How does a virtual keyboard work for security purposes?
I know there are several posts here citing the pros/cons of virtual keyboards to avoid keyloggers , but I didn't see any that went into that particular point:
How do those bank type virtual keyboards work? Where instead if you enter the password, you click on a combination of numbers.
[(1, 4, 6), (2, 3, 5), (7, 8, 9), ...]
What is the logic to ensure more security, obviously in addition to not entering the password explicitly? If I could capture the clicks by x times, can I deduce the password? What is the logic to validate the password and ensure authentication?
1 answers
These keyboards generate the numbers in random positions, which will vary between user accesses. Thus, even if you can know which buttons the user used, you are not sure of the correct password.
For example, assuming a dummy password like 021793. The keyboard could display the following options:
The user must use the buttons in this order:
[0 or 4], [2 or 6], [1 or 5], [7 or 9], [7 or 9], [3 or 8]
You already know which buttons he used this time, but to guess the password at the base of brute force you have a space of 26 = 64 combinations. Remember that the bank will lock the password after a few attempts with error(most banks lock with 3).
The next time the user enters the system, if you capture the clicks again, you will have a set of 64 combinations different to try.
So, in theory, this would make the system safer because it would obfuscate the password. In practice this is great to prevent a person looking over your shoulder from guessing your password. But note that instead of trying to break the password in brute force, an attacker could simply do a statistical analysis of the buttons used.
In other words: when accessing the bank page again some time later, we will have another keyboard. We have again 64 combinations, but not all of these combinations are the same as in the previous set. An attacker would have the divination space greatly reducing by analyzing only the intersections.
If we take the keyboard of the photo and change:
- the first key to [0 or 6];
- the third key for [2 or 4];
We will already know in the second access of the client that the first number of the password is 0, since the first number must be the intersection of sets {0, 4} e {0, 6}. The second number of the password also became easier to guess, for the same reason.
I may have made guessing the password seem easy, but it's not trivial to capture the user's screen. The bank page has its mechanisms to prevent you from watching the clicks. In addition, banks usually also ask for the installation of browser extensions and sometimes even external programs to increase security.
A only way to break the security of such a password accurately is by filming the user with cameras during several different accesses. Maybe you can do it with an office security camera, if the employees in the office use Internet Banking . Or you could use a camera with a very large zoom to film a neighbor as he accesses the bank. However, this type of attack is so elaborate that it becomes cinematic.
In addition, all the what you would get would be to see the user's balance. All the banks I know still require other forms of authentication to allow any account movement.