[thelist] Keylogging and pin entry fields (and an attempt at a clean solution)

Ken Schaefer Ken at adOpenStatic.com
Thu Nov 24 18:07:30 CST 2005


We've looked at these things as part of work we've done for various financial
institutions and others. From what I understand, these types of pads don't
really add very much to the security of the system (and in fact can undermine
the security of the system by making shoulder surfing easier).

Software keyloggers (apparently) also typically log submitted form data -
since this is in the clear, they have the user's PIN. This type of pad would
defeat a hardware keylogger (placed between the keyboard and computer), but
there are other ways of doing this that don't involve JavaScript at all. For
example, one bank asks for 3 random digits from your account number, and 3
random digits from your password. A keylogger (software or hardware) in this
case never gets the user's entire username or password, making it difficult
for an attacker to do anything with the data.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Christian Heilmann
Sent: Thursday, 24 November 2005 7:30 AM
To: thelist at lists.evolt.org
Subject: [thelist] Keylogging and pin entry fields (and an attempt at a clean
solution)

I had to deal with a client requirement today that puzzled me. The
product is a banking application and there will be a login that
requires a 4 number pin.

Now, normally I'd have used a password field for that - as it is the
most accessible solution, but the client requested a pin entry pad
like the ones you see on cash machines.

The users should use their mouse to enter the pin.

The reason (not marketing as I originally thought): Keylogging
software that might record the pins users enter. Therefore as a safety
measure the pin pad was requested.

I came up with a DOM solution for the issue and would appreciate some
feedback and testing of it. If it were to be considered good, I will
release it as a download later:

http://www.icant.co.uk/sandbox/pinpad/test.html

More info and comment facility on the blog:
http://www.wait-till-i.com/index.php?p=193

I really wonder if there is a non-JavaScript dependent solution to
this problem. Well, 4 dropdowns with 0 to 9 would be one, but that is
as trackable, isn't it?

--
Chris Heilmann 