I was under the impression this was actually a pretty good defence against usb keyloggers that are trivial to install on a public computer. Is that not the case? (Folks just not that concerned about that vector anymore?)

If someone has enough access to a computer to install a keylogger, they probably have more than enough access to just read whatever is being "typed" using the on screen keyboards. Inject javascript, read it out of the browsers memory, whatever.

Of course you could be using such a system to defend against a hardware keylogger, in which case I'd be thinking long and hard, trying to decide who I pissed off.

Edit: Just realised you /were/ referring to a hardware keylogger. My apologies.

Yes, if someone had access to install arbitrary software on your computer they could attempt to get behind any on-screen keyboards... but given the wide variety of them, and how hard it would be to detect one based on its code alone, I doubt anyone would bother.

Software keyloggers log which keys you type (obviously) but some also take a screenshot whenever you click to defeat on-screen keyboards. It sounds like INGDirect's keypad is designed to defeat this attack.

Yup, I assume that's the idea. I can't imagine many consumer banking accounts are hacked via hardware keylogger though. Presumably if you have physical access to a computer, you can usually install software on it anyway. A well positioned webcam could probably see what you're clicking on with the onscreen password prompt as well.