Can Screen Keyboards Foil Fraudsters?

By Brian McWilliams, Guest Columnist

February 17, 2005, 9:29 AM

PERSPECTIVE Citibank UK has introduced a unique method for beating online scammers. When customers log in at Citibank.co.uk, they're now required to enter their passwords using an on-screen keyboard.

According to Citibank, forcing customers to mouse-click their passwords on the pop-up keyboard, rather than typing on the mechanical one on their desks, will "reduce the chance of malicious software attempting to record keystrokes and steal your details."

A demonstration of Citibank's little innovation, which is based on a 1,040-line JavaScript program, is available here. (Windows users can achieve the same basic effect at any Web site via Windows' own on-screen keyboard. Simply type "start - run - osk".)

The Citibank UK screen keyboard makes its appearance at a time when banks are increasingly aware of the dangers of key-loggers and other malware. Earlier this month, a Miami businessman reportedly sued Bank of America after $90,000 was pillaged from his account via a Trojan horse program.

At first glance, Citibank UK's screen keyboard seems like a nifty stopgap solution, and its power could go beyond simply defeating key-loggers. Once users get conditioned to seeing the on-screen keyboard, scammers will find it harder to create convincing spoof sites. (Of course, the bad guys can always download Citibank's JavaScript and incorporate the screen keyboard into their phishing sites.)

I have to question, however, the wisdom of Citibank accommodating log-ins from customers infected with malicious software. Once safely inside the bank's site, the user remains vulnerable to Trojans harvesting other data. If Citibank UK truly wants to protect customers, it arguably would do better to offer free online virus scanning.

Security experts agree that Citibank's screen keyboard is no panacea. Michael Scher, compliance architect for Nexum, Inc., a Chicago-based IT security company, points out that some spyware programs already include the capability to capture cursor movements and mouse clicks. Other programs record all screen activity into a standard AVI movie or animated GIF file, he said.

Scher says relying on passwords for authentication is inherently risky, unless you use one-time passwords in conjunction with a hardware token, such as AOL's PassCode service.

Citibank UK appears to recognize that its screen keyboard isn't the ultimate solution to protecting customers from online scammers. According to the site, the new system is part of an "ongoing security program" that aims at "improving security in a way that does not inconvenience the customer."

Scher notes that both Citigroup and AOL are members of Liberty Alliance, a consortium hoping to develop a single, strong authentication device.

"I'm glad to see a bank thinking about the issues, but their real long-term solution is evident, I think, by their membership in Liberty," says Scher.

Brian McWilliams is a journalist and author of Spam Kings: The real story behind the high-rolling hucksters pushing porn, pills, and @*#?% enlargements.

Add a Comment (13 Comments)


By Neoprimal

posted Feb 18, 2005 - 7:04 PM

Another idea is to integrate some kind of 'online fingerprint recognition' system, then 'suggest' to users who want to be secure to buy some kind of fingerprint recognition device to further protect them. For users that opt out of doing that, getting into their account would be a username and password as usual; for users that opt in, their account would require their username, password and fingerprint.
Yes, phishing sites can get the username and password, but I doubt they'd have the technology to obtain every fingerprint (and even if they got one) exactly how would they duplicate it to then access the person's account?
Just an idea - I may be totally overlooking something or plain wrong, but I don't see why this can't be done.

Score: 0

By yuting

posted Feb 18, 2005 - 7:41 AM

The keyboard shows anyone around you exactly what you typed on screen... No matter how fast your typing is!

A desperate attempt... I doubt it will increase security much though.

Score: 0

By RobertM

posted Feb 17, 2005 - 5:02 PM

"Simply type 'start - run - osk'."

Type where? More like *go* to Start | Run and *then* type simply "osk".

That being said, this idea seems like it will help. Hopefully they also thought of accessibility issues, but I guess as long as it's "tabbable" it may work (but I couldn't seem to get tabbing to work, though I didn't try too much).

Score: 0

By DeadFly

posted Feb 17, 2005 - 12:05 PM

It's not a new idea, but it's good to see it getting more consideration. I think one time passwords are the best way though. It'll probably be hard to beat a logger that captures a movie of the screen, but a way to get around the logging of mouse movements is to have the keyboard layout randomly arranged each time (maybe double some letters and have blank keys) so the pattern of movements of the mouse gets them nowhere. The fact that keyboard hooks can log everything you type and screen captures get the rest was part of the reasoning behind the "trustworthy computing" initiatives by Microsoft (http://tinyurl.com/4utwu) and others (http://tinyurl.com/28ote), although they're making it hard to swallow by throwing in digital rights management. The idea is to make it so one program can't snoop on another; it's also implemented in hardware (Diebold, one of the companies that makes ATMs and voting machines, goes to great lengths to make sure the communications with the keypad you type your pin in on can't be intercepted. http://www.atfcu.org/display.php?tid=221 ).

