William Allen, Richard Ford, Aldwin Saugere Florida Institute of Technology
download slides (PDF)
One of the largest problems in e-commerce is enabling users to safely submit confidential information to websites. Keystroke loggers and other forms of spyware have made normal text entry insecure, and while encryption techniques can secure network traffic end to end, it is incapable of protecting users when the client nodes is compromised.
Various techniques have been proposed for remediating the threat posed to login information by monitoring of user machines. These include two-factor authentication (such as a one-time use passwords sent to mobile phones) and cryptographic access tokens; however, their acceptance has been limited, as these approaches are neither universal nor convenient.
In this interactive session, we demonstrate an AJAX-based virtual keyboard, eSWAT. eSWAT allows users to log in from an untrusted machine and securely send authentication data to other websites. In our demo, we illustrate how it is possible to generate virtual keyboards "on the fly", and how the data input is difficult to capture using current hardware keyloggers and spyware. Finally, we compare eSWAT with other virtual keyboards, and show how its design is more resilient than other virtual keyboards currently employed in ecommerce, and how it can be modified to withstand targeted attacks.
