Are On-Screen Keyboards Really More Secure?

onscreenkeyboard Using an on-screen keyboard to enter passwords and other personal data is a common technique for trying to reduce online fraud and crime. But does it really make any difference?

Lifehacker reader Anton wrote in to ask pretty much that exact question:

A quick question: I use on-screen keyboard when entering my bank passwords, credit card numbers, etc., in an effort to guard against malware. Is this a good idea or am I wasting my time?

Of course, using an on-screen (or 'soft') keyboard isn't always a matter of choice: it's the only option on touchscreen mobiles like the iPhone. Some online banking sites insist on using an on-screen keyboard to enter passwords (like the pictured example from Westpac). There's also an on-screen keyboard built into Windows XP and subsequent versions, which is principally designed to help with accessibility but can also be used as a privacy booster.

The logic behind the on-screen keyboard as a security measure goes like this: it's fairly easy to write a malicious program that tracks all the keystrokes that you type, and hence to steal passwords. It's rather more difficult to track the movement of a mouse around the screen and link that to a specific character, so many malware authors aren't going to bother.

Notice, though, how carefully qualified that last sentence was. It's harder to track a mouse onscreen, but by no means impossible — especially in the case of a fixed on-screen keyboard for a banking application. With an intelligent guess at the most common screen resolution, it wouldn't be too difficult, and modern malware is often tailored to very specific scenarios in just this way.

The bottom line? An on-screen keyboard certainly isn't going to hurt, but you shouldn't have it as your principle method of defence against online intruders (or nosy housemates). Make sure you've got decent security software, hard-to-guess passwords which you change regularly and proper wireless network security for starters. For online banking, two-factor authentication using SMS or a password generator also helps. With credit cards, follow common-sense steps to avoid fraud.


Comments

    I love the iphone keyboard, the way it displays each character in a big window every time I type in a password is awesome.

    The biggest complaint I have about the soft keyboard is that it lowers security.

    I am a Westpac customer, and their soft keyboard makes it possible for someone to look over my shoulder and read my password from a distance.
    After every click, the button I have just pressed remains highlighted until I click the next button.

    Westpac refused to comment when I queried this.

    Just to add my complain to Westpac. I totally agree with Mike McClure. People can easily looks over my sholder and guess password. I plan to move all my banking to Commbank when I have a chance.

    Ace

    Citibank uses the on-screen keyboard too, their small concession to security is the digits are randomized in a 3x4 numberpad.

    There is no way at all that they are more secure. It is extremely easy for someone to make an add-in for your browser so javascript commands are intercepted. The ONLY thing it stops is keyloggers. And as people have said above, it is made less secure by the fact that you have to see it on the screen.

    Screen-capture software breaks the security model, as do the aforementioned person over your shoulder (when I worked in schools this meant I could never safely enter my password).
    On the topic keyloggers are probably _more_ successful for capturing 'good' passwords that 'bad' ones. A keylogger will give you a huge dump of keycodes, which you can translate into characters. If your password is 'd3u*eeGHwe' it will be easier to find via this method than if your password is 'hello' - since the latter could be so easily confused among the rest of the keystrokes. If you want to confuse this, type in your password interspersed with clicking into other windows and typing some characters there. But in this scenario the best password is probably a long-ish plain-English sentence that you can remember. And the best security from the other end is to lock out your account after 3 (or so) failed logins, or a decent re-entry delay.

    Another Westpac customer here, and I agree, on screen keyboard is poor for personal security, and DAMN annoying to use!

    On top of the fact that if you don't own an iPhone you can't do your banking on your mobile (I love my Nokia for it's LACK of on screen keyboard)

    AND They have a 6 character LIMIT for their passwords, which enforce absolutely NO decent complexity.

    In fact I'm considering changing banking institutions just because of their poor online service.

    Why would you have to track the mouse position to capture the input from "soft" keyboards?

    As each character is clicked, it is then converted to an event which is passed on to the area of focus (the password field) which receives the plain-text character exactly the same way as if it was sent from a "hard" keyboard.

    Infact, I wouldn't be surprised if that is the way keyloggers actually (smartly) intercept keystrokes instead of the traditional raw keypresses.

    In Windows, it's quite easy to set up a hook to receive character events as a very simple application.

    My bank cancelled my card today when I queried three transactions: the first was two days ago, for just over $4. The second was today, for a similar amount. And the third, also today, was for over $80.
    Apparently the fraudsters send through a couple of smaller transactions to test the card’s authenticity, then hit you with a big one. The merchants concerned were s/rm inc, vlettercom, and Pacific Xray Corp, respectively. As someone said, check your transactions frequently.
    Pete

    If you were using the Windows on-screen keyboard, rather than a site-specific implementation like Westpac's I am guessing that standard key logger malware might still capture the keystrokes.

    Also, I have heard rumours of malware that take a partial screenshot in the vicinity of the pointer on mouse click events. This would defeat pretty much any on-screen keyboard.

    I'm using KeyScrambler a piece of software that encrypts key strokes within browsers and other software (in particular there is a Firefox add-on). Who knows, it claims to defeat Key loggers by allowing the logging but providing scrambled (encrypted) results. http://www.qfxsoftware.com/.
    In my experience Key Loggers inserted by rootkits are the serious baddy in all of this. Not detected by most AVs, nor your malware checkers (which renders all that security useless - but we know that already, don't we?

    Firstly, using an on-screen keyboard, like the accessibility ones in XP etc, still fire off keyboard events that malware listen to; in other words, they don't circumvent key-loggers.

    And as for onscreen keyboards like Westpac's banking: it's absolutely child's play to track the mouse and take tiny pictures where the user clicks the mouse.

    Basically, because the PC cannot be trusted, banking on the PC will never be safe.

    Essentially, when you only use a single factor authentication - be it a keyboard, onscreen keybord or similar - you are exposed to malware. With the current technologies available, two-factor authentication is the best possible path, and if you use SMS properly - where the code is challenge based (you need to pass username and password challenge first) and then session specific (not a code valid for a period of time, but only for that login session on that computer) you have a protection that is hard to compromise but that also do not force to change peoples behavior by using onscreen keyboards or other tricks that impose more hassle to the user.

    There are several SMS solutions out there, but few that impose this level of security such as sms passcode.

    Lars

    As recently as a few months ago, Schwab only used the first 8 digits of your password for programmatic access to your acct. I don't know if is still like that since I moved off Schwab for other issues with their security.

Join the discussion!

Trending Stories Right Now