Protection against Screenshot Keyloggers [closed]

Question

Closed. This question is off-topic. It is not currently accepting answers.

---

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 9 years ago.

Improve this question

I was thinking of creating an on-screen keyboard to protect against keyloggers. The main problem is that I have found that there is a category of keloggers, called screenshot key loggers, which are able to take screenshots of the screen every time the mouse button is clicked.

For this reason, I feel that my approach of creating an on-screen keyboard does not protect against this category of keyloggers. Is there a way of coding the application which does not allow screenshots to be taken, or else alerts the user if these are being taken without his permission?

Edit

I am assuming that only the user is present in the room. Therefore, I am not trying to protect against other users from taking photos with their digital cameras. I only want to protect against screenshot keyloggers.

Answer 1

This is an issue that Trusted Computing can potentially address, but not on any system you'd likely be trying to deploy this for. Beyond screenshots, remember that if a device or piece of code can have local access, screenshots are one way to take that data. Another way would be to take that data passing through memory or other avenues of processing through the system. It's a very hard thing to prevent entirely.

Answer 2

If you are that paranoid so that you cannot trust the computer you are working on, I would highly advise introducing "factor" in the authentication.

"Google Authenticator" is an open-source "two-factor" security system (like a software version of an RSA token). It means a user would have to have it running on their smartphone, but it means if one does NOT have the phone, even if they have successfully sniffed the username and password, they cannot log-in. Google "Google Authenticator".

Other 2-factor methods involve sending one-time login codes to ones' cell phone (which again must be held), using a hardware-token key, or a list of one-time-only passwords.

I actually created an Apache-specific port of this if you want to use it: https://code.google.com/p/google-authenticator-apache-module/