These keyboards generate the numbers in random positions, which vary between user accesses. So, even if you manage to learn which buttons the user pressed, you cannot be sure of the correct password.
For example, assume a dummy password like 021793. The keyboard could display the following options:
The user must press the buttons in this order:
[0 or 4], [2 or 6], [1 or 5], [7 or 9], [7 or 9], [3 or 8]
You already know which buttons he used this time, but to guess the password by brute force you have a space of 2^6 = 64 combinations. Remember that the bank will lock the password after a few failed attempts (most banks lock after 3).
Next time the user enters the system, if you capture the clicks again, you will have a set of 64 different combinations to try.
So, in theory, that would make the system safer because it would obscure the password. In practice this is excellent at preventing a person looking over your shoulder from guessing your password. But note that instead of trying to break the password by brute force, an attacker could simply do a statistical analysis of the buttons used.
In other words: when you access the bank page again some time later, there will be another keyboard. There are again 64 combinations, but not all of these combinations are the same as in the previous set. An attacker could greatly reduce the guessing space by analyzing only the intersections.
If we take the photo keyboard and change it:
- The first key to [0 or 6];
- The third key to [2 or 4];
By the client's second access we will already know that the first password digit is 0, because the first digit must be in the intersection of the sets {0, 4} and {0, 6}. The second password digit is also easier to guess for the same reason.
I may have made guessing the password look easy, but it is not trivial to capture the user's screen. The bank page has its own mechanisms to prevent you from watching the clicks. In addition, banks usually also require the installation of browser extensions and sometimes even external programs to increase security.
The only way to break the security of such a password with accuracy is to film the user with cameras during several different accesses. Maybe you could do it with an office security camera, in case the office employees use it for Internet Banking. Or you could use a camera with a very large zoom to film a neighbor while he accesses the bank. However, this type of attack is so elaborate that it is practically cinematic.
Besides, all you could get would be to see the user's balance. All banks I know still require other forms of authentication to allow any account movement.
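To quantify the intersection argument in the answer above, here is an added example (my own code, not the answerer's or any bank's): it models the two-digit-button keyboard, records only which button was pressed for each password digit, and intersects those observations across logins. Session 1 uses the answer's buttons; session 2 and the `random_keyboard` shuffle are constructed assumptions, and the password 021793 is the answer's dummy value.

```python
import random
from functools import reduce

DIGITS = "0123456789"
PASSWORD = "021793"  # the answer's dummy password

def random_keyboard(rng):
    """Constructed model of the bank keyboard: shuffle the ten digits and pair
    them up, giving five buttons that each show two digits."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return [frozenset(digits[i:i + 2]) for i in range(0, 10, 2)]

def observe_session(password, keyboard):
    """What a click observer learns in one login: for every password digit,
    only the two-digit button the user pressed, in order."""
    return [next(b for b in keyboard if d in b) for d in password]

def parse_session(pairs):
    """Turn a list like ["04", "26", ...] into the observed buttons."""
    return [frozenset(p) for p in pairs]

def candidates_per_position(sessions):
    """Intersect, position by position, the buttons seen across all sessions."""
    n = len(sessions[0])
    return [frozenset.intersection(*(s[i] for s in sessions)) for i in range(n)]

def candidate_count(sessions):
    """Size of the remaining guess space (product of the per-position sets)."""
    return reduce(lambda acc, s: acc * len(s), candidates_per_position(sessions), 1)

def recovered_password(sessions):
    """The password once every position is down to one digit, otherwise None."""
    sets = candidates_per_position(sessions)
    if all(len(s) == 1 for s in sets):
        return "".join(next(iter(s)) for s in sets)
    return None

def simulate(password, n_sessions, seed=1):
    """Guess-space size after each of n_sessions randomly generated keyboards."""
    rng = random.Random(seed)
    sessions, counts = [], []
    for _ in range(n_sessions):
        sessions.append(observe_session(password, random_keyboard(rng)))
        counts.append(candidate_count(sessions))
    return counts, recovered_password(sessions)

if __name__ == "__main__":
    # Session 1 is the answer's example; session 2 is a constructed second login.
    seen = [parse_session(["04", "26", "15", "79", "79", "38"]),
            parse_session(["06", "24", "18", "57", "39", "13"])]
    print(candidate_count(seen[:1]), candidate_count(seen), recovered_password(seen))
    print(simulate(PASSWORD, 10))
```

One login always leaves 2^6 = 64 candidates, far more than a 3-attempt lockout allows, but each further login that re-pairs the digits removes whole factors of 2, which is why the scheme only defends against a one-off shoulder surfer.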
Great answer, congratulations.
– Paulo Martins
Thanks for the answer! I was curious mainly by the statistical analysis in relation to click capture. Very well explained.
– Leonardo Pessoa