luminescente

Virtual Keyboards

Uncategorized — Pedro Cardoso on December 16, 2006 at 1:26 am

Oh for the love of god, I hate, hate, HATE virtual keyboards such as those used on banking sites.

First they make you use the tiny links on them (try hitting a ‘1’ or an ‘i’). Ever heard of setting display: block; on an A element and giving it a reasonable width/height, instead of relying on the link’s text width? Then some places use small and capital letters in addition to the usual numeric keypad. www.jogossantacasa.pt is one of these (yeah, I pay my stupidity tax by playing the Euromillions).

Then some places enhance security by having just a numeric pin code. I wonder how many of those are just 1234, or 0000.

Argh!!! I don’t have keyloggers on my Mac, and even if I did it’s my responsibility to keep my computer clean. Because of all those lame people with too many megahertz and little clue on how to use a computer safely, we have this stupid usability nightmare. Oh, how annoying…

1 Comment

  1. Besides, the “virtual keypad” technique only fools hardware-based keyloggers.

    You might remember SubSeven, a backdoor doodah for Windows, and its associated screenshot grabber. Automate screen capture on each click and you’ve subverted the keypad.

    Better, only capture screenshots of the current canvas, and then only when you’ve checked the title bar for “ Internet | Firefox”. Then, do a little image analysis to check for boxes around the pointer and perform OCR.

    Presto, you can use the same pipeline you’ve used before, and save the content of password “clicks” in the keylog, right next to the username.

    If you’re a CGD (.pt bank) developer, you get bonus points for hashing usernames and passwords using JavaScript *and* submitting them over SSL. Although I can no longer use Safari’s Keychain-based auto-completion (thereby increasing the chances that my bank password is spotted by a shoulder surfer), at least you’ve ensured that a locally-installed IE-proxy (like Norton’s) can’t see the information.

    Trade-offs, I guess. Bad ones, in my not-very-humble opinion.

    BTW, IE 6 doesn’t honor “display: block” directly on a link. There are documented hack-arounds, but 1) IE 7 probably broke them, and 2) I don’t even remember the details because I can get away with not caring for Internet Explorer’s users (in the drug-using sense).

    BTW, I pay *my* stupidity tax at bet-and-lose.

    Comment by Luís Bruno — December 19, 2006 @ 10:13 pm
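The click-logging and screenshot-cropping attack described in the comment above, as an added simulation that is not code from the original post or its commenter. The “screen” is an in-memory character framebuffer rather than a real display; the keypad geometry, the per-session key order, the PIN and the window title are constructed values, and every function name is an assumption made for the demonstration. It goes one step beyond the comment by putting a coordinate-only keylogger, which a per-session shuffled keypad does defeat, next to the screenshot pipeline, which that shuffling does not defeat.

```javascript
// Added simulation of the "screenshot on each click" keypad attack.
// Not code from the post; all names, sizes and sample values are assumptions.

const SCREEN_W = 200;            // framebuffer width in "pixels" (assumed)
const SCREEN_H = 120;            // framebuffer height (assumed)
const KEY_W = 36, KEY_H = 36;    // size of one key (assumed)
const COLS = 5;                  // keys per row (assumed)
const ORIGIN = { x: 10, y: 20 }; // where the keypad is drawn (assumed)

const STANDARD_ORDER = "0123456789"; // the layout a fixed keypad always shows
const SESSION_ORDER = "7305961842";  // constructed per-session shuffle

// Key i of `order` occupies a KEY_W x KEY_H rectangle in a COLS-wide grid.
function layoutKeypad(order) {
  return [...order].map((label, i) => ({
    label,
    x: ORIGIN.x + (i % COLS) * KEY_W,
    y: ORIGIN.y + Math.floor(i / COLS) * KEY_H,
    w: KEY_W,
    h: KEY_H,
  }));
}

// Framebuffer stand-in: each pixel holds the char code of the key drawn
// there, 0 for background. A real grabber would read the display instead.
function renderKeypad(layout) {
  const fb = new Uint8Array(SCREEN_W * SCREEN_H);
  for (const k of layout) {
    for (let y = k.y; y < k.y + k.h; y++)
      for (let x = k.x; x < k.x + k.w; x++)
        fb[y * SCREEN_W + x] = k.label.charCodeAt(0);
  }
  return fb;
}

// The victim clicks the centre of the key bearing each PIN digit; a hook on
// mouse events sees exactly these coordinates and nothing else.
function simulateClicks(layout, pin) {
  return [...pin].map((d) => {
    const k = layout.find((key) => key.label === d);
    return { x: k.x + (k.w >> 1), y: k.y + (k.h >> 1) };
  });
}

// Attack 1, coordinates only: map clicks through the layout the attacker
// assumes the bank uses. Works for a fixed keypad, fails when it is shuffled.
function recoverFromCoordinates(clicks, assumedLayout) {
  return clicks
    .map((c) => {
      const k = assumedLayout.find(
        (key) => c.x >= key.x && c.x < key.x + key.w && c.y >= key.y && c.y < key.y + key.h
      );
      return k ? k.label : "?";
    })
    .join("");
}

// Attack 2, the comment's pipeline: check the title bar, grab the screen at
// click time, crop a box around the pointer and "OCR" it.
function cropAroundPointer(fb, x, y, radius) {
  const out = [];
  for (let yy = y - radius; yy <= y + radius; yy++)
    for (let xx = x - radius; xx <= x + radius; xx++)
      if (xx >= 0 && xx < SCREEN_W && yy >= 0 && yy < SCREEN_H)
        out.push(fb[yy * SCREEN_W + xx]);
  return out;
}

// OCR stand-in: the most frequent non-background code in the crop.
function ocrCrop(pixels) {
  const counts = new Map();
  for (const p of pixels) if (p) counts.set(p, (counts.get(p) || 0) + 1);
  let best = 0, bestN = 0;
  for (const [code, n] of counts) if (n > bestN) { best = code; bestN = n; }
  return best ? String.fromCharCode(best) : "?";
}

function screenshotPipeline(windowTitle, fb, clicks) {
  // Only the banking window is worth the screenshots, as the comment notes.
  if (!/ Internet \| Firefox$/.test(windowTitle)) return null;
  return clicks.map((c) => ocrCrop(cropAroundPointer(fb, c.x, c.y, 8))).join("");
}

// One constructed session: a 4-digit PIN on a fixed and on a shuffled keypad.
function demo() {
  const pin = "4921";
  const fixed = layoutKeypad(STANDARD_ORDER);
  const session = layoutKeypad(SESSION_ORDER);
  const title = "Online banking - Internet | Firefox"; // hypothetical title
  return {
    fixedCoords: recoverFromCoordinates(simulateClicks(fixed, pin), fixed),
    shuffledCoords: recoverFromCoordinates(simulateClicks(session, pin), fixed),
    shuffledScreenshot: screenshotPipeline(title, renderKeypad(session), simulateClicks(session, pin)),
  };
}

module.exports = { layoutKeypad, renderKeypad, simulateClicks, recoverFromCoordinates, screenshotPipeline, demo };
```

Running `demo()` gives `fixedCoords` and `shuffledScreenshot` equal to the PIN and `shuffledCoords` equal to the digits the standard layout happens to show at the clicked positions (“8496” for the constructed order). The crop radius is smaller than half a key so the OCR stand-in never straddles two keys; a real grabber gets a noisier crop, which is why the comment talks about looking for the box around the pointer first.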



This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.