7

Some web applications (One popular example is Skrill) don't allow input from Numpad for number <input>.

I've seen some local websites here also follow the same procedure. The thing is, all of them are related to e-commerce somehow, the things which raise my curiosity a lot.

What are the implications of such thing?

P.S. By Numpad I mean this part of PC/Laptop keyboards: enter image description here

Eekan
  • 79
  • 1
  • 2
    Don't know if this question is really a duplicate. As I understand it, This measure reduces the chances of shoulder surfing (probably by disallow input of a well-known structured part of the input devices). – Eekan Apr 05 '17 at 15:19
  • 8
    This could be unintentional. if the application is working with the keycodes instead of the resulting characters, it might accidentally ignore the numpad numbers as they produce different codes than regular numbers. – Arminius Apr 05 '17 at 18:01
  • 2
    @Arminius It could be, but why only e-commerce sites? Probably they're using a specific framework and it's the framework fault? – Eekan Apr 06 '17 at 15:33
  • 1
    @Eekan That's what I would think. – Arminius Apr 06 '17 at 15:37

3 Answers3

3

This answer is only speculative, but after I did some digging, this is the most probable solution for me.

The coders wanted to prohibit the input of numeric values in some fields of a web form. To do this they used keyCode values like here. Every key on the keyboard has a specific code, so its input can be identified with an ID. The numpad and the number keys - although giving the same input (numbers) - have different keyCodes.

The number keys have the keyCode values 0 - 9, the numpad values are 96 - 105.

To make it impossible to enter numeric values via keyboard, the input of all keys with the keycode values from 0 - 9 and 96 - 105 was forbidden, thus disabling the numpad.

Tom K.
  • 7,913
  • 3
  • 30
  • 53
0

I have a speculative answer based on @TomK's answer.

IMO it is not a security practice/theatre, but a bug in the software, namely the developers failed to implement their intended behaviour.

As TomK said, every key has a code. Developers of Skrill want you to enter only digits in a certain field. If you are familiar to HTML, Angular, jQuery etc. you know that there are tons of good ways to restrict an input to a numeric value. By "numeric", important, I don't necessarily mean the value is a number, but that it could be a string made of digits (e.g. zip code 00144 is not 144; a number could be 114.3 which is not a zip, etc.).

So while there are plenties of reasonable and reputable ways to restrict the input to digits, probably the developers forced Javascript to refuse everything that is not [0-9], but failed because they are looking at the ID of the key, not at the value the user is typing.

In Angularjs, you would do

<input ng-pattern="^[0-9]+$">

That accepts strokes both from numeric row and key pad.

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
-1

I don't know if you use an internet security software or antivirus that disables Number Lock on cetain websites. I have read many posts from software companies that address such things. Their reasoning is mostly due to concern for keylogging. I have never had such issues personally, so any further detail about the issue would be helpful. The only other thing I have found to be an issue with Number Lock, is if you need to use two key strokes to turn it on or off, or if it has been disabled in the OS's settings or in BIOS settings.

DatKat
  • 7
  • 2