A Weblog About Topics and Issues Discussed in the Book Spam Kings by Brian McWilliams


February 17, 2005

Can screen keyboards foil fraudsters?

Citibank UK has come up with a unique, if potentially flawed, method for beating spyware, key-loggers and other malicious software designed to steal passwords.

As I report in this story at BetaNews, customers who log in at Citibank.co.uk are now required to enter their passwords using an on-screen keyboard.

The idea is to prevent malware from being able to "see" what users type on their physical keyboards. It seems clever at first glance, but the technique isn't actually very secure. (It also comes up way short in the usability department, according to this item at BoingBoing.net.)

There's a link in the article to a working demo of the Citibank UK screen keyboard (you don't need to be a customer to try it out).

Posted by brian at February 17, 2005 10:04 AM


Easy to defeat. Java applet keyboard on phishing scam page, customer enters data by way of keyboard, web page grabs data using form grabber and not lame keylogger and then page says Error and redirects back to the main page of the real site. Then customer tries again and it works.

Then phisher keeps or sells data or uses it right away at the ATM.

Easy hack. No work involved. Lame attempt by banks at trying to solve phishing exploits.

Only way to be 99.9 percent effective is to use retinal scans or combo retinal and fingerprint scans using cheap affordable USB kits made by the banking sector and given to customers for free using the bazillions that banks have already made off of fee increases due to fraud that they themselves allow.

It's all about money. If they really wanted to stop fraud by phishing they could do it in less than a year by using available technologies that customers would immediately get, because customers DEMAND security that banks REFUSE to allow or obtain despite knowing the simple tools to make it work.

As long as Banks make money off of fraud they will do ZERO to remove it and only use the token efforts above to placate an already growing dissatisfaction by the populace with the banking system in place.

If the banks do nothing then they will be accused of doing nothing and making billions off it in increased fees that they do NOT use to actually increase security except for themselves in their own homes with money they pocket from every day consumers that get ripped off day after day while greedy rich bankers make billions off of their backs.

Jimbo JoeBob Jones

Posted by: Jimbo Jones at February 20, 2005 10:55 PM

