point out there are lot easier ways of getting someone’s password. Also, with the right software, you don’t actually need to put in your password through the keyboard. For instance, on a Mac, once you type in a password it is stored in a program called Keychain and whenever you call up a website requiring a password, it enters it without any typing. I do it with my bank daily. I suspect there are similar systems for Windows.

I wonder if loud music works?

No comments: