I have a question regarding the "security" of using the clipboard for inserting sensitive information in the browser.
Here's the background to my question.
When doing my online banking I'm supposed to enter my username on the bank's online-banking page. This is the first step.
Then, in order to complete the login process, I have to enter my personal password (2nd step).
This is a very long one, in order to meet the demands set by the banking institution.
In order to enter both of these, I always use onboard (an on-screen keyboard) instead of my physical keyboard.
So instead of hitting the real keys it's just a matter of clicking with the mouse.
This is to avoid any potential keyloggers.
To be clear, I have no cause to assume I´ve ever run into keylogger-related problems.
Apart from that I invariably go about my online banking business in a safe sandboxed environment.
My thoughts behind it are just: I want to implement any security mechanism at my disposal. Just to be on the safe side.
Yet I was wondering:
What if I copy the password beforehand (either primary or default clipboard) and then paste it into the respective field?
Would this method be as secure as "typing it out" (or rather: clicking it out) with the help of onboard?
Inserting would be just a click after all.
In other words: would a potential keylogger be able to see the contents of the clipboard at all?
I doubt it, but I'm by no means sure.
What a great question.
My bank will not allow that idea; it has a design pattern to draw on the screen in the second step of the process.
Then, if it thinks the transaction could be different from my normal actions, such as a transfer etc., it messages my phone, where there is a special application which asks me to confirm.
So it is a three-step process.
But keylogging is a security issue; it will be interesting to see how others respond. I will watch with interest.
Hi Rosika,
I think not a keylogger, but some other malware, may be able to see the clipboard.
Do all types of copy/paste use the clipboard? I am not sure.
I guess there is no way to transfer a long password into a banking app without some form of copy/paste?
Is it possible to get some program to write its output directly into the banking page of the browser? That would bypass the clipboard.
Regards
Neville
Yes, right.
There's a third step with me, too. It consists of entering the TAN, which is generated by the ChipTAN generator.
However this is mainly for transactions.
The 2 steps I was referring to are just for login purposes.
If I’m to believe their promises, Proton Pass should bypass the clipboard and insert userid/password in my credit union’s sign-in page directly and securely. On my phone, it uses the fingerprint stored there.
I don’t use a fingerprint on my computer because I can’t find a distro or application for fingerprints anywhere in Linux.
So, Rosika, is a password manager the solution to your question?
O.K., the keyboard logger question is settled then.
As far as any other potential malware (which might access clipboard contents) is concerned…
… I hope to be on the safe side by using the sandbox mechanism.
The /xfce4/panel/plugins/libclipman plugin I'm using seems to suggest it saves only the default (not the primary) one.
Well, apart from the way I´ve been doing it with the help of onboard.
The longer the password is the more tedious the clicking procedure gets, of course.
Thanks a lot for your views on the matter, Neville.
I think it's better to have an uncompromised system without a keylogger.
On X11 theoretically any app can access the keystrokes, even inject keypresses. Wayland is more secure in this regard.
I think that protects your host system from worms potentially climbing out of that sandbox. I don’t believe it works the other way, but I don’t know.
Because I understand how important security is to you, Rosika, I urge you to take a look at the protonmail.com suite of offerings–there’s even a cloud storage service coming that looks pretty safe and useful. Cheers!
Thanks, László, for the link. I´ll read the article in due course.
Yes, of course.
I have never had any difficulties with my system or with online-banking.
I was just asking this question out of pure interest.
Copy-and-paste would help me get things done more quickly and it would help avoid typing mistakes.
That's all.
The way I'm using the sandbox is ideally suited for online banking (according to the Firejail Firefox sandboxing guide):
Private browser setup
Use this setup to access your bank account, or any other site dealing with highly sensitive private information.
The idea is you trust the site, but you don't trust the addons and plugins installed in your browser. Use the --private Firejail option to start with a factory default browser configuration, and an empty home directory.
Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS, and redirect the traffic to a fake bank website. Use the --dns Firejail option to specify a DNS configuration for your sandbox:
Don't use PPAs, unless you know exactly what's inside.
Don't paste commands into your terminal, unless you KNOW what they do.
Don't paste commands which look like wget && bash, or pipe wget to bash like wget -q -O - | bash, as they execute a script which you can't see. Download the script first, have a look at it, and decide whether you want it to run or not.
Well, I disagree on this. Sometimes you need to open ports.
But I agree, don’t open unnecessary ports.
Hi Rosika,
Allow me to ask: for such critical passwords, why don’t you find a difficult but easy-to-remember password and write it down manually every time you need to access the bank?
I use Bitwarden and KeePassXC, but the most critical passwords are written on paper.
Bet my next suggestion will make everyone jump up and down and say NO!
Have you thought about Google registration of username and password?
Just been on a French government website, something I don't need to do often, so no idea what my username or password is… clicked the sign-in button and Google filled it in without problem and did not show on the screen what it is, part of government security. It is similar for the UK government site, but that does show the info if I click the eyeball icon by the password.
OK, I can go into Google security and find the entry. But in theory I did not copy/paste or key it in, so secure?
I don’t let remote possibilities like this concern me overly, by remote, I mean “extremely unlikely”. In order for something like this to infect my systems, I’d probably have to be doing something risky in the first place, like open email attachments or blindly clicking popups from web sites…
One thing I will note - Keepass2 (not sure about keepassXC) removes passwords you copied into the clipboard after some “interval” or period of time - I think about 10-15 seconds… I think it just blanks the clipboard or something…
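The auto-clear behaviour mentioned in the last post, and the clipboard-manager history mentioned earlier in the thread (the clipman plugin that records the default selection), as an added example that is not code from the thread, from KeePass or from KeePassXC. The `InMemoryClipboard` class is a constructed stand-in that also records a history the way a clipboard manager would; `XclipClipboard` is an assumed helper that shells out to the real `xclip` utility so the same logic can be run on an X11 desktop. The sample password is constructed.

```python
"""KeePass-style clipboard auto-clear: put a secret on the clipboard, wipe it
after a short TTL, but only if the clipboard still holds that secret.

Added example, not code from the thread or from KeePass/KeePassXC.
"""
import subprocess
import threading
from typing import Protocol


class Clipboard(Protocol):
    def get(self) -> str: ...
    def set(self, text: str) -> None: ...


class InMemoryClipboard:
    """Constructed fake: the live selection plus what a clipboard manager records."""

    def __init__(self) -> None:
        self._content = ""
        self.history: list[str] = []  # every non-empty selection ever set

    def get(self) -> str:
        return self._content

    def set(self, text: str) -> None:
        self._content = text
        if text:  # a manager records each new selection; an empty one is not worth keeping
            self.history.append(text)


class XclipClipboard:
    """Assumed helper around the real xclip tool; selection is 'clipboard' or 'primary'."""

    def __init__(self, selection: str = "clipboard") -> None:
        self.selection = selection

    def get(self) -> str:
        result = subprocess.run(["xclip", "-selection", self.selection, "-o"],
                                capture_output=True, text=True)
        return result.stdout if result.returncode == 0 else ""

    def set(self, text: str) -> None:
        subprocess.run(["xclip", "-selection", self.selection, "-i"],
                       input=text, text=True, check=True)


def clear_if_unchanged(clip: Clipboard, secret: str) -> bool:
    """Wipe the clipboard only if it still holds `secret`; return True if wiped.

    Clearing unconditionally would destroy whatever the user copied in the meantime.
    """
    if clip.get() == secret:
        clip.set("")
        return True
    return False


def copy_secret(clip: Clipboard, secret: str, ttl_seconds: float) -> threading.Timer:
    """Place `secret` on the clipboard and schedule clear_if_unchanged after the TTL."""
    clip.set(secret)
    timer = threading.Timer(ttl_seconds, clear_if_unchanged, args=(clip, secret))
    timer.daemon = True
    timer.start()
    return timer


def demo(ttl_seconds: float = 0.05) -> dict:
    """Run the flow against the fake clipboard and report what is left behind."""
    clip = InMemoryClipboard()
    secret = "correct horse battery staple"  # constructed sample password
    timer = copy_secret(clip, secret, ttl_seconds)
    timer.join()  # wait for the TTL to elapse and the clear to run
    return {
        "live_after_ttl": clip.get(),               # "" : live selection was wiped
        "still_in_history": secret in clip.history,  # True: the manager kept a copy
    }


if __name__ == "__main__":
    print(demo())
```

The point the fake backend makes is that the timer only scrubs the live selection: a clipboard manager that has already recorded the password keeps its copy until its history is cleared or the manager is told to ignore the password manager's writes. To try it against a real X11 session, replace `InMemoryClipboard()` with `XclipClipboard()` or `XclipClipboard("primary")`.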