Can multiple moving cursors really hide your password from spyware and peepers? [VIDEO]

Filed Under: Featured, Malware, Privacy, Video

Multiple cursorsHere's an interesting piece of work being done by boffins at the Japan Science and Technology Agency (JST).

Many of us are aware of the problem of spyware, designed to snoop upon our computers, and steal files and data.

One common weapon in spyware's arsenal is the ability to seize passwords by intercepting keypresses (known as keylogging) as users log into their email or access their online bank accounts.

Some banks have, of course, responded to this by producing virtual keyboards on their login pages which don't require you to type a password - but instead choose the correct sequence of letters and numbers with your mouse instead.

Virtual keyboard

Of course - as is seemingly always the way with the cybercrime arms race - motivated malware writers responded to this defence, and developed more sophisticated spyware which took screenshots or even a mini-movie in order to grab passwords.

And that's what the Japanese researchers hope to have defeated with their new system. By having multiple cursors randomly moving across the screen, they hope it might make it nearly impossible for passwords to be captured by screen-capturing spyware or shoulder surfers.

It's certainly a fun video, and might make things tricky for a password thief looking over your shoulder - but would it really defeat cybercriminals?

If the Japanese system was widely adopted, is it not possible that - just as malware authors evolved their attacks to steal screenshots rather than just grab keypresses - malware would be developed which would interrogate the computer and ask for the co-ordinates of the mouse cursor?

A screenshot could then be taken with the real cursor's location highlighted in red.

I hate to be a wet blanket, but I'm not convinced this fun research spells the end to password stealing.

What do you think of this research? Do you think it would be a good think if online banks and others adopted it? Or is it just a bit of fun? Leave a comment with your thoughts below.

Hat-tip: Diginfo via Softpedia

, , , , , ,

You might like

19 Responses to Can multiple moving cursors really hide your password from spyware and peepers? [VIDEO]

  1. We use this system in our Virtual Keyboard for years :)

  2. Patriot · 413 days ago

    The present legal consequences for identity theft are not a deterrent. The solution would be for them to be executed for their crimes. People have had their lives wrecked and the criminal must be made to pay the price. If the price that they have to pay is high enough, then maybe they will think before they steal.

    • Sam · 413 days ago

      Great idea! But first you need to catch the criminal. We don't seem to be much good at that!

    • Richard · 413 days ago

      <SARCASM>
      Yes, because the death penalty has been so successful in stopping people from committing murder, hasn't it?
      </SARCASM>

      • Vito · 413 days ago

        "<SARCASM>
        Yes, because the death penalty has been so successful in stopping people from committing murder, hasn't it?
        </SARCASM> "

        I think I see your "error", Richard. You're approaching this rationally.

        You're right, of course. But you will never convince the overwhelming majority of your fellow humanoids. The problem is that there is an almost universal belief in the myth that punishment actually provides an effective deterrent. That belief is so deeply entrenched as to effectively constitute a religion. You cannot shake it with rational arguments.

        The threat of punishment DOES provide a deterrent, but only among those who are already disinclined to commit crimes in the first place. It does nothing to deter sociopaths...who, by definition, are the very people who commit crimes.

  3. Freida Gray · 413 days ago

    That looks too distracting to me.

    • I don't think the idea is that the randomly-moving cursors appear *all* the time - I imagine it's meant to be just when you're using a virtual keyboard. :)

      • Balthazar · 410 days ago

        So, it will be too distracting when using the virtual keyboard, then.... :)

  4. Bob · 413 days ago

    I could tell which was the "real" cursor. It was fairly simple to follow its movements.

    • VauE · 409 days ago

      But only if you are matching his peripheral mouse movement with the virtual mouse movements. Otherwise it is nearly impossible.

  5. Psynic · 413 days ago

    How much online banking crime is conducted by shoulder surfers? (Hint: it's called "online
    banking crime" for a reason :-)

    So that leaves malware.

    And...since the real mouse position and the real click locations must be reported to the banking app at some point, the malware can acquire it, too.

    Sure, it might take a while before the crooks figure out the additional code needed to do so. So it will probably leave the crooks in a hopeless situation for...oh, days, probably. Perhaps even a whole week...

    • Craig · 413 days ago

      Exactly!

      How is this going to help against Zeus/SpyEye?

      Spend as much time as you like putting hurdles in front of the user to *Authenticate*. The malware will just wait until you've completed that step, and use your authenticated session.

      We need to move beyond *Authentication* and look at *Authorisation*. Did you really ask for that action? Are you authorised to perform that action? Is it an unusual action or set of actions?

    • Merry · 368 days ago

      What annoys me is that ALL Malware ALREADY intercepts mouse presses.

      To counter that, they developed the "random tile set". Which then caused malware writers to either use memory sniffing to find the "tile set" or make occasional "screenshots".

  6. Bedem · 413 days ago

    As you said, it’s a cybercrime arms race. The virtual keyboards introduced by the banks several years ago lasted few days until the advantage fell back to the hackers. Let’s see how long this one will last, should it be at all mass-introduced to the market. I like the idea, it is fun, but it will do nothing to the systemic weaknesses of the network.

  7. how about multiple keyboards?i know it sounds simple, but simple works in my books

  8. Machin Shin · 413 days ago

    This would work against the low end key logger taking screen shots. I question how good it would do against a video where you could easily slow it down and follow the pointer you want.

    It also does nothing really against shoulder surfer. If I can see your hand on the mouse then following the cursor is really simple. After all, the cursor is following the same movements as the mouse. Watching someones hand is just as good as watching the screen.

  9. JohnC · 413 days ago

    I think this approach would be very effective at preventing someone from stealing your password by looking over your shoulder, but would not be effective against spyware, for the reasons stated in the article.

  10. njorl · 413 days ago

    Fantastic timing - just as everyone's switching to touch-screen tablets.

    Actually, touch screen can do quite a good job of foiling screen-shot recorders, as there's not any necessity to provide visual feedback of which virtual key is under my podgy digit.

    Perhaps Microsoft (and the producers of competing operating systems) can put hooking touch screen messages under privilege control, raising the bar a little further. I don't think there's much need for a non-active application (/window without the input focus) to know what the user's doing with his/her fingers ;-)

  11. Richard Q Sec · 412 days ago

    Complete waste of time! If the machine has been compromised, no amount of UI tweaks will make it more difficult for an attacker to capture credentials.

    Whoever has developed this has a fundamental misunderstanding of how banking malware works today -- it is just as easy to capture the actual password being sent from the browser to the bank server, or query the mouse driver to determine relative movements related to clicks.

    We are seeing banking malware running requests through SSL/TLS stipping proxies, or MiTM browsers TLS sessions with banks. This is UI fluff.

    Its this kind of 'security theater' that makes our lives more difficult without actually adding any appreciable security to an applciation. Back to the drawing board im afraid!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.