A couple of weeks back, my esteemed bank BCL introduced a new “feature” (read annoyance) to their online banking site. It’s a “virtual keyboard” that sits on the login page and can be used only with a mouse. And it’s utterly stupid
I’m not saying the bank managers are stupid, I’m not saying the person (committee?) who wrote the code is stupid. I’m saying the whole annoying experience is stupid. First, the only added security in that setup is forcing the customer to use the mouse instead of the keyboard therefore circumventing possible any keyloggers that may be installed on the PC.
However, by adding that “feature” they forced people to use a slower method to enter their password which (imho) introduced at least 2 vulnerabilities:
- The password will be visible to anyone overlooking the user entering the password
- The shifting keyboard is very annoying, so users will inevitably pick easier to enter/remember passwords
- The second “pin code” screen is also annoying, and will force most users to write down their pin code on a piece of paper, adding to the risk!
Again IMHO, the risks introduced seem to outweigh the benefits.
PS. I will not post it here, but feel free to email me if you need it.