A password is commonly required to enable access across a network to an application hosted by a service provider. In a web-centric environment, a user of the service is required to enter his password into a textbox in the browser, and the password is then submitted over SSL to the server application for authentication. Unfortunately, this does not protect the password sufficiently, as the client computer itself is vulnerable to a security breach.
Monitoring software present on the client computer may be recording key-presses, mouse-clicks, and screenshots without the user's knowledge. This means that a hacker who has access to the monitoring software can steal the user's password, regardless of whether the password is entered using the keyboard or by clicking on a graphical keypad on the screen.
Publicly accessible computers, like those found in airports or internet cafes, are especially vulnerable to such hacking, as users have neither control over nor knowledge of what is installed on the computers. It is important, especially for the service provider, to secure client computers to prevent such hacking activity. In addition, other confidential user information, like a user ID or account number, is also vulnerable.
Presently, the best technique to thwart such hacking activity is to use scanning software to scan for monitoring software and to detect key and mouse logging activities. The disadvantage of this technique is that the scanning software needs to be installed on the client computer. This may not always be possible, as the service provider cannot dictate what is installed on the user's computer, or the user may be using a public terminal and have no permission to install anything. Another disadvantage is that the scanning software may need regular updating to function properly, which can be a costly process. Hence, it can be seen that this technique is not a satisfactory solution.
The problem is therefore how to obtain a password, or other confidential information, in a way that is safe from the prying “eyes” of monitoring software.