Can Screen Keyboards Foil Fraudsters?

PERSPECTIVE

Citibank UK has introduced a unique method for beating online scammers. When customers log in at Citibank.co.uk, they're now required to enter their passwords using an on-screen keyboard.

According to Citibank, forcing customers to mouse-click their passwords on the pop-up keyboard, rather than typing on the mechanical one on their desks, will "reduce the chance of malicious software attempting to record keystrokes and steal your details."

A demonstration of Citibank's little innovation, which is based on a 1,040-line JavaScript program, is available here. (Windows users can achieve the same basic effect at any Web site via Windows' own on-screen keyboard. Simply type "start - run - osk".)

The Citibank UK screen keyboard makes its appearance at a time when banks are increasingly aware of the dangers of key-loggers and other malware. Earlier this month, a Miami businessman reportedly sued Bank of America after $90,000 was pillaged from his account via a Trojan horse program.

At first glance, Citibank UK's screen keyboard seems like a nifty stopgap solution, and its power could go beyond simply defeating key-loggers. Once users get conditioned to seeing the on-screen keyboard, scammers will find it harder to create convincing spoof sites. (Of course, the bad guys can always download Citibank's JavaScript and incorporate the screen keyboard into their phishing sites.)

I have to question, however, the wisdom of Citibank accommodating log-ins from customers infected with malicious software. Once safely inside the bank's site, the user remains vulnerable to Trojans harvesting other data. If Citibank UK truly wants to protect customers, it arguably would do better to offer free online virus scanning.

Security experts agree that Citibank's screen keyboard is no panacea. Michael Scher, compliance architect for Nexum, Inc., a Chicago-based IT security company, points out that some spyware programs already include the capability to capture cursor movements and mouse clicks. Other programs record all screen activity into a standard AVI movie or animated GIF file, he said.

Scher says relying on passwords for authentication is inherently risky, unless you use one-time passwords in conjunction with a hardware token, such as AOL's PassCode service.

Citibank UK appears to recognize that its screen keyboard isn't the ultimate solution to protecting customers from online scammers. According to the site, the new system is part of an "ongoing security program" that aims at "improving security in a way that does not inconvenience the customer."

Scher notes that both Citigroup and AOL are members of Liberty Alliance, a consortium hoping to develop a single, strong authentication device.

"I'm glad to see a bank thinking about the issues, but their real long-term solution is evident, I think, by their membership in Liberty," says Scher.

Brian McWilliams is a journalist and author of Spam Kings: The real story behind the high-rolling hucksters pushing porn, pills, and @*#?% enlargements.

© 1998-2018 BetaNews, Inc. All Rights Reserved.