If you look carefully about how it's implemented, it cannot help if a
Trojan is onboard gathering the requisite login information, such as
a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123",
the value submitted to the website is the same every time. This
virtual keyboard implementation is not robust against anything but
keylogging trojans. Therefore it's security theatre. As a Westpac
customer, I find this frustrating as I have to use this "feature" in
public places frequently, and I'm more concerned about shoulder
surfing in those places.
An example Trojan which is close to breaking the new virtual keyboard:
http://www.symantec.com/avcenter/venc/data/pwsteal.bancos.q.html
These virtual keyboards violate accessibility requirements (which are
required to be accessible by law here), and do not fix the primary
issue - phishing.
There's little value in getting into any particular user's Internet
Banking session. The value to the phisher is to conduct transactions,
particularly to move funds out of the country. The only way to reduce
the risk of that today is transaction signing. There are many
different ways of doing this. As a Westpac customer, I'd prefer it
they didn't spend good money on useless toys, but on real ways to
reduce fraud and risk to me.
Andrew
On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:
> Westpac Bank in Australia has recently put an on-screen keyboard up.
> Check it out here:
>
> https://online.westpac.com.au/esis/Login/SrvPage
>
- application/pkcs7-signature attachment: smime_p7s
Received on Mar 28 2006
Intro
