Monday, October 13, 2008

On-screen Captures

Rather than have users key in their passwords, some web sites have experimented with on-screen keyboards as a method of secure data entry. This forces keyloggers to do screen captures at every mouse click or every key event. One security startup is offering on-screen keyboard login as a service to banks. Again, this relies on the fact that a non-trivial increase in the resources consumed would be required to capture these passwords. The same is not true of the on-screen keyboard offered by the Windows XP Accessibility tools (available under Programs->Accessories->Accessibility Tools->On Screen Keyboard).

Unfortunately this keyboard emulates keystrokes and sends them to the application that has focus. Even the simplest keylogger will catch all of the entries from the on-screen keyboard as though they were typed.

Five shareware or commercial keylogging programs were tested: HomeKeylogger 1.70, GhostKeylogger, KG-BKeylogger, Spytector 1.2.8 and ProBot. None of them captured passwords entered using the trick we describe here.

THE TRICK
It bears pointing out that this is not a universal, durable solution to the problem of keylogging. There are many tricks in the security space that work well when used by a small number of people, but which will not withstand the attacks that a large deployment can be expected to bring. The security here comes from the fact that figuring out what an application does with keys is non-trivial for a layer of code that sits below that application. Doing a screen capture at every keystroke will reveal which of the keys typed using this method belong to the password (the password field of the browser indicates how many keys have been typed). But we point out that taking a per-keystroke screenshot greatly increases the spyware's resource consumption (and hence its risk of discovery), and harvesting of passwords becomes more difficult to automate.

Nonetheless, the simple mechanism of embedding the password in random keys, to be extracted elsewhere, is valuable. Here the random keys were inserted manually and "extracted" by relying on what the browser allows to fall on the floor. It was pointed out that this can be attacked (though it suffices to give real protection to real users today). A truly secure approach is to have the random keys extracted somewhere other than the untrusted machine. This can be done using a simple proxy server. The user again enters the password embedded in random keys, and the proxy extracts the random keys using a secret shared between the user and the proxy. In this way we can entirely avoid leaving any information about the password on the untrusted machine. Spyware that logs the keys, captures screenshots and monitors all network traffic would still be unable to discover the password without the shared secret:)
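As an added illustration of the proxy variant (example code written for this page, not something the post or any product ships): the chaff schedule is derived from the shared secret and a per-login session number, so the proxy can discard the random keys while the untrusted machine never sees the secret. The `embed` function stands in for the user inserting chaff according to that schedule; the HMAC-based schedule, the session number and the 0..3 chaff range are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed example: the user types the password with random "chaff"
# characters inserted before each real character; only the proxy, which
# holds the shared secret, can compute how many chaff characters precede
# each real one and drop them.
CHAFF_ALPHABET = string.ascii_letters + string.digits
MAX_CHAFF = 3  # assumption: 0..3 chaff characters before each real character


def chaff_count(secret: bytes, session: int, index: int) -> int:
    """Number of chaff characters preceding real character `index`.

    Derived from HMAC(secret, session || index): without the secret the
    schedule is unpredictable, and the session number changes it on every
    login so a captured entry does not expose the positions for the next.
    """
    msg = session.to_bytes(4, "big") + index.to_bytes(4, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return digest[0] % (MAX_CHAFF + 1)


def embed(password: str, secret: bytes, session: int) -> str:
    """User side: the keystroke sequence actually typed (chaff included)."""
    out = []
    for i, ch in enumerate(password):
        for _ in range(chaff_count(secret, session, i)):
            out.append(secrets.choice(CHAFF_ALPHABET))
        out.append(ch)
    return "".join(out)


def extract(typed: str, secret: bytes, session: int) -> str:
    """Proxy side: skip the scheduled chaff and recover the real characters."""
    password = []
    pos = 0
    index = 0
    while pos < len(typed):
        skip = chaff_count(secret, session, index)
        if pos + skip >= len(typed):
            break  # malformed entry (ends inside chaff): stop rather than guess
        pos += skip
        password.append(typed[pos])
        pos += 1
        index += 1
    return "".join(password)
```

A keylogger on the untrusted machine records the whole `embed` output, but without the secret it cannot tell which positions the proxy keeps.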
