Computer Security Myth: Defeating Keyloggers With Onscreen Keyboards

I recently read a few articles that gave readers the tip to use onscreen keyboards to defeat keyloggers installed on the computer system.
The idea behind the tip is that keystrokes cannot be logged because you are not pressing physical keys. These experts suggest using onscreen keyboards for important tasks on the Internet such as online banking, making online purchases or communicating with select people.
The theory that keyloggers can be defeated with onscreen keyboards is unfortunately a computer security myth.
It is definitely true that some keyloggers, especially those that only record the keys that the user types on the computer keyboard, can be defeated with onscreen keyboards.
There are however advanced keyloggers in circulation that use several methods to record the information anyway. Some are able to record the keys that get clicked on, others may use screenshots to find out about the keys or track mouse movement and the position of open windows on the desktop. It is then a matter of simply reconstructing the mouse movement to know exactly what a user typed on a computer system.
There is only one 100% reliable way of defeating keyloggers, and that is to not use computer systems for sensitive information. That's not always practicable, but it is possible to reduce the chance that keyloggers are installed by running good antivirus software.
Again: I'm not saying that you cannot defeat some keyloggers by using onscreen keyboards. Depending on their functionality it may very well be possible, but you won't be able to defeat them all using this type of program.
You can check out Raymond's article on the topic where he tested several onscreen keyboards against a variety of keyloggers. Most failed while one seems to have passed his test.
The on screen keyboard countermeasure can easily be subverted by hooking the osk.exe process, and then intercepting the virtual key codes.
There is a free Firefox and IE addin antikeylogger program called Keyscrambler. Check it out at http://www.qfxsoftware.com/.
depends entirely upon your system and the protection under the hood…now what kinda keyloggers are we referring to…setup intentionally, malware or what???
At least you can bypass hardware keyloggers.. though, these ain’t very common. Perhaps Martin, you could elaborate on some functions of the AKLog software anti-keylogger sometime ?
I disagree with you. Actually, screen keyboards are very useful.
In order for a keylogger to record your screen 100% correctly, it would have to be taping or taking pictures at a 1 second or less ratio,
which is not the case.
The majority of the keyloggers I try and counter test are set to default “take screen shots every 30 seconds” or every 60 seconds and so on.
Well, in less than 4 seconds, you input your password on a screen keyboard.
So, yes, screen keyboards are very effective, though definitely not flawless. Nothing is, as you very well mentioned.
Still, if you want to give a try at a good keylogger “defender”, I suggest you try Keyscrambler.
If you got malware already in your system and active – you are pretty much screwed. It must not either get into PC at all or at least must not get access to system. Past that it’s using umbrella against flood. :)
I’m not sure if there is something like that, but I would believe that there is a generic interface for all keyboards. And in the end nobody can tell you what kind of keyboard you use.