Does using a virtual keyboard help security?

Viewed 1,012 times

3

Does the use of virtual keyboards (similar to the one on Google's search) prevent typed data from being collected by keyloggers? If so, is there a virtual keyboard you can recommend?

2 answers

7


These solutions are quite naive. When someone uses a feature like this to provide more security, either they don't know what they're doing or it is just marketing.

Virtual keyboards can be captured easily. When a machine is compromised, nothing on it can be used with confidence. There is no use in resorting to tricks to keep sensitive information from being collected.

It is true that many keyloggers are not sophisticated and only capture the keyboard itself. But if you want security, you cannot rely on the luck of the infected machine having a bad keylogger.

I wouldn't recommend any such software because it just creates an illusion of security, even the most sophisticated ones that try to block screen capture or add other protections. Any solution that works stops working when hackers want it to.

  • 1

    I would say the same of some banking access protection software made in Brazil. A thousand artificial complications for the legitimate user, and a joke for those who really want to copy their credentials.

6

A virtual keyboard could be considered one of the elements that make up an arsenal necessary to increase the level of security of a solution.

It can at least rid the user of one category of information leak, namely keyloggers based on key capture. If the user does not press a key, a pure keylogger cannot capture the input.

However, if the malware can also capture click events and screen images, then it will be able to identify where the user clicked on the virtual keyboard. To avoid password discovery even with screen capture, a known technique is to put two or more numbers or letters on each button. It's like this at several ATMs.

Even so, a specific and more sophisticated piece of malware could monitor the value of form fields. To mitigate this risk, instead of the virtual keyboard buttons "typing" the same number or letter being displayed, the value could be a symbol randomly generated on the server side for this session, so that the symbol would change with each user access.

Even with all this, malware installed on the machine could still obtain undue access, but certainly the level of difficulty and the restrictions imposed by these and other techniques can reduce security risks by increasing the level of knowledge and sophistication required to carry out an "invasion".

In practice, I have no data to say how much a virtual keyboard may or may not contribute to improving security. While many financial institutions make use of this resource, global companies, such as PayPal, do not adopt it.

If I were to implement some authentication mechanism in risky applications, I would spend a lot of time studying existing solutions and never adopt any "ready" solution from any blog or tutorial.

  • To add to this: the spy software that was successful some 15 years ago, which script kiddies easily find on the internet, usually captures a rectangle of the screen around the mouse when you click, and records keyboard events. This was at the advent of the use of virtual keyboards by the "big fish", who stopped using these solutions precisely because they lost their effectiveness. This fits with your observation about PayPal and other global companies.
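
The scheme described in the second answer (two digits per button, each button submitting a symbol generated on the server for that session), sketched from the server's side. This is an added example, not code from either answer; the function names, the PBKDF2 parameters and the sample PIN are assumptions.

```python
import hashlib, hmac, itertools, secrets

ITERATIONS = 20_000  # demo value (assumption); tune for a real deployment

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def new_keypad() -> dict:
    """Per-session keypad: five buttons, two digits each, keyed by a random token."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return {secrets.token_urlsafe(8): digits[i] + digits[i + 1] for i in range(0, 10, 2)}

def client_view(keypad: dict) -> list:
    """What the browser receives: (token, label). A click submits the token only."""
    return [(tok, "".join(sorted(label))) for tok, label in keypad.items()]

def candidates(keypad: dict, tokens: list) -> list:
    """All PINs consistent with the clicked buttons; empty if any token is unknown."""
    if any(t not in keypad for t in tokens):
        return []
    return ["".join(p) for p in itertools.product(*(keypad[t] for t in tokens))]

def verify(keypad: dict, tokens: list, salt: bytes, pin_hash: bytes) -> bool:
    """Check every candidate against the salted hash. Discard the keypad afterwards."""
    ok = False
    for pin in candidates(keypad, tokens):
        ok |= hmac.compare_digest(hash_pin(pin, salt), pin_hash)
    return ok

def tokens_for(keypad: dict, pin: str) -> list:
    """Simulates the user clicking the button that shows each digit of the PIN."""
    return [next(t for t, label in keypad.items() if d in label) for d in pin]

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    pin_hash = hash_pin("4071", salt)  # constructed sample PIN
    session1, session2 = new_keypad(), new_keypad()
    clicks = tokens_for(session1, "4071")
    print(client_view(session1))
    print("login ok:", verify(session1, clicks, salt, pin_hash))
    print("PINs consistent with the clicks:", len(candidates(session1, clicks)))
    print("same tokens in a new session:", verify(session2, clicks, salt, pin_hash))
```

Because each click matches two digits, a 4-digit PIN yields only 5^4 = 625 distinguishable click sequences instead of 10,000, so strict attempt limiting matters more with this layout.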
