Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32451
Keyloggers Prevention with Time-Sensitive Obfuscation

Authors: Chien-Wei Hung, Fu-Hau Hsu, Chuan-Sheng Wang, Chia-Hao Lee


Nowadays, the abuse of keyloggers is one of the most widespread approaches to steal sensitive information. In this paper, we propose an On-Screen Prompts Approach to Keyloggers (OSPAK) and its analysis, which is installed in public computers. OSPAK utilizes a canvas to cue users when their keystrokes are going to be logged or ignored by OSPAK. This approach can protect computers against recoding sensitive inputs, which obfuscates keyloggers with letters inserted among users' keystrokes. It adds a canvas below each password field in a webpage and consists of three parts: two background areas, a hit area and a moving foreground object. Letters at different valid time intervals are combined in accordance with their time interval orders, and valid time intervals are interleaved with invalid time intervals. It utilizes animation to visualize valid time intervals and invalid time intervals, which can be integrated in a webpage as a browser extension. We have tested it against a series of known keyloggers and also performed a study with 95 users to evaluate how easily the tool is used. Experimental results made by volunteers show that OSPAK is a simple approach.

Keywords: Authentication, computer security, keylogger, privacy, information leakage.

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 647


[1] Symantec, Symantec Internet Security Threat Report: Trends for 2010, vol. 16, Symantec, 201141.
[2] BSI WARNING, "Questions and answers about identity theft,"
[3] C.-W. Hung, F.-H. Hsu, S.-J. Chen, C.K. Tso, Y.-L. Hwang, P.-C. Lin, and L.-P. Hsu, A QTE-based Solution to Keylogger Attacks, The Sixth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2012), Rome, Italy, August 19 - 24, 2012.
[4] Jelsoft Enterprises Ltd, "What password-length do you use on most websites?"
[5] FIDO Alliance - Open Authentication Standards More Secure than Passwords,
[6] Bundesamt fuer Sicherheit in der informationstechnik. Technical Guideline TR-03112-1 eCard-API-Framework - Overview. Version 1.1.5 draft, 7. April 2015
[7] B. Pfitzmann, J. Riordan, Christian Stüble, M. Waidner, A. Weber: The PERSEUS System Architecture; IBM Technical Report RZ 3335 (\#93381), IBM Research Division, Zurich Laboratory, 2001.