These keyboards generate the numbers in random positions, which will vary between user accesses. So even if you can tell which buttons the user used, you are not sure of the correct password.
For example, assuming a dummy password like 021793. The keyboard could display the following options:
The user must use the buttons in this order:
[0 or 4] [2 or 6] , [1 or 5] , [7 or 9] , [7 or 9] , [3 or 8]
You already know what buttons he used this time, but to guess the password on the basis of brute force you have a space of 2 6 = 64 combinations. Remember that the bank will lock the password after a few failed attempts (most banks block with 3).
The next time the user logs in, if you capture the clicks again, you'll have a set of 64 different combinations to try.
So, in theory, this would make the system safer because it would obfuscate the password. In practice this is great for preventing a person looking over your shoulder guess your password. But note that instead of trying to crack the password at brute force, an attacker could simply do a statistical analysis of the buttons used.
In other words: when accessing the page again some time later, we will have another keyboard. We have 64 combinations again, but not all of these combinations are the same as in the previous set. An attacker would have enough guesswork space by analyzing only the intersections.
If we take the photo keyboard and change it:
- The first key for [0 or 6] ;
- The third key for [2 or 4] ;
We will already know in the second client access that the first number of the password is 0, since the first number should be the intersection of sets {0, 4} and {0, 6} . The second password number was also easier to guess for the same reason.
I may have made the guessing of the password seem easy, however it is not trivial to capture the user's screen. The bank page has its mechanisms to prevent you from tracking clicks. In addition, banks usually also require the installation of browser extensions and sometimes external programs to increase security.
The only way to break the security of such a password accurately is by shooting the user with cameras during several different hits. You may be able to get an office security camera if employees in the office use Internet Banking . Or you could use a camera with a very large zoom to shoot a neighbor while he accesses the bank. However, this type of attack is so elaborate that it becomes cinematic.
Plus, all you could get would be to see the user's balance. All banks I know still require other forms of authentication to allow any account movement.