Score: 0

By DiGiTaLFX

posted Feb 17, 2005 - 11:49 AM

Just tried the demo. And the keyboard doesn't work on the change password. surely they should have put it there too!

Score: 0

By PC Rat

posted Feb 17, 2005 - 11:11 AM

"scammers will find it harder to create convincing spoof sites. (Of course, the bad guys can always download Citibank's JavaScript and incorporate the screen keyboard into their phishing sites.)"

Bad guys can download the JavaScript right off the Citibank web page and paste it right in the code on their own fraud site, huh ?

Brilliant deduction Sherlock !

The DataRat

Score: 0

By mjm01010101

posted Feb 17, 2005 - 11:06 AM

What prevents phishers from doing the same thing? In fact it now is more possible to scam people because THEY WILL EXPECT this "keyboard" from now on on citibank sites.

A silly effort.

Score: 0

By PaulMWatson

posted Feb 17, 2005 - 11:05 AM

I just want to point out that Standard Bank of South Africa's internet banking service has done something similar for a while now. The pin entry opens up an onscreen keypad that you must use.

Score: 0

By Pipewrench

posted Feb 17, 2005 - 10:03 AM

On Screen Keyboard won't stop anything. And since when is a freaking bank responsible for keeping your computer virus free? Personally I think if you can't manage your own computer and keep it relatively safe you should not be able to own one. Everyone these days thinks that computers are toys and that they should be easy to use. Idiots. :-)

Score: 0

By justinb

posted Feb 17, 2005 - 10:25 AM

i agree with you on the bank not being responsible for keeping your computer virus free... that's kinda like saying large businesses should provide medical treatment to their customers so they don't suddenly die or something...

Score: 0

By horsecharles

posted Feb 17, 2005 - 12:40 PM

Yes, agreed...
though it can be tough in a non high income family environment (& also for someone who, unlike folks like us, doesn't wish to become a pc hobbyist): say you're a working parent w. long work hours-- do you get a separate computer for each family member, and as well a separate web connection & peripherals (no networking of anything to preclude rogue entry)? Or/and can we expect such a person (ALL such persons) to become their home network admin, putting site restrictions in place, monitoring network traffic, having to sit there through all that & daily scan before being able to fetch their email?

I actually place more responsibility at the OS maker's feet-- in this case omnipresent MS: their anti-spyware beta is too little too late, though commendable. But their firewall, as well as a bunch of other resource-hogging services, was subpar & an unnecessary effort: much better would it've been to place a post-install restriction w/ an autorun html page containing links to all major firewall, av, spy authors-- so right after install, if windows did not detect firewall, av, & spyblocker in place, one's webaccess would be limited to those security sites. OR/AND: incorporate things like IESpyad, Spywareguard, HijackThis!, mail scanner, etc. WITHOUT buying them out-- letting them stay independent.
A great service to have running regularly by default would be something like a combo spy-blocker/remover/startup & process monitor-- and all processes listed on the report would be clickable: linking to a webpage offering a definition(s).

Peace.....

Score: 0

By Pipewrench

posted Feb 17, 2005 - 12:51 PM

I don't agree. People should learn how to use a tool before they jump in head first. The computer is a tool before anything else. It's not that hard to run antispyware apps and keep antivirus up to date. The problem is that everyone assumes that it's the fault of the OS. It's not. It's the fault of the user. If a person has no time to maintain their tool then they shouldn't buy it. If you don't know how to work on your car you get it serviced by a mechanic. If you don't ever service it eventually it breaks down. Same with a computer. Either learn how to do it yourself or get a professional to clean up your computer every now and then.

Too many users buy a computer and think they will never have to do anything with it. They should expect to pull maintenance on it just like a car.

Maybe they should just go buy an Apple Computer. :)

Score: 0

By horsecharles

posted Feb 17, 2005 - 1:32 PM

I agree w/ everything you say, Pipewrench-- on an individual basis.

But being realistic: statistics dictate though, there will always be a certain percentage of.....

Apple has yet a chance to rise further if they're smart about strategic alliances re new technologies: IBM/Sony/Motorola new processor (smaller, cooler, 10x faster), terabyte compact discs & terabyte hard drives, Sun grid arrays of processors & ram (no need for bus)--
They could supplant MS if they join up-- after all, at such speeds even a virtual windows would run faster than regular windows does today.

Score: 0