Re: Keylogger resistance



In article <9d6dg.6397$x4.4401@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Tim Smith <reply_in_group@xxxxxxxxxxxxxxxx> wrote:

> the user clicks one digit from each row. The starting number in each
> row is picked randomly. Mouse logging software won't know what the starting
> value of each row was, so the click information will be nearly useless.

Mouse logging software can capture the screen around the click
(at the time the click occurs), thus revealing the PIN.

IMHO, those annoying virtual pinpads currently imposed by many banks
are of doubtful, maybe negative value:
+ secure against some event loggers (all hardware keyloggers,
  and many current spyware/keyloggers/event loggers)
- decrease security against plain shouldersurfing
- vulnerable to (a few) existing remote screenspy programs
- vulnerable to (easily written, maybe existing) event logger software
  capturing mouse clicks and surrounding screen
- inconvenient (the one at my bank even has an unbearable bug:
  the user must pause between mouseclicks, else clicks get lost).

Bottom line is that MY security is lowered (though the banker probably
is safer), and I'm thinking of switching to another bank because of the
inconvenience.


François Grieu