Keylogging programs gain sophistication

Thursday, March 15th, 2007
Categorized as: Treasury Direct

A keylogging program captures what you type on your keyboard and emails it to someone who’s up to no good.

According to virtual keyboards provide zero protection, by John C. Sharp, founder of security firm Authentium, state-of-the-art keylogging programs take screenshots with each mouse-click, thereby rendering password systems like TreasuryDirect’s vulnerable.

Rate this post (1 to 5 stars):  1 Votes | Average: 5 out of 51 Votes | Average: 5 out of 51 Votes | Average: 5 out of 51 Votes | Average: 5 out of 51 Votes | Average: 5 out of 5
(Average rating: 5 stars)
Loading ... Loading ...

13 Comments

On March 28th, 2007 Steve the K said:

If what he says is true, we have to hope that the antivirus companies (McAfee, Symantec, Avast, Kaspersky, etc) can keep up with the bad guys to detect and prevent the installation of keyloggers.

This is another example of everyone needing an antivirus and firewall. Of course, some basic intelligence helps, e.g. don’t install strange programs that arrive in email or strange websites.

On October 23rd, 2007 Ken said:

Looks like the TreasuryDirect is introducing access cards for logging in. I wonder if this is for all TreasuryDirect account holders? Here’s the latest email I received:

Dear TreasuryDirect Account Holder,

We are introducing an additional layer of security (multi-factor authentication) to your TreasuryDirect account.

In the next few days, we will be mailing an Access Card and instructions to you at the address shown in your account. The Access Card, which you will use during the login process, will help us verify your identity and help you verify that you are on the authentic TreasuryDirect website.

Please allow 10 days from the date of this e-mail for your Access Card to arrive. After 10 days, if you do not receive your Access Card, please contact us at (304) 480-7711 and select the appropriate option. In about two weeks, a new page will display after you enter your account number and password. At that time, you will need to use your card to access your TreasuryDirect account.

Check the Investor InBox in your TreasuryDirect account for a message about the Access Card and a link to a demonstration of how the card works. Also, please make sure your account contains your correct mailing address.

Thank you for your help.

This message is an automated mailing from the Bureau of the Public Debt.

On October 24th, 2007 Tom Adams said:

Hi Ken - I’ve received this message, too. As far as I can tell, this will be first in online investing accounts.

Tom Adams

On October 28th, 2007 Ken said:

I received the access card in the mail last week. I thought it would be an electronic card which displays alternating random numbers. But it’s just a table with random numbers and letters. Looks like the login system will ask you for the characters that are on specified rows and columns. Seems like a pretty good way to guard against keylogging programs. I would guess each login would request a different row/column. So a keylogger would have to record the info over many logins to be successful. It’s not quite as good as an electronic access card, but it may be good enough, and it’s probably a lot cheaper. I hope banks and brokerages will provide a similar option.

On October 28th, 2007 Tom Adams said:

Ken - Also note that if you and your wife both have TD accounts, you need to keep track of which card is which. Each card is unique. It’s a very simple idea, but it looks effective.

Tom Adams

On December 3rd, 2007 Bill Harrell said:

Just got this email:

Dear TreasuryDirect Account Holder,

We are introducing an additional layer of security (multi-factor authentication) to your TreasuryDirect account.

In the next few days, we will be mailing an Access Card and instructions to you at the address shown in your account. The Access Card, which you will use during the login process, will help us verify your identity and help you verify that you are on the authentic TreasuryDirect website.

Please allow 10 days from the date of this e-mail for your Access Card to arrive. After 10 days, if you do not receive your Access Card, please contact us at (304) 480-7711 and select the appropriate option. In about two weeks, a new page will display after you enter your account number and password. At that time, you will need to use your card to access your TreasuryDirect account.

Check the Investor InBox in your TreasuryDirect account for a message about the Access Card and a link to a demonstration of how the card works. Also, please make sure your account contains your correct mailing address.

Thank you for your help.

This message is an automated mailing from the Bureau of the Public Debt.

On December 3rd, 2007 Bill Harrell said:

I just looked at the tutorial at:

http://www.treasurydirect.gov/indiv/help/TDTutorial/tutorial.htm

Does that make sense to you? Specifically, how they get the three sets of numbers from the grid.

On December 4th, 2007 Tom Adams said:

Bill - It makes sense when you log in. The login process presents you with three row-column coordinates and you enter what’s on your card at those positions.

Your card is different from other people’s cards and the TD computer knows what’s on your card. So basically you have to have the card in your possession to log in.

The cards are being sent to all TD account holders, although they’re doing some each month and it may be a year or so before everyone has them.

Tom Adams

On December 31st, 2007 Crista said:

If you ask me, the TD Access Card is a ROYAL PAIN IN THE RECTUM. I hate it - but thanks to low interest rates, I am not doing much with TD.

They sent a message to my TD account - which I did not log into - in September that they were mailing me the card. I never received the card. I never logged into the account and I never got their message they were sending me a card. Fast forward to November which is the first time I tried to access my account since August. No dice. It wants the info from the security card they “sent” me that never arrived.
There was no way to access my own account. I have to find a phone # (good luck on that) - contact them. They will send another card. Wait. Then can log in. This is BS.

I travel a lot - domestic and overseas. I will NOT carry this card with me. What will I do? Copy the info that is on the card electronically into my computer. How secure is that? This whole setup is just BS.

On April 17th, 2008 Ken said:

I noticed the following security change for managing your savings bond accounts:

Transactions Requiring Paper Forms: For your protection, changes to your bank information and certain security transfers require the submission of a signed and certified paper form.

I haven’t tried changing my bank info for over 3 years, but it looks like that may require a lot of hassles now. Although, it should make it a lot harder for a hacker to clean out one’s account. Do you have any more information on this process? What is a certified paper form?

On April 17th, 2008 Tom Adams said:

Hi Ken - To add or change a bank account for transferring funds from your TreasuryDirect account, you need a form you can only get when logged into TreasuryDirect (at “Manage Direct > Bank Change Form Request”).

You need to download, print out, and take it to your bank to have your signature certified (the same as with paper bonds). It’s called Form PD F 5512 E.

Tom Adams

On April 28th, 2008 Patience said:

I’m with Crista– the Access Card seems like a bigger pain than it’s worth. I hate feeling like I have to become a character in “The Matrix” in order to log in to my account! The annoyance of needing to find the card every time I want to do a transaction makes me actively not want to go visit TreasuryDirect, which would seem to be the opposite of what you would want from a security system.

On December 2nd, 2008 Laura Lehrman said:

this is an impossible situation
I want to access my account
I can’t
I got the card re-sent and now am trying yet again….
is this worth it?, I wonder
probably not
my time is more valuable than this

Comments Closed

June 1, 2010

After six years, over 400 posts, 3,680 real comments, and over 90,000 spam comments (thank you, Akismet, for making managing a blog with comments possible), I am closing public comments on Savings-Bond-Advisor.com. I will contine to update the main articles on this site, but not the comments.

Virtually every question about Savings Bonds has been asked and answered on this site multiple times. Use the search feature (see the box in the gray area near the top of this page) or the detailed menu on the lower part of the home page to find the information you're looking for. If you have a copy of Savings Bond Advisor, you can ask me a question here.

Tom Adams

Savings Bond Calculator



Help

Savings Bond
Questions

Get an answer to your questions from the Treasury's Savings Bonds team.

Click below to ask a question.

Ask the Treasury

TreasuryDirect

Invest online in Savings Bonds or
marketable Treasury securities.

Deal directly with the U.S. Treasury.

More info

Enroll

Log in