Kiwibank have added a new step to their login process, called KeepSafe.

In this step, user knows the answer to a small range of questions they have selected, like “Where were you born” or “What’s your pet’s name?” And when they log in they are prompted with the questions and asked to select random letters from the answer (eg to select the 1st and 5th letters).

The aim is to defeat keyloggers. The user uses their mouse to select letters from a display of the alphabet, and they never type the whole answer, so an attacker who logged mouse clicks would have to capture multiple logins.

My guess is that password-stealing malware is common enough now that it poses a significant risk to banks.

Unfortunately for users, this system is quite inconvenient. It involves an unaccustomed degree of mental and physical dexterity to select the correct letters. It also is unaccessible for people with text only browsers, or who have Javascript turned off (ironically, the very people least likely to be vulnerable to malware).

A friend suggested that their Keepsafe answer would be “Keepsafe is bloody annoying”. This inspired me. I realise now that the savvier user will set all their Keepsafe answers to AAAAAAAAAAAA.

I also wonder whether it wouldn’t be reasonably easy to guess Keepsafe answers. If I were a wily hacker, I’d use my dictionary to compile stats of the most common letters in English words, by word length and position in the word. Let’s see.

#!/usr/bin/python

import string

f = file('/usr/share/dict/words')

counts = [{'all':0},{'all':0},{'all':0},{'all':0},{'all':0},{'all':0}]

# snag all 6 letter words
for line in [l.lower().strip() for l in f.readlines() if len(l) == 7]:
    for i in range(6):
        # count the letters in position i
        letter = line[i]
        counts[i][letter] = counts[i].get(letter, 0) + 1
        # keep a total so we can compute a percentage easily
        counts[i]['all'] = counts[i]['all'] + 1
        
for pos in range(6):
    print "Position %d" % (pos + 1)
    tops = {}
    for letter in string.lowercase:
        tops[letter] = counts[pos].get(letter,0)*100/counts[pos]['all']
    # take the top ten most frequent letters
    for pair in sorted(tops.iteritems(), key=lambda(k,v):(v,k), reverse=True)[0:9]:        
        print "%s %02.2f%%" % (pair[0], pair[1]),
    print

Results:

Position 1
s 11.00% c 7.00% b 7.00% p 6.00% m 6.00% t 5.00% r 5.00% d 5.00% a 5.00%
Position 2
a 18.00% o 15.00% e 13.00% i 10.00% u 9.00% r 7.00% l 5.00% n 3.00% h 3.00%
Position 3
r 10.00% a 9.00% n 8.00% l 7.00% s 6.00% o 6.00% i 6.00% t 5.00% e 5.00%
Position 4
i 10.00% e 10.00% t 8.00% a 7.00% n 6.00% l 6.00% o 5.00% s 4.00% r 4.00%
Position 5
e 27.00% n 7.00% l 6.00% a 5.00% t 4.00% r 4.00% o 4.00% i 4.00% u 2.00%
Position 6
s 36.00% d 11.00% e 9.00% r 8.00% y 6.00% n 5.00% t 4.00% g 3.00% a 3.00%

The distribution of letters is quite skewed, and you get three goes with Keepsafe, so a patient intruder could probably guess a substantial minority of answers.

I’m not sure what the end of this arms race will be.