E-mail List Archives
Thread: Keylogging and PIN entry fields
Number of posts in this thread: 4 (In chronological order)
From: Christian Heilmann
Date: Thu, Nov 24 2005 9:40AM
Subject: Keylogging and PIN entry fields
No previous message | Next message →
I had to deal with a client requirement today that puzzled me. The
product is a banking application and there will be a login that
requires a 4 number pin.
Now, normally I'd have used a password field for that - as it is the
most accessible solution - but the client requested a pin entry pad
like the ones you see on cash machines.
The users should use their mouse to enter the pin.
The reason (not marketing as I originally thought): Keylogging
software that might record the pins users enter. Therefore as a safety
measure the pin pad was requested.
I came up with a DOM solution for the issue and would appreciate some
feedback and testing of it. If it were to be considered good, I will
release it as a download later:
http://www.icant.co.uk/sandbox/pinpad/test.html
More info and comment facility on the blog:
http://www.wait-till-i.com/index.php?p=193
I really wonder if there is a non-JavaScript dependent solution to
this problem. Well, 4 dropdowns with 0 to 9 would be one, but that is
as trackable, isn't it?
--
Chris Heilmann
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
Binaries: http://www.onlinetools.org/
From: Jukka K. Korpela
Date: Thu, Nov 24 2005 3:00PM
Subject: Re: Keylogging and PIN entry fields
← Previous message | Next message →
On Wed, 23 Nov 2005, Christian Heilmann wrote:
> I had to deal with a client requirement today that puzzled me. The
> product is a banking application and there will be a login that
> requires a 4 number pin.
Sounds unsafe. Even if the connection is safe (https), there's a
considerable risk that phishing can be used effectively to get
user passwords. Where I live, banks use a PIN code _together with_
a single-use code that the user picks up from a list that has been
sent on paper. This greatly reduces the odds of successful phishing.
Phishing is a real security threat. But many experts prefer solving
security problems that they have imagined, rather than the more difficult
problems that actually exist.
> Now, normally I'd have used a password field for that - as it is the
> most accessible solution -
No, it isn't. A normal text input field is more accessible, since the user
can see the numbers (assuming of course that he uses a visual interface).
It might be less secure, but it's more accessible. On the other hand,
the _only_ security that a password field gives is that the password
is hidden from any prying eyes around. This can be completely imaginary,
since if you can look over someone's shoulder, you might as well see
what keys he presses. Note that using a password field does not cause the
data to be encrypted in any way - just masked out in the user interface.
> but the client requested a pin entry pad
> like the ones you see on cash machines.
That's absurd, and it means he's causing real trouble in trying to solve
imaginary problems.
> The users should use their mouse to enter the pin.
What if he has not got a mouse, or cannot move it well enough, due to a
motoric disability?
> The reason (not marketing as I originally thought): Keylogging
> software that might record the pins users enter. Therefore as a safety
> measure the pin pad was requested.
What makes him think that mouse movements cannot be logged?
(Well, that might not be useful to a cracker, since simpler methods
can be used to steal information, once you're inside another person's
computer.)
Besides, keylogging software means broken security anyway.
Such problems need to be prevented by tools other than making all
application programs hard to use by adding (unavoidably incomplete)
security features into them.
> I really wonder if there is a non-JavaScript dependent solution to
> this problem.
The assumed non-solution to the assumed non-problem cannot be implemented
without scripting. Making it work via server-side scripting (so that each
click on a button causes a transaction between the browser and the server)
would be grotesque (and therefore fit into the approach :-) ).
> Well, 4 dropdowns with 0 to 9 would be one, but that is
> as trackable, isn't it?
Everything is trackable.
Forcing users to use four dropdowns to perform the simple input of four
digits would mean the same as forcing them to click on buttons: it would
add insult to injury without achieving any security. (In fact, in both
cases, the user's operations would be slowed down so that prying eyes have
much better chances of figuring out the digits, especially since the
dialog would take place on screen.)
--
Jukka "Yucca" Korpela, http://www.cs.tut.fi/~jkorpela/
From: Robinson, Norman B - Washington, DC
Date: Fri, Nov 25 2005 9:40AM
Subject: RE: Keylogging and PIN entry fields
← Previous message | Next message →
Barring rational reasons that this is the wrong approach, (i.e., if
you've got a keylogger on your system other things are probably
compromised such that a remote user could be viewing your entire
session) your solution seems sound and accessible.
Keyboard access works. I can scale the display with the font size. Works
when style sheets are disabled.
I didn't see a submit feature with the JavaScript disabled, but assume
you are simply prototyping a potential solution. I'd hate to have a
submit event on the last dropdown in case I accidentally hit the wrong
number.
There are always reasons, some unsound that users want to implement
things. You've done a good job making their content accessible.
Excellent!
~Norman Robinson
From: Webmaster
Date: Fri, Nov 25 2005 9:00PM
Subject: Re: Keylogging and PIN entry fields
← Previous message | No next message
Hi Chris,
Have a look here http://www.enetplanet.com/kb_fr/
This is the whole on-screen keyboard. Note that one can insert letters
with this virtual keyboard in the middle of the text. Besides it is
available in several languages. In principle I can do it in any
language, even in such as, say, Hebrew, where one has to write from
right to left.
So, I mean not only a pin, but the real passwords in any language are
possible with this approach. Besides there is the drop down on this
keyboard with all the symbols belonging the encoding. So a password can
be with symbols too!
brgds Alex
>
>