Virtual Keyboards…Another false sense of security measure

I’ve just realized there’s actually a significant number of online banking sites using virtual keyboards as part of the authentication process for the bank’s customers. So, instead of using your keyboard to enter the password, a virtual keyboard appears on the screen where the user is FORCED to enter his/her credentials by clicking on the virtual keys. And just to add some more security, every time you click on one of the virtual keys the positions of the keys on the keyboard are shuffled randomly (I’m assuming this is present to thwart an attack where the keylogger malware is also logging the mouse click positions).

I’ll go over the claimed security advantage: that a virtual keyboard prevents spyware (such as a keylogger) from recording your password while you’re entering it. Since the user is clicking with the mouse on random areas of the screen, the attacker will not be able to determine what the keys are. If the scenario here is to protect against a keylogger device (i.e. a hardware keylogger) then this might be true. But keep in mind that most keyloggers come in the form of malware infecting your computer. That is, they are just another piece of software installed on your system. If the attacker is able to install a keylogger on your system, what is to stop the attacker from installing another program that simply takes screen captures once you’re on an e-banking site?

Sometimes it is a given that you’ll be trading off some usability in return for extra security. We just need to make sure that the trade-off is worth it.

The trade-off here is in the convenience of entering the password. It goes without saying that it is easier for a user to type a string into a field than to use a mouse to click on a virtual keyboard.

I’ve enrolled in one of the online banking services where a virtual keyboard is required. I have to say it is not the most pleasant experience in terms of data entry. Naturally, I try to complicate the banking password a bit to protect against password guessing (of course I usually try to apply some of the concepts I wrote about here, but online banks usually impose a limit on what you can enter as a password). In any case, entering the password using a virtual keyboard takes a long time (sometimes close to 30 seconds or even more), especially when you have to hit the shift key multiple times. Also, since the password is masked while I’m entering it, I can’t really verify whether or not I’m entering the right thing. The randomization of the positions of the virtual keys every time I click the mouse further increases the error rate. More often than I would like, I find myself having to re-enter the password because I have entered the wrong value.

There might even be a chance that we’re actually less secure when using a virtual keyboard. Since the clicks on the screen are visible, you’re basically risking shoulder surfing in a public place. It is very easy for a passer-by to look at the screen and take a glance at what you’re entering. Banks do not usually allow long passwords, so the password is probably within the reach of a shoulder surfer’s memory.

I would just say the trade-off is not worth it. I haven’t really seen a statistic that discloses the number of victims of keylogging malware. Even if such a statistic existed, keylogging malware can easily be transformed into malware that captures screenshots.

One would think there are other, more effective ways of protecting bank customers from keyloggers. For starters, customers might want to avoid using public computers. Maybe the bank itself should check whether the customer is accessing the e-banking site from a familiar location/browser and, if not, enforce a further authentication barrier. As for virtual keyboards, all they seem to do is make it more difficult for a legitimate user to access the site.
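The “familiar location/browser” check suggested above, sketched as an added example (not code from the original post or from any bank): the login context is compared with the account’s confirmed history, and any unfamiliar signal sends the customer to a second factor instead of straight into the session. The field names, the GeoIP country lookup and the sample history are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LoginContext:
    account: str
    ip: str          # client address seen at the bank's edge
    user_agent: str  # browser identification string
    country: str     # from the bank's GeoIP lookup (assumed available)


def assess_login(ctx, history):
    """Return ("allow", []) when network, browser and country all match the
    account's confirmed history, else ("step_up", reasons) so the caller can
    demand a second factor before the session proceeds."""
    known = history.get(ctx.account)
    if known is None:
        return "step_up", ["no login history"]
    addr = ip_address(ctx.ip)
    reasons = []
    if not any(addr in net for net in known["networks"]):
        reasons.append("unfamiliar network")
    if ctx.user_agent not in known["user_agents"]:
        reasons.append("unfamiliar browser")
    if ctx.country not in known["countries"]:
        reasons.append("unfamiliar country")
    return ("allow", []) if not reasons else ("step_up", reasons)


def record_confirmed_login(ctx, history):
    """Once the extra factor succeeds, remember this context as trusted.
    The client's network prefix is stored rather than the exact address so
    routine address churn within one provider does not keep re-prompting."""
    entry = history.setdefault(
        ctx.account, {"networks": [], "user_agents": set(), "countries": set()}
    )
    prefix = 24 if ip_address(ctx.ip).version == 4 else 64
    net = ip_network(f"{ctx.ip}/{prefix}", strict=False)
    if net not in entry["networks"]:
        entry["networks"].append(net)
    entry["user_agents"].add(ctx.user_agent)
    entry["countries"].add(ctx.country)
    return history


# Constructed sample (RFC 5737 documentation addresses): one confirmed login.
HISTORY = record_confirmed_login(
    LoginContext("cust-1001", "203.0.113.7", "Firefox/120.0", "GB"), {})
```

A real deployment would also expire old entries and weight the signals rather than treating every mismatch alike, but the step-up-on-unfamiliar rule is the part the post argues for.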

One thought on “Virtual Keyboards…Another false sense of security measure”

  1. I totally agree with you. I believe banks should implement a really easy 2-factor authentication method of access to make things faster and more intuitive.

    I’ve seen a solution where the 2nd factor is a QR code registered to your phone and it authenticates to the cloud. (You need 3G obviously, but when traveling, SMS can be enabled.)

    Much easier, much faster!
