Antivirus vendor introducing virtual keyboard for secure Ebanking

Summary: Kaspersky's most recent product launch, Kaspersky Internet Security 2009, features a virtual keyboard, "a secure pop-up that enables logins, passwords, bank card details and other important personal information to be entered safely to prevent the theft of confidential information", aiming to protect users from keyloggers and consequently provide a safer Ebanking experience.

More info:

Kaspersky Virtual Keyboard

"Full details have yet to be confirmed, but it is understood that the program will let users bring up the keyboard from which to enter login details for Web sites such as online banks that might be vulnerable. The on-screen keyboard will cache the keystrokes, protecting them from recording programs that would pick up physical keystrokes coming via the keyboard driver. It's not a new idea but Kaspersky is the first major security vendor to include such a feature in a standard Net security program."

Will keylogging evolve into clicklogging? Truth is, clicklogging by malware has been around since 2006.

Going mainstream with such a feature means the vendor has built enough confidence in its ability to provide a safer Ebanking experience. However, it doesn't, at least not in its current form, and not with respect to the current threatscape, which has long moved past keylogging, perhaps because of the two-factor authentication in use: every decent banker malware out there relies on form, session, and TAN grabbing, rendering SSL and two-factor authentication irrelevant.

Back in 2006, before Hispasec (the folks behind Virustotal.com) released an analysis of a banker malware that was successfully defeating virtual keyboards, I made a comment that is still relevant two years later as far as virtual keyboards are concerned:

"Anything you type can be keylogged, but generating videos of possibly hundreds of infected users would have a negative effect on the malware author's productivity, which is good, at least for now. Follow my thoughts: the majority of virtual keyboards have static window names and static positions, and the mouse tends to move over X and Y co-ordinates, therefore doing a little research on the most targeted bank sites would come up with a pattern, a pattern that should be randomized as much as possible. Trouble is, the majority of phishing attacks are still using the static image locations of the banks themselves, when this should have long been randomized as well. OPIE authentication, suspicious activity based on geotagging anomalies, and a transparent process for the customer -- please disturb me with an SMS every time money goes out -- remain underdeveloped for the time being."

A year later, a proof of concept for defeating Citibank's virtual keyboard was released online; it worked even though Citibank's virtual keyboard displayed the keys in random positions. Ebanking malware is anything but old-fashioned, and so instead of coming up with features that the developers behind the most popular crimeware kits merely think would work in a real-life situation, they have started developing specific modules tailored to the authentication and session handling of the most popular banks on a per-country basis.

It will be very interesting to monitor developments on the keylogging front, especially now that an antivirus vendor is going mainstream with the feature, which is bound to attract a lot of malicious attention, since users will be logging in with it at many other places besides their bank accounts.

Topics: Banking, Hardware, Malware, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

3 comments
  • The price of security

    Security always has a price: any image of security is associated with an assumption of security. At best, that assumption matches the true security. In reality, I believe it always falls slightly short.

    Someone who uses this may decide that they don't need X or Y protection because they have Z virtual keyboard program.
    cmdrrickhunter@...
  • Lame. Here is a better idea...

    For a real virtual keyboard solution that actually makes sense (AES 1-time symmetrical keys) search Yubikey.

    You will thank me later.

    Enjoy ;)


    - futureprogress.net


    (disclaimer: I am not affiliated with the makers of yubikey, just a fan)
    Gabriel Kent
  • Hardware vs Software

    Yubikey and other physical device solutions are good, but only if the software provider uses them.

    In the case of Kaspersky they have obviously decided that they would rather integrate security controls into the software package, rather than rely on a hardware device. Of course using both secure software and hardware is probably a much more secure solution. By using a one-time passcode it wouldn't matter if someone captured the keystrokes as they are no longer valid.

    The question then arises - would end-users be willing and able to use a hardware device? The answer is undoubtedly yes. As more companies mandate the use of hardware devices then people will be more and more comfortable using them.

    And in the case of the Citibank virtual keyboard, of course it is not foolproof. Screenshot software has been around for years. If it is set to take a screen shot often enough it would capture the user "typing" on the virtual keyboard. Kaspersky will undoubtedly run into the same bad press based on their own "solution" unless there is something provided that remedies this concern.

    MBridge
    MBridge llc
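The one-time passcode point made in the last comment (a captured code is worthless once it has been used) can be shown concretely with an RFC 4226 HOTP verifier. This is an added example, not code from the post, from Kaspersky or from Yubikey; it assumes a server-side moving counter with a small look-ahead window, and the secret is the RFC 4226 test value. Note that it only addresses replay of a captured code, not the session grabbing the post describes.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class OtpVerifier:
    """Server-side state for one user: shared secret plus a moving counter.

    A submitted code is accepted only if it matches one of the next `window`
    counter values (the user may have pressed the token without logging in);
    on success the counter moves past the matched value, so a code that was
    observed and replayed later can never be accepted a second time.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            candidate = self.counter + i
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # burn this and every earlier counter
                return True
        return False


def replay_demo():
    """Legitimate login followed by a replay of the same captured code."""
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed demo value)
    server = OtpVerifier(secret)
    user_code = hotp(secret, 0)  # what a clicklogger or screenshot would have captured
    first = server.verify(user_code)
    replay = server.verify(user_code)
    return first, replay


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```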