My bank has issued a new version of their online banking site. This new version has no virtual keyboard to enter the PIN. I asked them how they are protecting me against keyloggers, but I didn't receive any answer.
- (40) The question is: did they protect against keyloggers before? For example: https://www.raymond.cc/blog/how-to-beat-keyloggers-to-protect-your-identity/ – schroeder Oct 25 '17 at 14:37
- (54) Are talismans not necessary anymore to protect against evil spirits? – CodesInChaos Oct 25 '17 at 19:19
- (5) My Dutch and British banks have both issued me separate token generators (e.g. [PINsentry](https://en.wikipedia.org/wiki/Chip_Authentication_Program)) into which one enters the PIN, which solves the problem better. – PJTraill Oct 25 '17 at 19:22
- (10) Why do you think it's your bank's responsibility to protect you from keyloggers? Keylogging means *your* computer is compromised, not its. – user2752467 Oct 25 '17 at 22:12
- (4) I've never seen a virtual keyboard in a banking site. Is this more common outside the US? – Barmar Oct 26 '17 at 04:11
- Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/67713/discussion-on-question-by-david-lopez-are-virtual-keyboards-not-necessary-anymor). – schroeder Oct 26 '17 at 15:35
- (1) @Viezevingertjes we're talking about virtual keyboards on bank sites, implemented with HTML/CSS/JS, which are not capable of emulating a keystroke a regular keylogger would be able to pick up. – ave Oct 27 '17 at 07:00
- (2) Might I suggest changing the question subject line to something like "Why is my bank's website no longer using a virtual keyboard for login?" or "Were virtual keyboards previously an effective technique against keyloggers but no longer helpful?" These forms both avoid **presupposing a false premise**, that they were previously "necessary" or even useful protection. This kind of "presupposing and asserting something wrong in the question" is a practice I used to downvote for; if you don't know, you shouldn't be asserting it. – R.. GitHub STOP HELPING ICE Oct 27 '17 at 14:59
3 Answers
Virtual keyboards were an easy-to-implement solution to malware that recorded keystrokes from the keyboard and hardware keyloggers.
But the keylogger software developers quickly adjusted to this new technique (sometimes by simply taking a screenshot focused around where the mouse clicks).
In the end, it is not clear that a virtual keyboard provided any broad benefit. It would certainly defeat a hardware keylogger installed on your keyboard, but that's not the likely threat.
Given that keylogging software expects to also capture virtual keyboards, there is little benefit to maintaining this technology in the broad, likely scenario.
Tests have been done on the effectiveness of virtual keyboards:
https://www.raymond.cc/blog/how-to-beat-keyloggers-to-protect-your-identity/
- "It would certainly defeat a hardware keylogger installed on your keyboard" It would also defeat software keyloggers; filtering for bank URL followed by enter, followed by X, followed by a click or enter is much, much simpler to do in a generic way than the framework needed to inspect a specific virtual keyboard and its entry actions. – pmf Oct 26 '17 at 08:02
- (5) @pmf unless the virtual keyboard pretends to be a keyboard driver and you are back at square one with regards to software keyloggers. – ratchet freak Oct 26 '17 at 09:09
- Again, the virtual keyboards of banks are implemented on a web stack, and just listening for keystrokes won't give you the password. Taking a screenshot doesn't work with my bank, for example, as they change all characters to * when a key is pressed, and they scramble key positions after each keypress. Surely some keyloggers might adapt to that, but not most. I personally don't use the virtual keyboard, but it's probably at least OK when fighting against keyloggers. – ave Oct 27 '17 at 07:05
- (1) @Avery sure, and the testing link I included showed that some types of keyloggers are effective. My point is about 'broad benefit'. – schroeder Oct 27 '17 at 10:30
- Just because a solution is only a partial security improvement, this still does not convince me why it was abolished. IMO, for even a partial security improvement to be abolished, there should be some clear indication of whether there was any harm done by it (or excessive effort...). – AnoE Oct 27 '17 at 14:49
- @AnoE that's the wrong way to assess the situation. The bank has a *cost* to developing and maintaining the feature. The assessment is a *cost/benefit* comparison. If there is no broad benefit to users, then the costs can easily become too high for it to make sense *for the bank* to maintain. – schroeder Oct 27 '17 at 14:53
- That is what I am arguing, @schroeder. While the virtual keyboard is hackable by attacking it directly, it still does provide perfect security against physical loggers (however unlikely) as well as virtual keyloggers that just embed themselves in the keyboard driver/event system of the OS (very likely and easy attack path). I mean, it is obvious "why" they did it (the cost argument). But your answer, as it is, does not mention cost; it can be interpreted as "it was not perfect, and nobody uses key loggers anymore, so they scrapped it" (I am exaggerating, but still, that's my impression). – AnoE Oct 27 '17 at 14:57
- If the virtual keyboard pretends to be a keyboard driver, then monitoring it would require high enough privileges that a keylogger could just directly inspect memory contents anyway. – guest Nov 18 '17 at 23:14
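The comments above describe the kind of web-stack keypad some banks use: key positions are scrambled after every press and the screen only ever shows mask characters. As an added example, not code from the answer, its commenters or any bank's site, here is a small model of such a keypad (class and function names are my own). It runs under Node without a DOM; in a browser the same state would drive the labels of ten buttons. The `decodeAgainstLayout` helper shows why a log of click coordinates alone does not recover the PIN once the layout shuffles, which is the narrow benefit the answer weighs against screenshot-capable malware.

```javascript
// Added example (not from the answer or from any bank): a shuffling, masked keypad model.
const DIGITS = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];

// Uniform random in [0, 1) from Web Crypto where available (browsers, recent Node).
// The Math.random fallback only exists so the demo runs on older Node runtimes;
// it is not acceptable for a production shuffle.
function secureRandom() {
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === 'function') {
    const buf = new Uint32Array(1);
    globalThis.crypto.getRandomValues(buf);
    return buf[0] / 4294967296;
  }
  return Math.random();
}

// Fisher-Yates shuffle returning a new array; `rand` is injectable so tests are deterministic.
function shuffle(arr, rand) {
  const out = arr.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

class ShufflingKeypad {
  constructor(rand = secureRandom, maxLen = 6) {
    this.rand = rand;
    this.maxLen = maxLen;
    this.layout = shuffle(DIGITS, rand); // digit displayed at each of the 10 key positions
    this.entered = '';                    // secret buffer, never rendered
  }

  // Handle a click on key position `pos` (0..9). No keyboard event is generated, so a
  // hook on the OS keyboard queue sees nothing; the layout is re-shuffled at once so
  // the click coordinate has no fixed meaning across presses.
  press(pos) {
    if (pos < 0 || pos >= this.layout.length) throw new RangeError('bad key position');
    if (this.entered.length >= this.maxLen) return false;
    this.entered += this.layout[pos];
    this.layout = shuffle(this.layout, this.rand);
    return true;
  }

  render() { return '*'.repeat(this.entered.length); } // what the screen shows
  value() { return this.entered; }                     // what is submitted to the bank
}

// Simulate a user entering `pin`: find each digit on the current layout and click it.
// Returns the positions clicked, i.e. what a pointer-coordinate logger would record.
function enterPin(keypad, pin) {
  const clicks = [];
  for (const digit of pin) {
    const pos = keypad.layout.indexOf(digit);
    clicks.push(pos);
    keypad.press(pos);
  }
  return clicks;
}

// Decode a click log against one fixed layout. This is only right if the layout never
// changed between clicks, which is exactly what the per-press shuffle prevents.
function decodeAgainstLayout(clicks, layout) {
  return clicks.map((pos) => layout[pos]).join('');
}

// Stand-alone demo with the default (random) shuffle and a constructed sample PIN.
const demo = new ShufflingKeypad();
const demoFirstLayout = demo.layout.slice();
const demoClicks = enterPin(demo, '4913');
console.log('screen shows:', demo.render());
console.log('clicks:', demoClicks, 'decoded against first layout:',
  decodeAgainstLayout(demoClicks, demoFirstLayout));
```

With a `rand` that always returns 0, each Fisher-Yates pass becomes a one-position left rotation, so the model is easy to check by hand: the click log for `4913` is `[3,7,8,9]`, which decodes against the initial layout to `4890`. A screenshot taken at each click captures the layout of that moment and decodes correctly, which is the limitation the answer and the linked tests describe.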
Virtual keyboards are commonly used in banking sites because they have (at least) two neat pros:
- they protect the password from naive keyloggers
- they prevent the user from storing the password in a file
But they do have cons:
- specialized keyloggers can still spy on the passwords (see @schroeder's answer for a more in-depth explanation)
- they prevent usage of complex passwords (12 to 20 random characters) stored in a decent password manager like KeePass
As far as I am concerned, I do not like them because of that. But I must admit that they may add some security for non-security-aware users. The problem with them is that as they require a rather weak password (at most 6 to 8 digits), the bank could be blamed in case of compromise.
With standard passwords, users can choose a strong password (and are advised to do so). So if they do not, they are fully responsible in case of compromise and cannot blame the bank.
- (6) Why does a virtual keyboard prevent the user from storing the password in a file? The user could still store it somewhere and type it in. – Lukas Oct 25 '17 at 20:13
- (2) I'm so glad my bank uses 2-factor auth using the chip card they issued to me instead of that kind of crap. – ratchet freak Oct 26 '17 at 15:39
One of the motivations behind a virtual keyboard was the risk posed by users accessing banking websites from PCs in cyber cafes, kiosks etc. in the past, together with the reliance on password-based authentication. With more users now having mobile/personal devices, that risk has come down. Some banking sites would have both options and provide a recommendation on when to use which. Large-scale usage of multi-factor/out-of-band authentication/verification for banking transactions has also reduced the risk.
If you have a keylogger installed on your machine, you have bigger problems. With advanced keyloggers, a virtual keyboard is not very effective.