eSWAT: a spyware-resistant virtual keyboard presented at Virus Bulletin 2007

by William Allen (Florida Institute of Technology)


Summary: "One of the largest problems in e-commerce is enabling users to safely submit confidential information to websites.
Keystroke loggers and other forms of spyware have made normal text entry insecure, and while encryption techniques can
secure network traffic end to end, they are incapable of protecting users when the client node is compromised.
Various techniques have been proposed for remediating the threat posed to login information by monitoring of user
machines. These include two-factor authentication (such as one-time-use passwords sent to mobile phones) and
cryptographic access tokens; however, their acceptance has been limited, as these approaches are neither universal
nor convenient.
In this interactive session, we demonstrate an AJAX-based virtual keyboard, eSWAT. eSWAT allows users to log in from
an untrusted machine and securely send authentication data to other websites. In our demo, we illustrate how it is
possible to generate virtual keyboards 'on the fly', and how the data input is difficult to capture using current
hardware keyloggers and spyware. Finally, we compare eSWAT with other virtual keyboards, and show how its design is
more resilient than other virtual keyboards currently employed in e-commerce, and how it can be modified to withstand
targeted attacks."