Some keyloggers can read the Clipboard, too

By Dennis O’Reilly

Several dozen readers responded to WS contributing editor Scott Dunn’s Sept. 10 Top Story on keeping your passwords out of the hands of sneaky keyloggers on untrusted PCs you may be forced to use while traveling.

The most frequent suggestion was to copy passwords from a text file and paste them into password boxes, but many keyloggers — unfortunately — capture any text you paste from the Clipboard.

Crooks with computers are experts at raiding online bank accounts and making a profit from personal information. Every time you think you’ve outsmarted them with a new defense, hackers find a way around or through it.

Scott described the “revised Vesik method,” which involves typing nonsense characters and mousing them into place to form a real password. It’s admittedly a convoluted way to hide data from keyloggers when you need to sign in to a Web site using a PC that might be infected. Scott acknowledged that the trick is time-consuming and prone to error.

Many readers recommended other programs and techniques to thwart either hardware or software keyloggers. Chris Miller points out the advantages of authentication techniques used by banks in Europe:
  • “I don’t know the position in the U.S., but here in Europe, sensitive Web sites such as [those for] Internet banking are usually configured to defeat keyloggers.

    “The best way is for the bank to supply a token — similar in concept to the SecurID or Vasco two-factor authentication systems that readers working in IT departments may be familiar with — that requires you to insert a bankcard and enter your usual PIN number before it generates a unique key that will allow logon.

    “Even if this is read by a keylogger, it won’t work for any subsequent logon attempts. The drawback is obviously that you need to carry it with you and be able to attach it (via USB) to any public computer you want to use.

    “Alternatively, banks require you to select a long password — say, 12 characters — and then ask at logon for a random subset: e.g., ‘Please enter the 8th, 3rd, and 10th character of your password.’

    “For further protection, these characters may be selected by using drop-down menus, which should defeat most keyloggers.

    “The drawback is a slight weakening against brute-force guessing — you have a chance of guessing correctly if you can make many tens of thousands of attempts — but there are strong limitations on the number of incorrect logon attempts that are allowed before the account is locked (typically three), requiring a phone call to reset the procedure.

    “Simpler still is for the bank to issue a ‘one-time pad’ of randomly generated passwords that you use once and then discard. Obviously, a written pad can be lost, but as long as you don’t keep it with other identifying information — e.g., your account number — this should not be a problem.

    “I think one of the reasons for the different systems in Europe is that here the onus is on the banks to provide security. If your bank account or credit card is ‘hacked,’ any resultant loss is the responsibility of the bank, unless they can demonstrate collusion on the account holder’s part. I understand this doesn’t apply in the U.S.”

Some keylogger software can, in fact, record the choices in drop-down menus. And there are reports of man-in-the-middle attacks that exploit one-time passwords only momentarily, as explained in a blog item by the Washington Post’s Brian Krebs.
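
The partial-password logon from Chris Miller's comment (a random subset of character positions plus a lockout after three wrong answers), sketched as an added example that is not code from the article or from any bank. The class and function names, the 36-symbol alphabet and the sample password are assumptions made for illustration.

```python
import hmac
import secrets
from fractions import Fraction

MAX_FAILURES = 3      # lockout threshold mentioned in the reader comment
POSITIONS_ASKED = 3   # "the 8th, 3rd, and 10th character"

class PartialPasswordAccount:
    """Hypothetical server-side state for one account."""

    def __init__(self, password):
        # A one-way hash of the whole password cannot answer per-position
        # checks, so the secret has to stay recoverable. Demo: kept in memory;
        # a real service would need encrypted or HSM-backed storage.
        self._password = password
        self.failures = 0
        self.locked = False
        self.challenge = None

    def issue_challenge(self):
        # Keep the pending challenge until it is answered correctly, so that
        # reloading the page cannot be used to shop for familiar positions.
        if self.challenge is None:
            rng = secrets.SystemRandom()
            self.challenge = rng.sample(
                range(1, len(self._password) + 1), POSITIONS_ASKED)
        return self.challenge

    def verify(self, answer):
        if self.locked or self.challenge is None:
            return False
        expected = "".join(self._password[p - 1] for p in self.challenge)
        if hmac.compare_digest(expected.encode(), answer.encode()):
            self.failures, self.challenge = 0, None
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False

def guess_odds(alphabet_size, positions=POSITIONS_ASKED, attempts=MAX_FAILURES):
    """Chance that blind, distinct guesses succeed before the lockout."""
    return Fraction(attempts, alphabet_size ** positions)

if __name__ == "__main__":
    acct = PartialPasswordAccount("k7vq2mzx9hd4")  # constructed 12-char sample
    print("challenge positions:", acct.issue_challenge())
    print("odds, a-z plus 0-9:", guess_odds(36))   # 3 tries out of 36**3 = 46656
```

With a 36-symbol alphabet there are 46,656 possible three-character answers, which matches the "tens of thousands of attempts" in the comment; the lockout is what keeps that small answer space from being searched.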

But it’s clear that European banks, due to tighter regulation, are ahead of American financial institutions in security practices that defeat run-of-the-mill keyloggers. In the U.S., the Electronic Funds Transfer Act limits consumer liability when someone is the victim of an online theft. There remains little uniformity, however, in online banking.

Scott will discuss additional password-management utilities and techniques in a follow-up article about keyloggers on Sept. 24. Stay tuned!

Chris will receive a gift certificate for a book, CD, or DVD of his choice for sending a comment we printed. Send us your tips via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

All Windows Secrets articles posted on 2009-09-17: