On 12/6/07, Fred Jones <fredthejonester at gmail.com> wrote:
>
> Erm, if someone has installed a keylogger on your machine, then what
> you send back to their server, is still whatever your PIN/password is.
>
> Perhaps I wasn't clear. My PIN is 123 let's say. When I go to the
> homepage today 1 on the graphical keypad is A and 2 is B and 3 is C so I
> login with password ABC. But tomorrow 1 is labeled with a Q and 2 Z and
> 3 F so I login today with password QZF. Even if you KNOW how I login
> this time, it won't help because the next time I login, the password is
> different--it's different letters each time I login.

Yes, this defeats the keylogger attack. ING has had this for a while.

I have wondered whether it is still possible to get the contents of that
text box, because presumably the content of the box is your PIN and not
the letter-translated value. However, it seems odd that they wouldn't go
the next step and store the translation algorithm in session and have
the keypad output the translated value of your PIN into the box (which
would then be translated back to your numeric PIN on the server).

-- 
Matt Warden
Cincinnati, OH, USA
http://mattwarden.com

This email proudly and graciously contributes to entropy.