Virtual Keyboards for Passwords

On-Screen Keyboards

On-Screen keyboard Virtual keyboard of PEAs

All PEAs (PEA = Password Encrypting Archive) offer a virtual keyboard to provide an alternative input mechanism for typing the password. Instead of using the real keyboard, the physical keys, you can type your password by clicking a visual keyboard button on your screen.

Virtual keyboards probably increase the risk of password disclosure in certain scenarios by shoulder surfing. This means that if you are in a room full of people, using a virtual keyboard is not such a good idea. But otherwise they can reduce the risk of keystroke logging.

Keylogging

Keylogging means recording the keys stroke to get sensitive informations like passwords. There are both hardware and software key loggers. The price of hardware keyloggers starts at 35$. You can order them via Internet.

You can easily defend hardware keyloggers, but securely defending software keyloggers is almost impossible.

Almost all software keyloggers are able to monitore running programs, mouse clicks and they are also able to record screenshots. They typically make screenshots while a specific program is running and a mouse click is registered.

Prevention of Screenshots

If keyloggers spy on passwords, they do not take a shot of the whole screen, so less storage space is required.

Researchers at the University of Mannheim found that:
Furthermore, the malware can create screenshot of 50 × 50 pixels around the mouse pointer taken at every left-click of the mouse for specific sites. This capability is implemented to defeat visual keyboards, i.e., instead of entering the sensitive information via the keyboard, they can be entered via mouse clicks. This technique is used by different banks and defeats typical keyloggers. However, by taking a screenshot around the current position of the mouse, an attacker can also obtain these credentials.
Thorsten Holz, Markus Engelberth, Felix Freiling carried out a study for the university of Mannheim: „Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones“ (pdf).

The keyboard of the PEAs covers an area around the mouse position when the mouse button was pressed. This will hamper the evaluation of small screenshots around the mouse position.

Limitations of this Approach

However, for any of such strategies there is a simple workaround for keyloggers: Recording the mouse position for every click would make the first strategy useless, registering the mouse position and performing a screenshot one second later or just recording bigger screenshots would make the second strategy senseless.

There is no way to prevent Keylogging safely. But you can hamper some or even most of the existing keyloggers, especially the automated ones.

Conclusion

Virtual keyboards are not a definitive solution against keyloggers, but they can be one building block in the security architecture.



Menu of PeaFactory