Computer Security Myth: Defeating Keyloggers With Onscreen Keyboards

Martin Brinkmann
Jun 15, 2009
Updated • Dec 9, 2014
Security

I recently read a few articles that gave readers the tip to use onscreen keyboards to defeat keyloggers installed on the computer system.

The idea behind the tip is that keystrokes cannot be logged because you are not pressing physical keys. These experts suggest using onscreen keyboards for important tasks on the Internet such as online banking, making online purchases or communicating with select people.

The theory that keyloggers can be defeated with onscreen keyboards is unfortunately a computer security myth.

It is definitely true that some keyloggers, especially those that only record the keys that the user types on the computer keyboard, can be defeated with onscreen keyboards.

There are however advanced keyloggers in circulation that use several methods to record the information anyway. Some are able to record the keys that get clicked on, others may use screenshots to find out about the keys or track mouse movement and the position of open windows on the desktop. It is then a matter of simply reconstructing the mouse movement to know exactly what a user typed on a computer system.

There is only one 100% reliable way of defeating keyloggers, and that is to not use computer systems for sensitive information. That's not always practicable, but it is possible to reduce the chance that keyloggers are installed by running good antivirus software.

Again: I'm not saying that you cannot defeat some keyloggers by using onscreen keyboards. Depending on their functionality it may very well be possible, but you won't be able to defeat them all using this type of program.

You can check out Raymond's article on the topic where he tested several onscreen keyboards against a variety of keyloggers. Most failed while one seems to have passed his test.


Comments

  1. unixunited said on May 29, 2011 at 2:00 am

    The on screen keyboard countermeasure can easily be subverted by hooking the osk.exe process, and then intercepting the virtual key codes.

  2. John said on June 18, 2009 at 4:23 am

    There is a free Firefox and IE addin antikeylogger program called Keyscrambler. Check it out at http://www.qfxsoftware.com/.

  3. sunshinekhan said on June 17, 2009 at 3:25 pm

    depends entirely upon your system and the protection under the hood…now what kinda keyloggers are we referring to…setup intentionally, malware or what???

  4. Tobey said on June 16, 2009 at 5:48 pm

    At least you can bypass hardware keyloggers.. though, these ain’t very common. Perhaps Martin, you could elaborate on some functions of the AKLog software anti-keylogger sometime ?

  5. jayminho said on June 16, 2009 at 7:10 am

    I disagree with you. Actually, screen keyboards are very useful.
    In order for a keylogger to record your screen 100% correctly, it would have to be taping or taking pictures at a 1 second or less ratio,
    which is not the case.
    The majority of the keyloggers I try and counter test are set by default to “take screen shots every 30 seconds” or every 60 seconds and so on.
    Well, in less than 4 seconds, you input your password on a screen keyboard.
    So, yes, screen keyboards are very effective, though definitely not flawless. Nothing is, as you very well mentioned.

    Still, if you want to give a try at a good keylogger “defender”, I suggest you try keyscrambler.

  6. Rarst said on June 16, 2009 at 7:09 am

    If you got malware already in your system and active – you are pretty much screwed. It must not either get into PC at all or at least must not get access to system. Past that it’s using umbrella against flood. :)

  7. Salz` said on June 15, 2009 at 11:09 pm

    I’m not sure if there is something like that, but I would believe that there is a generic interface for all keyboards. And in the end nobody can tell you what kind of keyboard you use.
