http://dx.doi.org/10.13089/JKIISC.2022.32.5.827

Analysis of the Password Leaking in Virtual Keyboard  

Yang, Hee-dong (KAIST Cyber Security Research Center)
Lee, Man-hee (Hannam University)
Abstract
User authentication technology is necessary for using online financial services, and checking a password typed on the keyboard is the most common technique. However, since it became known that keystrokes on the keyboard can be intercepted easily, many Internet banking services and easy payment services have adopted the virtual keyboard. Contrary to the expectation that the virtual keyboard will be safe, there is a risk that keystrokes on the virtual keyboard can also be leaked. In this paper, we analyzed the possibility of password leaking on the virtual keyboard and presented a password leaking method using mouse event hooking and screen capture in PC operating systems. In addition, we inspected the possibility of password leak attacks on several well-known Korean Internet banking websites and simple payment services, and as a result, we verified that the password input method through the virtual keyboard in PC operating systems is not secure.
Keywords
Virtual Keyboard; Internet Banking; Simple Payment Service; Password Leak;
Citations & Related Records
Times Cited By KSCI: 5