Citi-Bank Virtual Keyboard (is useless)

[mike () securityfocus com, /at/@securityfocus.com, sharecube () securityfocus com, /dot/@securityfocus.com, com () securityfocus com]

Virtual Keyboards (ala Citibank.co.in) are not very useful. They provide absolutely no protection whatsoever against 
keyloggers.

I have been to the citibank.co.in site and it is clear that even though the virtual keyboard is dynamic, it still 
places characters into a form field. Keyloggers can easily read this and all other fields on the form as plain text.

It is highly misleading to give the appearance of security because the numbers are displayed in some pseudo-random 
fashion.

Someone posted here that it is unfair to criticize to discuss the security aspects of the virtual keyboard because 
there were no other viable alternatives. The exact quote was:

Quote:

"Seriously!! Have you understood the purpose of the original post?? Well, saying virtual keyboards don't help much is 
like saying something as if some other option will really make it hack proof. Can you suggest something really 
hackproof?? ... Huh!!

/quote

The fact that virtual keyboards are marketed as security devices or enhancements makes them fair game for discussion. 
An open consensus will determine whether they are as secure as claimed by their well-intentioned developers. Period.

There are many alternatives. Sharecube (self-plug) makes one as do many other companies.

Mike Podanoffsky
mike at sharecube dot com