Anti-keylogging measures for secure Internet login: An example of the law of unintended consequences

Traditional authentication systems used to protect access to online services (such as passwords) are vulnerable to compromise via the introduction of a keystroke logger to the service user's computer. This has become a particular problem now that many malicious programs have keystroke logging capabilities. When banks first introduced Online Banking services they realised this, and added features to protect users against keystroke logging. In this paper we show, using a real Online Banking system as an example, that if these features are incorrectly implemented they can allow an attacker to bypass them completely and gain access to a user's bank account within a small number of attempts. The vulnerability was initially noticed in a particular Online Banking service, but any system implemented in the way we describe is equally vulnerable.