
Who says they don't have any context?

Off the top of my head I know ING Direct had a virtual pinpad. Combine this with an XSS vulnerability and I could easily send you a link to log in to your bank website. The link would then load this type of mouse tracking data.



The ING Direct virtual pinpad changes the arrangement of the numbers every time it loads and hides them when you click. That does provide some protection.


I keep seeing websites use those things, and it drives me utterly insane. Not only is it an onscreen keyboard, but nothing stays still when I'm using the damn thing. I hope more websites don't think it's a good idea.


I was under the impression this was actually a pretty good defence against usb keyloggers that are trivial to install on a public computer. Is that not the case? (Folks just not that concerned about that vector anymore?)


If someone has enough access to a computer to install a keylogger, they probably have more than enough access to just read whatever is being "typed" using the on-screen keyboards. Inject JavaScript, read it out of the browser's memory, whatever.

Of course you could be using such a system to defend against a hardware keylogger, in which case I'd be thinking long and hard, trying to decide who I pissed off.

Edit: Just realised you /were/ referring to a hardware keylogger. My apologies.


Yes, if someone had access to install arbitrary software on your computer they could attempt to get behind any on-screen keyboards... but given the wide variety of them, and how hard it would be to detect one based on its code alone, I doubt anyone would bother.

Software keyloggers log which keys you type (obviously), but some also take a screenshot whenever you click to defeat on-screen keyboards. It sounds like ING Direct's keypad is designed to defeat this attack.


Yup, I assume that's the idea. I can't imagine many consumer banking accounts are hacked via hardware keylogger though. Presumably if you have physical access to a computer, you can usually install software on it anyway. A well positioned webcam could probably see what you're clicking on with the onscreen password prompt as well.


What kind of security-by-obscurity banks are people using where they have to enter numbers with the mouse to avoid keyloggers and answer silly questions like my mother's last occupation?!

Any reputable bank will give you a small external card reader with a keypad where you have to insert your smartcard, enter your PIN and punch in the challenge-response code from the website. 2-factor authentication is a solved problem, plus no risk of keyloggers since the device is disconnected from the computer. (Most come with the option of connecting to the computer via USB to save you from manually entering the challenge-response, but your PIN is always entered on the external keypad.)


Ugh, what a hassle. My bank only required the card reader for potentially harmful things, like transferring money to someone I've never sent money to before. If it asked me to use it every time I logged in then I would change bank.



