Slashdot picked up the NYT Bits article I discussed as one of the security alerts from yesterday’s show. I was so captivated by the lede, cracking those enhanced security tokens, that I completely missed the much more obvious takeaway. The technique by which attackers are bypassing the tokens is simply key logging, with the added twist of sending keystrokes in near real time.
The implications, then, should be much clearer than I initially made out. Not only are security tokens at risk, but all of the usual exposures created by key logging are in play, from password capture to logging of any other kind of sensitive data usually protected by SSL encryption.
Thankfully, the remote key logging relies on some sort of malware running on a target system. Usual best practices–keeping security software up to date, exercising caution with untrusted sites and communications–should be relatively effective in avoiding this particular nasty trick.