Question about Windows On-Screen Keyboard

Following up a link posted by JRViejo in another thread (IE8, Chrome have most momentum in browser wars):

http://www.maximumpc.com/article/features/ultimate_greasemonkey_guide_google_chrome?page=0,1

Among the Greasemonkey scripts that work with Chrome, there's one - Virtual Keyboard Interface - where they state:

My question is, if I use Windows On-Screen Keyboard when I use my credit card, would that protect me from keyloggers? In other words, would a keylogger who installs successfully on my system read the On-Screen Keyboard as well?

 

I've read that they will (read the On-Screen Keyboard as well), but I don't have links handy to point to where I read it.

I take that back... I found a link.

http://www.pcmag.com/article2/0,2817,1978513,00.asp

 

Thanks, for a moment I thought there was a neat simple way to avoid installing a dedicated program to fight keyloggers. Would that apply to the Greasemonkey script as well?

 

Can't answer your question Osaban, but I'm hoping it employs the same technology used in Neo's safekeys. That seems to avoid keyloggers and works as a small .exe.

You type your details, then drag and drop the typed words to your selected field.

If you want the link, see:
http://www.aplin.com.au/?page_id=368

And full features:
http://www.aplin.com.au/?page_id=349

Has a portable version, one small file. It was featured on lifehacker and a few other sites.

 

Thanks Saraceno! It looks interesting and safer than the Greasemonkey script. Do you use it yourself ?

 

It's a good program. I was using the old version which was a simple keyboard.

After you posted, I searched for a website download, as I must have downloaded a version from a couple of years ago, when it was promoted as one of the safest ways to prevent keystrokes being logged.

The new version has a number of features, such as randomly inserting characters into your password, and then removing them just as you go to drag it in, changing the mouse cursor to a 'small grey dot', so screen capture programs don't know which keys you are pressing, a feature where you hover over the keys and it selects the key and so on.

On university, shared work systems etc (I do use it - it runs off my USB - and I've been stung by a keylogger before on a shared system - some people are just 'nosey' I guess - later changed my password). It might not be 100 per cent security, but surely would make it much more difficult for someone to re-trace my login. As the keyboard and clipboard aren't used.

Thanks to your post, I now have a better version.

Some small reviews:

http://www.techsupportalert.com/best-free-onscreen-keyboard-osk.htm


http://windowssecrets.com/reviews/1-Security/107-Best-free-browser-security/

 

Another interesting article:
http://www.techsupportalert.com/improving-public-terminal-security.htm

Another tip - start typing some of your password, with the regular keyboard, and you can drag-drop some other fields, then finish with keyboard to confuse someone checking the logs.

eg. password: August2309
Type: A (keyboard) ugu (SafeKeys - drag/drop) s (keyboard) t23 (Safekeys) 0 (keyboard) 9 (Safekeys)
Keylogger sees - you typing website address, then type some random characters into the URL bar, logger should see the As0, part of your password and then more random characters in the URL bar, so eventually sees in the log first the bank URL (for example - http://www.commbank.com.au/), then jkaskas79As0kadsu808.

Some keyloggers do mark where you click the mouse, as in, click on notepad, click on browser. So if you type all your random details in the browser, might help.

But without confusing myself, I would trust just the safekeys to do the work. Worst case scenario, monitoring program sees bank URL, then safekeys load off USB, then click to login, then close browser. They know you used something to hide your password, but nothing they can do. They install screen capture program, so you use the hover feature and hidden entry, the 'ghost symbol'. They can't see much at all. Besides, you'll notice the system most likely churning away if it was taking screenshots every few seconds.

 

Again thanks for the tips and for suggesting this little program. Key logging is the only thing that leaves me a bit anxious, as a matter of fact I stopped doing bank transactions online as there are too many awful stories going around.

 

Most importantly, you'll notice that:

It protects you against keylogging.
Protects you against clipboard logging.
And mouse position logging (as in, clicked in browser, clicked on taskbar etc) - especially if you select the hover and hidden entry feature.

And the last one above, should protect you against screen grabs.

Another tip, would be, saving this to your free email, downloading it to the desktop on each system you want to run, but saving it as a random name.

Eg., I just deleted the Neo's safekeys part from the filename and the process and description come up as:


So send it to your private email (gmail/gmx.com/hotmail) as '1'. And you can download it to the desktop, and rename it as anything you want, before running. In the logs, a program called '1', or better yet, 'calc.exe' or 'svchost.exe'.

Either way, the person has to wade through a ton of junk, and won't suspect a process called 1, or calc.exe or svchost.exe running as being anything suspicious.

 

Just for your interest Osaban, works in google chrome.

I tested out the drag-drop with the 'August2309' password using the 'ghost feature' where nothing is pressed, or no cursor is seen.




Now if you were worried, a program could track 'Neo's input', even though I selected the ghost feature, you can select to add a ton of extra characters.



When you click the button again, the characters are removed.



No lastly, without boring you too much, it has a feature which 're-orders/scrambles' the actual keyboard and on-screen keyboard. This took me awhile to type in the password, as I had to count across how many keys to hit the key.

To hit the 'A' I had to press in shift and 'J' on the actual keyboard. 'u' was now '0' and so on. I'm not sure how difficult that works, and if a keylogger's keys would be re-ordered as well (someone would have to test, but that may defeat a hardware based keylogger?), but you can see how difficult the program makes it.



I'd use all the options except for the last one above. Renaming the file, the ghost feature, and extra keys. That should do the trick.

 

Well I'm really impressed, it is a little program that offers a lot of possibilities without any impact on the system. It is odd that it is virtually unknown and free. I particularly like the ghost feature. I've already tested it on my Vista system and it works very well.