E-mail List Archives

Re: Keylogging and PIN entry fields


From: Jukka K. Korpela
Date: Nov 24, 2005 3:00PM

On Wed, 23 Nov 2005, Christian Heilmann wrote:

> I had to deal with a client requirement today that puzzled me. The
> product is a banking application and there will be a login that
> requires a 4 number pin.

Sounds unsafe. Even if the connection is safe (https), there's a
considerable risk that phishing can be used effectively to get
user passwords. Where I live, banks use a PIN code _together with_
a single-use code that the user picks up from a list that has been
sent on paper. This greatly reduces the odds of successful phishing.

Phishing is a real security threat. But many experts prefer solving
security problems that they have imagined, rather than the more difficult
problems that actually exist.

> Now, normally I'd have used a password field for that - as it is the
> most accessible solution -

No, it isn't. A normal text input field is more accessible, since the user
can see the numbers (assuming of course that he uses a visual interface).
It might be less secure, but it's more accessible. On the other hand,
the _only_ security that a password field gives is that the password
is hidden from any prying eyes around. This can be completely imaginary,
since if you can look over someone's shoulder, you might as well see
what keys he presses. Note that using a password field does not cause the
data to be encrypted in any way - just masked out in the user interface.

> but the client requested a pin entry pad
> like the ones you see on cash machines.

That's absurd, and it means he's causing real trouble in trying to solve
imaginary problems.

> The users should use their mouse to enter the pin.

What if he has not got a mouse, or cannot move it well enough, due to a
motoric disability?

> The reason (not marketing as I originally thought): Keylogging
> software that might record the pins users enter. Therefore as a safety
> measure the pin pad was requested.

What makes him think that mouse movements cannot be logged?
(Well, that might not be useful to a cracker, since simpler methods
can be used to steal information, once you're inside another person's

Besides, keylogging software means broken security anyway.
Such problems need to be prevented by tools other than making all
application programs hard to use by adding (unavoidably incomplete)
security features into them.

> I really wonder if there is a non-JavaScript dependent solution to
> this problem.

The assumed non-solution to the assumed non-problem cannot be implemented
without scripting. Making it work via server-side scripting (so that each
click on a button causes a transaction between the browser and the server)
would be grotesque (and therefore fit into the approach :-) ).

> Well, 4 dropdowns with 0 to 9 would be one, but that is
> as trackable, isn't it?

Everything is trackable.

Forcing users to use four dropdowns to perform the simple input of four
digits would mean the same as forcing them to click on buttons: it would
add insult to injury without achieving any security. (In fact, in both
cases, the user's operations would be slowed down so that prying eyes have
much better chances of figuring out the digits, especially since the
dialog would take place on screen.)

Jukka "Yucca" Korpela, http://www.cs.tut.fi/~jkorpela/