Security Virtual Keyboards: Why you should avoid using them

Virtual keyboards are popup keyboards that allow you to enter text into a form. These keyboards appear on the screen and allow you to type in text. On devices such as smartphones in which maximising the viewable screen is crucial, virtual keyboards are ideal because they appear only when they are required. After they are done with they disappear, returning the area they occupied back to the user. In those environments in which miniaturization is not so important, physical keyboards are normally the preferred device to enter text into an application although many computers support virtual keyboards to cater for those instances when a keyboard is not available.

Security Virtual Keyboards (SVKs) have evolved from the standard virtual keyboard and are marketed by organizations that sell or use them as tools that enhance security. These keyboards are normally associated with particular text boxes in a form and will automatically pop up when the person filling the form lands on the text box associated with the SVK.

SVKs are similar to standard virtual keyboards in that both are not physical. They normally differ in that:
        The layout of the keys changes each time the SVK pops up;
        They disable input through a physical keyboard even when a physical keyboard is present;
        What is typed is not shown in the text box (as is the case with password fields).



While they are usually associated with password fields there are organizations that go wild and fire up SVKs with other inputs such as usernames.

SVKs are a bad idea and any security-conscious organization should avoid using them.

  1. Fact: SVKs make use of a pointing arrow (or finger)
In crowded environments such as offices and client-facing environments, observing the position of a moving white arrow or an index finger on a laptop touch screen is easier than observing the letters being punched in with a keyboard.


Source: https://www.pexels.com/photo/business-businessmen-classroom-communication-267507/

  1. Fact: SVKs slow users down.
Since the layout of the keys constantly changes users need to constantly reorientation themselves on where the keys are. This considerably slows down the user thereby making it easier for an onlooker to read what is being entered.

  1. Fact: SVKs advertise themselves to casual hackers.
In an office full of keyboards hearing the tapping of fingers on keys is an expected event. No one’s attention would be alerted. On the other hand, a keyboard-on-the-screen is not a common occurrence and a casual onlooker might be tempted to “discover more”.

  1. Fallacy: SVKs make it difficult for key loggers to grab a password.
Key loggers constitute the simplest and most basic method of eavesdropping. Today software that allows content to be captured go beyond simply reading the keyboard stream; they capture screens as well as all mouse actions thereby allowing SVKs to be circumvented.  So the act of simply moving keys around on a desktop will not circumvent malware that monitors such activity.

In the networked world we live in, most unauthorised eavesdropping has evolved beyond screens, they intercept the stream of communications between the device by tapping into the communication stream between the source of the communication (the user) and the destination (the place the user wants to interact with) or by pretending to be the destination (phishing).

Companies that market SVKs have a commercial intention of convincing us that their product enhances security and some of us take their advertising claims as factual. We need to challenge marketing statements so as to avoid a false sense of security.

Security is a dynamic topic that evolves. Even if something was an effective security tool in the past, changing technologies and how we work could not only make the tool ineffective but could be abused by hackers. One needs to constantly be on the alert.


Comments

Post a Comment

Popular posts from this blog

20150628 Giarratana Circular

Statistics Date: Jun 28, 2015 4:34 pm Distance: 15.21 km Duration: 2h:35m:36s Avg Speed: 5.87 km/h Max Speed: 7.40 km/h Min Altitude: 489 m Max Altitude: 594 m Ascent: 249 m Descent: 261 m Route Open route in new window: https://www.google.com/maps/d/edit?mid=z6HKMq7G_wEk.keh2K8cXD6Cc&usp=sharing Photos (Geotagged) Open photos in new Windows: https://plus.google.com/photos/105470926677245165774/albums/6166646868710719889
Read more

HOWTO setup OpenVPN server and client configuration files using EasyRSA

Image
Introduction OpenVPN allows client computers to tunnel into a server over a single UDP or TCP port securely. This HOWTO article is a step-by-step guide that explains how to create the server and client OpenVPN configuration files that makes this possible. In the process this article explains how to create the public key infrastructure (PKI) so that a client can securely communicate with the server. OpenSSL is the foundation for the security functionality of OpenVPN. For this tutorial you will need the following software: OpenVPN. You can download the latest version of OpenVPN from https://openvpn.net/index.php/open-source/downloads.html EasyRSA is the tool people use to create the Public Key Infrastructure (PKI) for OpenVPN. Download the latest release of EasyRSA from https://github.com/OpenVPN/easy-rsa/releases . There is not installation required. Extract the contents of the archive into a folder. OpenVPN is available on various platforms. The generation of the
Read more

How To Reset the firmware, wifi on GoPro Hero 3, 3+ and sync it with latest version of GoPro Quik

Image
Like others, I fished out my old Go Pro HERO 3+ and found that I could not link to it via WiFi because I had forgotten the password. A quick search on the internet and it seems that there are still many users of this good, albeit old Action Cam. Some had purchased one off eBay or from a second-hand shop while others, like me, found it in a drawer and decided to repurpose it. If the GoPro has not been used for a while it might not be on the latest firmware. Note that these models are no longer supported. The common thread is that without the Wi-Fi SSID and password, it isn't possible to control the camera from the phone using GoPro's Quik software. I referenced these sites: 1.  HERO3/3+ Information And Troubleshooting : This is an official GoPro Site from where you can download the camera firmware and update the camera Wi-Fi for the HERO 3 and HERO 3+. 2.  Software Update and Reset for GoPro Hero 3, 3+ and 4 : This is another source for firmware (covers more models) and there is
Read more