How to foil keyloggers

20 June 2007 update: The method described below should be considered out of date and unsafe for use. Use the revised Vesik method instead.

Protecting your security on a home computer is not difficult. If you use a safe browser, scan for viruses and spyware frequently, and remember to scan before opening email attachments and downloaded files, you can feel safe when using your computer to bank, check email, and browse the web.

But what about the times when you need to use a friend’s computer or a public computer in an internet café, library, or airport? You have no idea whether the computer has been kept well and is safe to use. In fact, in many (if not most) of the internet cafés I’ve been to, the computers are visibly convulsing with virus and spyware activity.

For the most part, it would be wise to avoid doing anything other than browsing the web on such public computers. However, sometimes you just have to check your email or bank statement or conduct some other form of business that you’d rather keep private. In those cases, you should take extra precautions, particularly against keyloggers that are capable of recording and later abusing your username and password information.

How keyloggers work

First, I’ll explain how keyloggers work. Keyloggers monitor every keyboard keystroke and mouse click you make and try to ferret out personal and lucrative information such as passwords and Social Insurance Numbers (or Social Security Numbers in the United States). It’s not hard. Consider the following cross-section of keystrokes that a keylogger might capture:

www.google.com (click) ponies (click) white ponies (click) ponies Vancouver Canada (click) www.hotmail.com (click) jenny984@hotmail.com (tab) fido (click) Hi Grandma, thanks for the birthday gift. I hope you and Grandpa are doing really well right now… (click)

In the above set of keystrokes, the user started by doing a Google search for ponies, then logged into Hotmail, and started writing a letter to her grandmother. It’s pretty obvious that her username is “jenny984@hotmail.com” and her password is “fido”. An added bonus is the knowledge that the user probably lives in Vancouver, Canada. A human being and a computer program looking at this data would have an equally easy time finding this sensitive information.
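To show how little work the “computer program” case takes, here is a small harvester, added as an illustration and not part of the original post. It splits a capture on the “(click)” and “(tab)” focus markers used above, treats the most recently typed hostname as the site, any e-mail-shaped run as the username, and whatever was typed into the next field as the password. The capture string is the blog’s own example, re-typed here as constructed input; the heuristics are my assumptions about what a simple harvester would do.

```python
import re

# Constructed input: the keystroke capture from the post, with "(click)" and
# "(tab)" marking every change of focus.
CAPTURE = (
    "www.google.com (click) ponies (click) white ponies (click) "
    "ponies Vancouver Canada (click) www.hotmail.com (click) "
    "jenny984@hotmail.com (tab) fido (click) Hi Grandma, thanks for the "
    "birthday gift. I hope you and Grandpa are doing really well right now... (click)"
)

FOCUS_CHANGE = re.compile(r"\s*\((?:click|tab)\)\s*")
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def tokens(capture):
    """Runs of text typed between two focus changes, in order."""
    return [t for t in FOCUS_CHANGE.split(capture) if t]


def harvest_logins(capture):
    """Guess (site, username, password) triples from a capture.

    Heuristic (an assumption, not a spec): the last hostname typed is the site
    being visited; the first e-mail-shaped run after it is the username; the
    run typed into the following field is the password.
    """
    found = []
    site = None
    toks = tokens(capture)
    for i, tok in enumerate(toks):
        if HOSTNAME.match(tok):
            site = tok  # user typed a URL into the address bar
            continue
        if site and EMAIL.match(tok) and i + 1 < len(toks):
            found.append((site, tok, toks[i + 1]))
            site = None  # one login per visited site
    return found


if __name__ == "__main__":
    for site, user, password in harvest_logins(CAPTURE):
        print(f"{site}: {user} / {password}")
```

Run against the capture above it prints the one login, `www.hotmail.com: jenny984@hotmail.com / fido`, which is exactly the conclusion the paragraph reaches by eye.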

The Vesik method

A very clever friend of mine (after whom the method is named) suggested a strategy that would make it difficult for a human or computer looking at the results gathered by a keylogging program to determine what an individual’s password is.

To foil a keylogger, follow these steps:

  1. Enter your username into the appropriate field
  2. Click on the password field, and enter half of your password (for Jenny, this would be “fi”)
  3. Click on the taskbar (the bar, usually on the bottom of your screen, that shows the Windows Start button and all of the windows you have open)
  4. Enter a short string of gibberish, click on the taskbar again, and enter more gibberish (here’s a nice example of gibberish: “gqmk (click) dl55”)
  5. Click on the password field once again, placing your cursor to the right of the half-completed entry
  6. Complete your password
  7. Click on the taskbar once again and type a little more gibberish, clicking on the taskbar in between gibberish strings
  8. Click “Submit” to submit your username and password to be verified

Now, if there is a keylogger monitoring your keystrokes, it might see something like this:

www.google.com (click) ponies (click) white ponies (click) ponies Vancouver Canada (click) www.hotmail.com (click) jenny984@hotmail.com (tab) fi (click) gqmk (click) dl55 (click) do (click) ap (click) obr5 (click) Hi Grandma, thanks for the birthday gift. I hope you and Grandpa are doing really well right now… (click)

A computer program sifting through this data would probably report that “fi” is the password. Or it could pick “gqmk”, “dl55”, “gqmkdl55” or “figqmkdl55doapobr5”. They all look like possible passwords, but none of them is the actual password. (This assumes the keylogger records only keystrokes and clicks; one that also records which window or field received each keystroke can separate the password-field input from the taskbar gibberish.)

A human looking at the data would have the same problem, but might catch on to the technique being used. Still, he wouldn’t know which string or strings of password-like text make up the real password. Let’s suppose that a human sifts through the data, realizes that the Vesik method is being used, and decides to try every possible combination in order to find the right one. With 6 strings of password-like text, each of which could be the password on its own or combined with the others in any order, there are just under 2,000 possible passwords (1,956 ordered combinations of distinct strings).

Because higher-security websites (especially online banking websites) lock a user out after about 5 failed login attempts, it is extremely unlikely that your account would be compromised. Websites with fewer security precautions would be easier to crack by trying all 2,000 possibilities, but you have much less to lose in those cases. Check the lockout policy of each website with which you wish to use this method before logging in.

Also, it’s worth noting that all but the most determined thieves would likely just move on to an easier target – one who failed to disguise his password in any way – rather than bother with your accounts.

An important caveat

If you log in to the same website multiple times (or to different websites with the same password), a human looking at the results of a keylogger would probably be able to figure out your real password by comparing the two captures. The reason is simple: the password fragments you type will be the same in both, but the gibberish will probably change. If you want to prevent this kind of detective work from having any effect, type the same gibberish each time, or enter your password only once on a given public computer.
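The two arguments above, the “just under 2,000 candidates” count and the cross-session caveat, are easy to check mechanically. The following script is an added example, not the post’s or the method author’s code: it extracts the password-like fragments from a capture, enumerates every ordered combination an attacker would have to try, and intersects the fragments of two captures from the same machine. SESSION_1 is the capture shown earlier; SESSION_2 is a constructed, hypothetical later login by the same user with fresh gibberish. The fragment heuristic (short, space-free runs between the username and the first long run of text) and the 5-attempt lockout are assumptions taken from the text.

```python
import re
from itertools import permutations

# Focus changes are marked "(click)" / "(tab)" in the captures, as in the post.
FOCUS_CHANGE = re.compile(r"\s*\((?:click|tab)\)\s*")

# Constructed inputs.  SESSION_1 is the post's own Vesik-method capture;
# SESSION_2 is a hypothetical later login on the same computer: the real
# fragments "fi" and "do" recur, the gibberish is freshly invented.
SESSION_1 = (
    "www.hotmail.com (click) jenny984@hotmail.com (tab) fi (click) gqmk (click) "
    "dl55 (click) do (click) ap (click) obr5 (click) Hi Grandma, thanks for "
    "the birthday gift. (click)"
)
SESSION_2 = (
    "www.hotmail.com (click) jenny984@hotmail.com (tab) fi (click) z8w (click) "
    "do (click) qpl (click) 7k (click) Hi Mom, just checking in. (click)"
)


def fragments(capture, username, max_len=8):
    """Password-like runs: short, space-free text typed after the username
    and before the first long run (the message body)."""
    toks = [t for t in FOCUS_CHANGE.split(capture) if t]
    frags = []
    for tok in toks[toks.index(username) + 1:]:
        if " " in tok or len(tok) > max_len:
            break
        frags.append(tok)
    return frags


def candidates(frags):
    """Every password the attacker must consider: each fragment alone, or any
    ordered concatenation of distinct fragments.  For 6 fragments that is
    6 + 30 + 120 + 360 + 720 + 720 = 1956 strings, the post's 'just under 2,000'."""
    return {"".join(c) for k in range(1, len(frags) + 1)
            for c in permutations(frags, k)}


def common_fragments(*sessions, username):
    """Fragments present in every capture, in the order of the first one.
    Real password pieces recur across logins; fresh gibberish does not."""
    frag_lists = [fragments(s, username) for s in sessions]
    return [f for f in frag_lists[0] if all(f in fl for fl in frag_lists[1:])]


def within_lockout(cands, max_tries=5):
    """True if every candidate can be tried before a site that locks the
    account after max_tries failures shuts the attacker out."""
    return len(cands) <= max_tries


if __name__ == "__main__":
    user = "jenny984@hotmail.com"
    one = candidates(fragments(SESSION_1, user))
    print(len(one), within_lockout(one))       # 1956 False
    both = candidates(common_fragments(SESSION_1, SESSION_2, username=user))
    print(sorted(both), within_lockout(both))  # ['do', 'dofi', 'fi', 'fido'] True
```

One capture leaves 1,956 candidates, far beyond a 5-attempt lockout. Two captures with different gibberish leave only the recurring fragments “fi” and “do”, and the four orderings of those fit inside the lockout, which is the situation the caveat describes.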

Happy surfing!

Read more about keyloggers

6 Comments »

  1. Comment by Ezra — 22 November 2006 @ 8:30 am

    I’ll have you know that I ran Spybot for the first time in a long time today and it congratulated me for having no adware or malware. My drawbridge is up, my archers are in their parapets and God be damned if I don’t have smoldering hot rocks enveloped in tar and oil to pour down on any intruders that attempt to break into my kingdom.

  2. Comment by Ian Saxon — 22 November 2006 @ 6:46 pm

    Hi Ezra,

    Glad to hear it. And really fine wordplay – I should hire you to invent metaphors for the articles on this site.

    Ian

  3. Comment by bryson — 27 June 2007 @ 3:41 pm

    I got keylogged from an image hosting site; my old “friend” sent it to me. I ran everything I had (Norton, AVG, PC Tools, Ad-Aware and McAfee) and they were not able to find the keylogger. How do I make a keylogger like that?

  4. Comment by Ian Saxon — 28 June 2007 @ 2:40 pm

    Bryson, your description of what happened is a little fuzzy. It sounds like you entered your password onto a phishing website. Scanning your own computer does nothing to prevent this particular threat because the threat doesn’t originate on your computer.

    The only prevention is to avoid phishing websites, which requires judgment on your part. Here are a couple ways to avoid phishing websites:

    1. Don’t follow links in instant messaging conversations or emails, especially if they say something like “Dear customer, we need you to follow this link to update your account information”.

    2. Google the name of the website you want to go to instead of typing it into the address bar of your browser. Google will often correct spelling mistakes and guide you toward the legitimate website. If you type the wrong address into the address bar, you may go to a fraudulent website.

    3. Once you’re at a website where you need to enter account details (say, your bank’s website), follow a few links to see if the website is full and complete. A fraudulent website will probably be designed to look legitimate for the purpose of stealing passwords, but it’s unlikely that the thieves mimic the entire bank website.

    Hope that helps,

    Ian

  5. Comment by some one — 19 September 2008 @ 4:01 am

    Have you tried http://kyps.net for logging in from spyware- or keylogger-infected computers?

  6. Comment by Ian Saxon — 19 September 2008 @ 1:49 pm

    I haven’t tried it.

    Interesting idea, although I gather it requires the trust of the kyps.net website. What if that website is designed to harvest passwords one types in?

