ON-SCREEN KEYBOARD

Whenever I am in an internet cafe and I see someone using their credit card, usually to book an online flight, they always type their credit card details into the appropriate boxes by hand, and always in number order. In other words, if their card number is 1234 they always type it by hand as 1 2 3 4, when what they should be doing is typing 1 2 3 4 in a random order.


Fig 1.0 - Type 3
Fig 1.1 - Cursor Left
Fig 1.2 - Type 1
Fig 1.3 - Cursor Right
Fig 1.4 - Type 4
Fig 1.5 - Cursor Left Twice
Fig 1.6 - Type 2
Fig 1.7 - Cursor Right Twice


What the above does is make it harder for a key-logger to guess your numbers. A key-logger works by storing, in a log file, the byte value of each key you press on the keyboard. So when you press number 1 it stores the byte value 49, which is the byte value for number 1. When you press number 2 it stores the byte value 50, which is the byte value for number 2. And so on. So with numbers 1 2 3 4 it stores byte values 49, 50, 51 and 52. The log file can also store characters (letters).

Now imagine you are on a flight website, booking a ticket. As you type in your name, address and credit card details the log file is recording (saving) those details as key strokes (keys pressed). When the key-logger program detects you have finished booking, because you left the flight website for example, it knows its next job is to upload (send) the log file to its analysing computer as soon as possible. On the other hand, it might upload the log file one piece at a time as you are typing (i.e. for every line you type, it sends).

The analysing software knows how to interpret the data inside the log file because of certain information that was added to the log file before it was sent, such as the name of the website. For example, if you ordered your ticket from www.StupidFlightBookers.com the analyser knows how the www.StupidFlightBookers.com website wants your information entered. So if you entered your information as follows...

John Cairns
23 Beach House
Erfurton Road
London
SW2 1RX
Italy
2 Weeks
7th August
21st August
1 Adult
0 Children
Visa
0123456789
10
08
123

...the key-logger might have added www.StupidFlightBookers.com to the beginning or end of the log file, as an identifier. So if the person(s) behind the scam are only interested in credit card details, for example, they would programme the analyser only to read lines 12 to 16. They would know that lines 14 and 15, for example, contain the expiry date and that line 16 is your CVV number. You could enter your details in no particular order (i.e. address, card type, name and then holiday location), but the analyser will probably go through the log file more than once. For example, it might scan the log file from top to bottom in order to retrieve information, or it might check each line for what it contains. So if it scans line 3 and finds Road, Street or Grove, for example, it would know it has found the address line. These kinds of scan techniques are common in the programming world.

So at the end of the day, as long as you enter your details in the order a website is asking (i.e. name, address, credit card number and so on) you will always be vulnerable. That is why I recommend you enter your details in the wrong order. Going back to the above 1234 example: if the analyser is looking for four numbers and you enter four numbers you will be vulnerable. However, if you use the cursor trick above the analyser will see the first four byte values as 3 (50), Cursor Left (79), 1 (49) and Cursor Right (78) - so not 1 2 3 4 anymore. And even though some key-loggers are clever enough not to store non-alphabet keys (such as Cursor Left) inside their log file, entering your details in a random order should still confuse the key-logger. The order above would be 3, 1, 4 and 2.

Better still, why not enter 20 random wrong numbers before deleting 16 of them (in random order also) and then replace the 4 remaining wrong numbers with correct numbers (again in random order)? The key-logger would probably store all of the numbers thinking they are the correct numbers. In other words, if the analyser knows it has to use the first 4 numbers in the log file for something but finds 20 numbers (+ 16 deletes) + 4 correct numbers (= 24 numbers) it will get confused as to which of the 24 numbers are the correct numbers to use. You are mixing up wrong numbers for the key-logger to store, as well as entering the correct numbers out of order. You can use this technique with characters (i.e. name and address) as well.


Another trick is to use the On-Screen Keyboard, which can be found inside the Ease Of Access sub-folder (Path Name: START Menu >> ALL APPS >> WINDOWS ACCESSORIES >> WINDOWS EASE OF ACCESS). See the Path Names section if you did not understand the path just given.

Fig 1.8 - Click on ON-SCREEN KEYBOARD to execute (run/launch) the On-Screen Keyboard

Fig 1.9 - Spell/Type your name by left clicking on each letter of your name

When you have opened the On-Screen Keyboard go onto the internet and find a website where you have to enter information. Click inside one of its edit boxes, such as the Name edit box, and then go to the On-Screen Keyboard and spell/type your name by clicking on each letter of your name with the left mouse button. As you click on a character (letter/number) it will be entered into the edit box automatically. Repeat this process for each edit box, especially for the Credit Card Number edit box. This process is just another way to fight against the key-logger - hopefully, all they will see in their log file is Click, Click, Click where your credit card details should be.

I say hopefully because the key-logger becomes more and more sophisticated as time goes on. For example, even though they might rely on you being too lazy to take the above precautions, they can also be sophisticated enough to emulate your keystrokes (so they know what keys you have actually typed while disregarding your delete and/or cursor movements). And even worse, they can also screen-capture (screen copy) your finished details (i.e. take a picture of the credit card details screen every 10 seconds or so). All without your knowledge... until you get a nasty bank statement in the post.
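The caveat above, that a logger which keeps cursor and delete keys can still work out the finished text, shown as an added example (not code from the original page). It replays a constructed list of key events into an empty edit box; the event names and the sample sequences are assumptions made for illustration.

```python
# Added example: the key events below are constructed, not captured data.
LEFT, RIGHT, BACKSPACE = "<Left>", "<Right>", "<Backspace>"
EDIT_KEYS = (LEFT, RIGHT, BACKSPACE)


def replay(events):
    """Apply key events to an empty edit box and return its final text."""
    buf, cur = [], 0
    for key in events:
        if key == LEFT:
            cur = max(0, cur - 1)
        elif key == RIGHT:
            cur = min(len(buf), cur + 1)
        elif key == BACKSPACE:
            if cur > 0:          # nothing to delete at the start of the box
                cur -= 1
                del buf[cur]
        else:                    # a printable key is inserted at the cursor
            buf.insert(cur, key)
            cur += 1
    return "".join(buf)


def printable_only(events):
    """What a log contains when cursor and delete keys are not stored."""
    return "".join(k for k in events if k not in EDIT_KEYS)


# The sequence from Fig 1.0 to Fig 1.7.
CURSOR_TRICK = ["3", LEFT, "1", RIGHT, "4", LEFT, LEFT, "2", RIGHT, RIGHT]

# A constructed decoy: two wrong digits typed and deleted before the trick.
DECOY_THEN_TRICK = ["9", "9", BACKSPACE, BACKSPACE] + CURSOR_TRICK

if __name__ == "__main__":
    for name, seq in (("cursor trick", CURSOR_TRICK),
                      ("decoy + trick", DECOY_THEN_TRICK)):
        print(f"{name}: printable keys only = {printable_only(seq)!r}, "
              f"replayed edit box = {replay(seq)!r}")
```

The printable-only view is scrambled (3142, 993142), but replaying the full event list gives the edit box contents exactly as the website receives them, so the trick only protects against a log that drops the editing keys.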

One more thing you can do, to safeguard against the screen-capture technique, is move the On-Screen Keyboard over the web page area you are currently entering details for. For example, click on the Credit Card Number edit box, move (drag) the On-Screen Keyboard over the not yet filled in credit card number edit box (so it is covered by the On-Screen Keyboard) and then enter the credit card number with the On-Screen Keyboard as described above. Although you would have to check that you have entered the details properly, and so expose the screen details, this method can limit a key-logger that takes a picture of your screen - a screen filled with credit card information, for example. No method is 100% but at least you are limiting the dangers.


Not all key-logger software is bad. It is also used as a parental tool to monitor children's online activity. Spytech SpyAgent, Ardamax Keylogger and PC Pandora are commercial/professional examples. Read their descriptions and key-logger features on the Top Attack website.