13

Internet banking login process for Westpac requires the user to enter the password using the mouse. It's annoying, what's up with that? Is it just to try and stop keyloggers on public computers or is there a better reason?

Their mobile app lets you login with the keyboard.


Gilles 'SO- stop being evil'
wim
    You answered your own question. :) They think it defeats a class of bad guys that use keyloggers. – Eric Fleischman Oct 18 '12 at 04:01
  • 1
    General thinking on this, keycode scanners that tap into keyboard output are supposedly blocked out of the action, some sort of screen shot technique is required instead to recover the password. Mobile app isn't using a PC Keyboard device and hardware level keypad logging would be dependent on the device manufacturer, so probably less likely to see specialized logging software than the usual standards based PC keyboard. – Fiasco Labs Oct 18 '12 at 04:16
  • http://security.stackexchange.com/q/29742/971, http://security.stackexchange.com/q/152128/971 – D.W. Feb 24 '17 at 11:58

2 Answers

18

The graphical entry of passwords is initially an attempt to thwart keyloggers. When such things began to appear, keyloggers naturally evolved (the people who write keyloggers have not stopped developing them; they adapt to new conditions) and modern keyloggers are also mouseloggers which record, for each click, a partial snapshot of the screen (a small area surrounding the click point).

Another reason why some banks use graphical password entry methods is because they do not like Web browsers which remember passwords. This can be for legal technicalities: if the browser remembers the password, then the user is not entering it, and this may make it more difficult for the bank in case of some conflict between the bank and the user. But, in practice, as a security measure, the graphical password backfires: if the user cannot have his browser remember the password, he will use another storage medium, for instance a sticky note.

A more compelling reason, for a bank, to implement graphical password entry is trust management. The banking system foundation is trust: a bank is an entity to which you give your money, on the belief that it will give it back to you whenever you want. But since the bank uses that money (to lend it to other people), it intrinsically relies on the idea that not all its customers will want their money back simultaneously (that would be a bank run). As long as all the customers share that idea, the bank lives. That's the reason why bank buildings are always impressive (in the 19th century, they were all full of stone pillars and iron and marble, with extremely "massive" architecture): this is a conscious display of stability and robustness, so that you think of the bank in those terms.

In the age of the Internet, the graphical password entry is a stone pillar: it establishes a firm psychological distance between the bank and the less serious sites. It would not look good if the online bank Web site was too similar to the site you use to order a pizza. When they log into their bank account, the customers must have a feeling that they enter a "high security" zone in which their safety is taken seriously. The "graphical password entry", like all things graphical, is a nice gimmick for that (humans are visual animals, they react strongly to what they see). The Web site of my bank does not have a graphical password entry, but it takes care to open a popup window with a picture of a padlock, for the same reasons.

Thomas Pornin
5

I am not familiar with this particular bank, but there are a few possibilities.

  1. As you suggested it could be to make key logging more difficult.
  2. Is this by chance also Flash? They might be doing some client side encryption or something else on the input data before it is sent
    1. Their devs may find it easier to code this in flash/actionscript compared to JavaScript (I have seen javascript implementations of public key encryption on user credentials to limit MiTM)
    2. They want to obfuscate any operations they are doing client side
    3. They want to make it harder for some plugin or other local javascript to interfere
  3. Assuming it's not just sending the password without performing other manipulations, it could make it harder to script interception or brute force attacks (e.g., you cannot easily script the raw HTTP packets due to manipulations).
  4. Maybe they are just trying to look cool
  5. Using this system might make it easier to implement something else client side or integrate with some type of OTP or CAPTCHA for the devs to maintain.

There are certainly many intentions, some of which might not add any real security advantage.

Eric G
  • I don't think it is flash .. you can see it for yourself [here](https://online.westpac.com.au/esis/Login/SrvPage?referrer=http%3A%2F%2Fwww.westpac.com.au%2Fpersonal-banking%2F) – wim Oct 18 '12 at 05:13