Friday, July 6, 2007

Keyloggers and Virtual keyboards

Keyboard loggers are reasonably well known menaces today. Although there is arguably a legitimate usage for them, they are often used for malicious purposes, such as stealing passwords and other naughty activities. In Singapore, onscreen keyboards have started appearing on important applications and installations in an attempt to counter the threat of keyloggers. How much protection do these virtual keyboards offer to the users? In this article, we take a look at virtual, or onscreen keyboards, and how good they really are.

Generally speaking, a keylogger is a piece of hardware or software that captures the keystrokes typed at the keyboard. They can be dumb, capturing everything, or smart, to the extent that they can pick out passwords and login credentials as users type them. Today, common advice is to use an onscreen keyboard to defeat keyloggers. Windows XP comes with a built-in onscreen keyboard, where characters are clicked on the screen rather than typed.
An interesting exchange can be found on this forum http://www.habbos.co.uk/viewtopic.php?id=3705

An excerpt here:
Premium: But can a keylogger trace the On Screen Keyboard?
Clarkylfc: Jord, it cannot trace it - a keylogger is a program which records the entered keys! The on screen keyboard is a program and the keylogger doesn't record programs

This blog entry says that Virtual (Onscreen) keyboards protect against keyloggers and spyware: http://pchere.blogspot.com/2005/07/virtual-keyboards-protect-against.html

An excerpt here:
I enter the usernames and passwords using this keyboard and even if there is any spyware logging keystrokes, it will not get hold of my private information. Why? Because you will enter this information by mouse clicks and not keystrokes.

This commentary about online banking on Citibank India suggests that the new login procedure is SAFER. http://www.guide2net.net/mobile_internet/product_reviews/vipul/on-line_banking/index050414.html

An excerpt here:
Now about the safety part, start using banks which think all this through before you have to worry. In India, awareness among foreign banks about password-based hacking is high. Citibank recently changed the way we log on to their website to access our accounts. By default it doesn't accept our keyboard input, so there is no question of a key logger trapping our keystrokes. Citibank uses an onscreen keyboard which you use with your mouse; the configuration of numeric keys on the onscreen keyboard is random and changes every time for additional safeguards. Unlike keyboard strokes, mouse movement/clicks are extremely difficult to track for hacking purposes and that makes it a much safer alternative.

In Singapore, not all banks use onscreen keyboards for logins. Some do, and others use hardware tokens in conjunction with login credentials. Some improve on the onscreen keyboard concept by having the keys change positions randomly every time the user accesses the login page. So is this really safe, and have the writers we’ve just seen got it right? Well, sadly, the correct answer is NO.

Virtual or onscreen keyboards, randomized or not, are no safer than physical keyboards. There is no onscreen equivalent of a hardware keylogger, but a correctly placed video camera would do the trick. What about software solutions? How can anyone make sense of mouse clicks? With a little intelligence, a hacker can use your mouse clicks to reveal what you are “typing” into an onscreen keyboard. In August 2005, a proof-of-concept attack was posted showing how to overcome Citibank’s virtual keyboard (http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=17684).

This attack is limited in scope, as it targets a specific application; Citibank websites in different countries employ differing mechanisms anyway.
More generically, new-generation keyloggers no longer just capture keystrokes; they also capture mouse clicks. You may be wondering how on earth mouse clicks can reveal what you are “typing”. In fact, the clicks themselves are not the key. Whenever you click, the keylogger captures a tiny portion of the screen around the mouse cursor. This can vary from a 10x10 pixel square to whatever dimensions the hacker specifies. The hacker is thus able to “see” whatever you “type”, regardless of where it is on the screen and regardless of whether the key layout is randomized. The upshot is that virtual/onscreen keyboards are useless in terms of safeguarding your privacy.

Generally speaking, safe practices that could help protect you include:
  • never doing internet banking on a public computer, whether a computer at a cyber café or a shared desktop in the office
  • not logging in to anything at all from public computers; that includes email, online forums and the like
  • not logging in to anything at all from somebody else’s computer; even if that person is trusted, their computer is not.
