What I want to know is whether this device is real or is the message a hoax? Since the website belongs to CDAC, I was not sure.
You can buy it here: http://www.thinkgeek.com/gadgets/security/c49f/ (and probably Ebay / Amazon etc) or make one on your own using an AVR / PIC microcontroller. (I'll do it as a summer project if someone will sponsor it :D )
So yes, looks real to me ;)
Surya
On Sunday 13 June 2010 02:05 AM, Surya Sharma wrote:
What I want to know is whether this device is real or is the message a hoax? Since the website belongs to CDAC, I was not sure.
You can buy it here: http://www.thinkgeek.com/gadgets/security/c49f/ (and probably Ebay / Amazon etc) or make one on your own using an AVR / PIC microcontroller. (I'll do it as a summer project if someone will sponsor it :D )
Thanks for the link. This looks more like an espionage device than a general logging device. As mentioned before, if an organisation or a cyber cafe wants to log keystrokes they can do it properly using the software and networking way. This device is for those who do not own the system or cannot access it directly and want to extract a record of key strokes without the owner knowing about it. So CEOs, MDs, head honchos, managers and computer owners need to watch out for these devices in their systems. Their employee might be watching them, not vice versa.
On Sun, Jun 13, 2010 at 10:15 AM, Rony gnulinuxist@gmail.com wrote:
strokes without the owner knowing about it. So CEOs, MDs, head honchos, managers and computer owners need to watch out for these devices in their systems. Their employee might be watching them, not vice versa.
That is the precise reason why banking websites have a virtual keyboard to enter your passwords.
Regards, NMK.
On Sunday 13 June 2010 12:29:38 Nadeem M. Khan wrote:
On Sun, Jun 13, 2010 at 10:15 AM, Rony gnulinuxist@gmail.com wrote:
strokes without the owner knowing about it. So CEOs, MDs, head honchos, managers and computer owners need to watch out for these devices in their systems. Their employee might be watching them, not vice versa.
That is the precise reason why banking websites have a virtual keyboard to enter your passwords.
I wonder how many people use it? I don't.
On Mon, Jun 14, 2010 at 11:43 AM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
On Sunday 13 June 2010 12:29:38 Nadeem M. Khan wrote:
That is the precise reason why banking websites have a virtual keyboard to enter your passwords.
I wonder how many people use it? I don't.
I do with HDFC NetBanking.
-- Arun Khan
On Monday 14 June 2010 12:03:03 Arun Khan wrote:
That is the precise reason why banking websites have a virtual keyboard to enter your passwords.
I wonder how many people use it? I don't.
I do with HDFC NetBanking.
even on your personal laptop/machine?
I do with HDFC NetBanking.
even on your personal laptop/machine?
Why not! If you are on Wifi...
Warm Regards,
Mukund Deshmukh, Beta Computronics Pvt Ltd, 10/1, IT Park, Parsodi, Nagpur -440022, INDIA.
Meet us at - K2010, Booth No. 12C40, Düsseldorf, Germany.
On Mon, Jun 14, 2010 at 8:21 PM, Mukund Deshmukh mukund.deshmukh@gmail.com wrote:
I do with HDFC NetBanking.
even on your personal laptop/machine?
Why not! If you are on Wifi...
Precisely! Even though the connection is encrypted it is better to be safe than sorry.
-- Arun Khan
On Tuesday 15 June 2010 10:18:22 Arun Khan wrote:
On Mon, Jun 14, 2010 at 8:21 PM, Mukund Deshmukh mukund.deshmukh@gmail.com wrote:
I do with HDFC NetBanking.
even on your personal laptop/machine?
Why not! If you are on Wifi...
Precisely! Even though the connection is encrypted it is better to be safe than sorry.
I find hdfc a bit too paranoid. One cannot store the password or the username, but has to type it every time - and every now and then a new password is demanded - and one cannot use the last three passwords used. As a result, I find it very difficult to remember the password.
and tataindicom is totally messed up - on forgot password they ask 'mother's maiden name' - and there are two fields to be filled - 'hint question' and 'hint answer' - hint answer I know, but what is hint question?
and axis bank has a funny system of verifying some payments - you are supposed to get an sms with a pin number. This is supposed to come within a minute - at peak hours it takes longer than a minute, by which time the site times out, so everything has to be repeated.
and facebook - these guys have suddenly discovered that my email id - which I have been using for the past 15 years - does not exist!
On 15-Jun-2010, at 10:32 AM, Kenneth Gonsalves wrote:
On Tuesday 15 June 2010 10:18:22 Arun Khan wrote:
On Mon, Jun 14, 2010 at 8:21 PM, Mukund Deshmukh mukund.deshmukh@gmail.com wrote:
I do with HDFC NetBanking.
even on your personal laptop/machine?
Why not! If you are on Wifi...
Precisely! Even though the connection is encrypted it is better to be safe than sorry.
I find hdfc a bit too paranoid. One cannot store the password or the username, but has to type it every time - and every now and then a new password is demanded - and one cannot use the last three passwords used. As a result, I find it very difficult to remember the password.
That is not paranoid. It's standard corporate security practice. The password has to be changed every 6 months (many corporates ask for it to be done every month). They know most users will not bother to change passwords unless forced.
and tataindicom is totally messed up - on forgot password they ask 'mother's maiden name' - and there are two fields to be filled - 'hint question' and 'hint answer' - hint answer I know, but what is hint question?
LOL. I write down the question and answers for key items and keep it in record. More for my banking info of course.
and axis bank has a funny system of verifying some payments - you are supposed to get an sms with a pin number. This is supposed to come within a minute - at peak hours it takes longer than a minute, by which time the site times out, so everything has to be repeated.
Many banks follow this practice. It's called 2-token authentication. It ensures that if someone has seen your password, he can't still get in unless he has flicked your phone too. (in which case, he deserves to get your money, me thinks). But once the password is sent to your phone, it's valid for 4 hours or 1st use whichever earlier. With both kotak and Standard Chartered (and earlier with yes bank), the sms generally came in 2-5 min.
and facebook - these guys have suddenly discovered that my email id - which I have been using for the past 15 years - does not exist! -- Regards Kenneth Gonsalves Senior Associate NRC-FOSS at AU-KBC -- http://mm.glug-bom.org/mailman/listinfo/linuxers
On Tuesday 15 June 2010 10:45:02 Saswata Banerjee & Associates wrote:
Many banks follow this practice. It's called 2-token authentication. It ensures that if someone has seen your password, he can't still get in unless he has flicked your phone too. (in which case, he deserves to get your money, me thinks). But once the password is sent to your phone, it's valid for 4 hours or 1st use whichever earlier. With both kotak and Standard Chartered (and earlier with yes bank), the sms generally came in 2-5 min.
in axis bank it is only valid for the current session.
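As an added example (not code from any poster or bank in this thread), a sketch of the two SMS code lifetimes described above: valid for 4 hours or first use, whichever is earlier, versus valid only for the session that requested it. The class name, the 6-digit code and the failed-guess limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

FOUR_HOURS = 4 * 60 * 60   # validity window quoted in the thread
MAX_FAILURES = 5           # assumed guess limit, not from the thread

class SmsOtpStore:
    """Server-side record of one pending SMS code per user (in memory here)."""

    def __init__(self, ttl=FOUR_HOURS, bind_to_session=False, clock=time.time):
        self.ttl, self.bind_to_session, self.clock = ttl, bind_to_session, clock
        self._pending = {}

    @staticmethod
    def _digest(user, code):
        # Store a digest so the pending table never holds the code itself.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user, session_id):
        code = f"{secrets.randbelow(10**6):06d}"   # assumed 6-digit code
        self._pending[user] = {
            "digest": self._digest(user, code),
            "expires_at": self.clock() + self.ttl,
            "session": session_id,
            "failures": 0,
        }
        return code   # would be handed to the SMS gateway

    def verify(self, user, session_id, code):
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self.clock() >= entry["expires_at"] or entry["failures"] >= MAX_FAILURES:
            del self._pending[user]        # expired or guessed at too often
            return False
        if self.bind_to_session and session_id != entry["session"]:
            return False                   # code belongs to another session
        if not hmac.compare_digest(entry["digest"], self._digest(user, code)):
            entry["failures"] += 1
            return False
        del self._pending[user]            # first use consumes the code
        return True
```

With `bind_to_session=True` a code delivered after the web session has timed out is useless, which is the repeat-everything behaviour complained about earlier in the thread.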
On 15-Jun-2010, at 11:07 AM, Kenneth Gonsalves wrote:
On Tuesday 15 June 2010 10:45:02 Saswata Banerjee & Associates wrote:
Many banks follow this practice. It's called 2-token authentication. It ensures that if someone has seen your password, he can't still get in unless he has flicked your phone too. (in which case, he deserves to get your money, me thinks). But once the password is sent to your phone, it's valid for 4 hours or 1st use whichever earlier. With both kotak and Standard Chartered (and earlier with yes bank), the sms generally came in 2-5 min.
in axis bank it is only valid for the current session.
one solution is, of course, to change your bank; the other is to complain bitterly to your relationship manager and ensure he takes it to the top.
On Tuesday 15 June 2010 11:17:49 Saswata Banerjee & Associates wrote:
in axis bank it is only valid for the current session.
one solution is, of course, to change your bank; the other is to complain bitterly to your relationship manager and ensure he takes it to the top.
I was very happy with axis bank for many years - but now as they are getting bigger they are becoming as bad as the others.
On Tuesday 15 June 2010 10:45:02 Saswata Banerjee & Associates wrote:
On 15-Jun-2010, at 10:32 AM, Kenneth Gonsalves wrote:
On Tuesday 15 June 2010 10:18:22 Arun Khan wrote:
On Mon, Jun 14, 2010 at 8:21 PM, Mukund Deshmukh mukund.deshmukh@gmail.com wrote:
I do with HDFC NetBanking.
even on your personal laptop/machine?
Why not! If you are on Wifi...
Precisely! Even though the connection is encrypted it is better to be safe than sorry.
I find hdfc a bit too paranoid. One cannot store the password or the username, but has to type it every time - and every now and then a new password is demanded - and one cannot use the last three passwords used. As a result, I find it very difficult to remember the password.
That is not paranoid. It's standard corporate security practice. The password has to be changed every 6 months (many corporates ask for it to be done every month). They know most users will not bother to change passwords unless forced.
Sprinting 100 mtrs to compete in the marathon. Users are going to use simple easily remembered passwords with this type of forced changes.
I use an "algorithm" to mangle a set of characters known password
and tataindicom is totally messed up - on forgot password they ask 'mother's maiden name' - and there are two fields to be filled - 'hint question' and 'hint answer' - hint answer I know, but what is hint question?
LOL. I write down the question and answers for key items and keep it in record. More for my banking info of course.
If they pose the question, the answer can be guessed, reducing the security to rubbish.
and axis bank has a funny system of verifying some payments - you are supposed to get an sms with a pin number. This is supposed to come within a minute - at peak hours it takes longer than a minute, by which time the site times out, so everything has to be repeated.
Many banks follow this practice. It's called 2-token authentication. It ensures that if someone has seen your password, he can't still get in unless he has flicked your phone too.
Or masquerades as you and has your phone no. changed to his. Don't know what sort of procedures are followed at Axis, but the procedure at UBI is quite unreliable. So a change of address took months, resulting in important stuff being despatched to the old address.
Trying to protect a user from himself is stupidity itself. There are enough holes in the chain as is, and the banks should concentrate on this and improving their abysmal services, rather than idiotic measures like changing passwords.
One of the banks had a small token with an lcd which displayed a number every time you pressed a button. When you did a web transaction, the app would ask you to press the token button and enter the displayed number. Of course if someone flicked this from you and knows your username and password, you are going to be in a deep hole.
On Tuesday 15 June 2010 11:53:16 jtd wrote:
I write down the question and answers for key items and keep it in record. More for my banking info of course.
If they pose the question, the answer can be guessed, reducing the security to rubbish.
they pose the question - and then ask for both 'hint question' and 'hint answer'. The most reliable method for password change is a simple email followed by a confirmation on the web - why more sites do not follow this is totally beyond me. Even paypal has realised that most of these silly procedures just keep users out. Of course banks do not need to worry since most of us are too tired of all the procedures to change banks.
On Tue, Jun 15, 2010 at 10:28 AM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
they pose the question - and then ask for both 'hint question' and 'hint answer'. The most reliable method for password change is a simple email followed by a confirmation on the web - why more sites do not follow this is totally beyond me. Even paypal has realised that most of these silly procedures just keep users out. Of course banks do not need to worry since most of us are too tired of all the procedures to change banks.
One of my banks has it simpler. It asks me for just a few letters of the password. The first, third, seventh and 10th for example. That way even if there is a keylogger installed, my whole password is never leaked.
Regards, NMK.
On 15-Jun-2010, at 1:30 PM, Nadeem M. Khan wrote:
On Tue, Jun 15, 2010 at 10:28 AM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
they pose the question - and then ask for both 'hint question' and 'hint answer'. The most reliable method for password change is a simple email followed by a confirmation on the web - why more sites do not follow this is totally beyond me. Even paypal has realised that most of these silly procedures just keep users out. Of course banks do not need to worry since most of us are too tired of all the procedures to change banks.
One of my banks has it simpler. It asks me for just a few letters of the password. The first, third, seventh and 10th for example. That way even if there is a keylogger installed, my whole password is never leaked.
Which bank is this?
Regards, NMK.
On Tue, Jun 15, 2010 at 12:01 PM, Saswata Banerjee & Associates scrapo@saswatabanerjee.com wrote:
On 15-Jun-2010, at 1:30 PM, Nadeem M. Khan wrote:
On Tue, Jun 15, 2010 at 10:28 AM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
they pose the question - and then ask for both 'hint question' and 'hint answer'. The most reliable method for password change is a simple email followed by a confirmation on the web - why more sites do not follow this is totally beyond me. Even paypal has realised that most of these silly procedures just keep users out. Of course banks do not need to worry since most of us are too tired of all the procedures to change banks.
One of my banks has it simpler. It asks me for just a few letters of the password. The first, third, seventh and 10th for example. That way even if there is a keylogger installed, my whole password is never leaked.
Which bank is this?
HSBC, not the Indian one.
Regards, NMK.