Japanese password protector floods screen with hoax cursors

Japanese boffins have demonstrated a rather nifty way of preventing online password theft by screen capture and shoulder surfing – flood the screen with a barrage of dummy cursors. Researchers at the government backed Japan Science and Technology (JST) Agency showed off the rather unusual approach to preventing fraud to local …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Pretty frickin stupid...

    I can trust the government funded research to come up with a joke of a solution like this. (DISCLAIMER: I live in Japan.)

  2. Charles 9

    Easy to defeat.

    Since they HAVE to know when the actual click takes place, and since click events can be recorded (macro recorders use this function), I suspect screen reader malware will just wait for actual clicks and then attach EXIF data to the pictures that happen to contain the coordinates of the actual mouse cursor at the point of the click. As for the over-the-shoulder observer, a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one.

    1. Zilla
      WTF?

      Re: Easy to defeat.

      This is about stopping outside observers from seeing which keys on a software keyboard are being pressed.

      I don't think you have a clue what you are talking about.

      1. Mako

        Re: Easy to defeat.

        I don't know whether he knows what he's talking about or not in general, but for what it's worth this bit of his post makes perfect sense to me;

        " a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one."

        I haven't seen the system in action to be fair, but even if they've programmed it to hesitate, move at varying speeds and make occasional "mistakes", I think it's likely that an observant watcher could figure out which was the human-controlled cursor. But only because it's so difficult to convincingly simulate randomness.

        1. G.H.

          Re: Easy to defeat.

          I imagine deriving dummy cursor movement from the real cursor would be a good way to make them harder to distinguish from each other.

          One problem would maybe be that the real cursor will never leave the screen while the dummy cursors seem to come and go.

          1. Charles 9

            Re: Easy to defeat.

            Doing that runs the risk of a false negative because convincing-enough fake cursors will start to fool the user and result in mistakes. Put it this way: since the user has to be able to distinguish the real cursor from the fakes, anything the user does can be observed by a suitably-trained over-the-shoulder observer. They can observe different motions of the cursors, catch the user's mouse movements out of the corner of the eye, and so on.

            1. I like noodles

              Re: Easy to defeat.

              I think you'd have to try it to know how easy it is to defeat or otherwise. I doubt anyone here has done so.

              As for real-world practicality? I reckon it would make a good game on "The Cube"

              1. Destroy All Monsters Silver badge
                FAIL

                Re: Easy to defeat.

                "a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one"

                1) Read not-too-well explained stuff with no accompanying pics on El Reg

                2) Run to the pulpit

                3) Declare to world and dog that it won't work, make peremptory statements and a clown of yourself

                FAIL icon doesn't begin to describe the situation

                1. Tim Parker

                  Re: Easy to defeat.

                  1) Read not-too-well explained stuff with no accompanying pics on El Reg

                  Alas it's worse than that - although there's not a picture there is a link to a video demonstrating it.

            2. Anonymous Coward

              Re: Easy to defeat.

              >Doing that runs the risk of a false negative because convincing-enough fake cursors will start to fool the user and result in mistakes. Put it this way. Since the user has to be able to distinguish the real cursor from the fakes.

              The user distinguishes the real cursor through feedback from their mouse movements. In other words the user knows which cursor is theirs because they can directly see the result of a mouse movement. The over shoulder observer does not have the benefit of being able to observe both the mouse movement and the cursor movement since your eyes and cognitive processes can not focus on both areas at the same time.

              Only the centre bit of the eye (called the fovea) has a high enough resolution to see enough detail. Move as little as 20 degrees from this sight line and your visual acuity has dropped by 90%.

        2. Tim Parker

          Re: Easy to defeat.

          I don't know whether he knows what he's talking about or not in general, but for what it's worth this bit of his post makes perfect sense to me;

          " a little training should enable someone to distinguish the random motion of the fake cursors from the more-directed motion of the real one."

          I think that is pure speculation rather than anything else... unless the poster is an expert in a relevant field (in which case their more detailed input would actually be appreciated).

          I haven't seen the system in action to be fair, but even if they've programmed it to hesitate, move at varying speeds and make occasional "mistakes", I think it's likely that an observant watcher could figure out which was the human-controlled cursor. But only because it's so difficult to convincingly simulate randomness.

          Why don't you go and look at the video and listen to what the guy says... it's not detailed, but you'll probably get a better idea of what they're talking about than just using your imagination.

          1. Pet Peeve
            Boffin

            Not speculation

            Stay with me on this...

            The Adler Planetarium had this thing where the audience had a button on each armrest, so the audience could "steer" some of the presentation (it was less dumb than it sounded). Before the show, they had a display up that had a little square for each seat (arranged in a grid instead of the circular setup of the room, so it wasn't immediately apparent which was your square). When you pushed the left button, the square turned red, and green for the right.

            It took a few minutes, but even with a packed house and a bunch of overcaffeinated kids pushing the buttons constantly, you could figure out which one was yours, by just watching the screen and watching for your button pattern.

            Since you have even more control over the cursor, I think this will work. If the other cursors are doing apparently purposeful stuff (say, by recording previous paths to clicked buttons), it should be hard for a shoulder surfer to do the same thing, since watching the screen and tracking the mouse is easy for the user (since the mouse is in their hand), but hard for them.

      2. Anonymous Coward

        @Zilla (Re: Easy to defeat.)

        I watched the demonstration video. I could easily tell which of the cursors was under human control. (It moved less smoothly.) This could be overcome by making the fake cursor movements exact copies of the real cursor movements, but with displaced coordinates and different directions. Unfortunately, it would then be almost impossible for the user to tell which was the real cursor. A better solution would be to artificially smooth the movements of the real cursor so that it better matched the movements of the fake cursor.

        Needs more work.

  3. Grifter

    Did the research include reading Cryptonomicon by Neal Stephenson?

    1. Destroy All Monsters Silver badge

      But there the whole screen was noised up, right?

      1. Michael Wojcik Silver badge

        But [in Cryptonomicon] the whole screen was noised up, right?

        Right. The point of the exercise in Cryptonomicon was to make it difficult for an OTS observer to track the real work being done by filling the screen with unrelated activity. The user has expectations about the results of his or her actions - pressing this key will cause this letter to appear in this window - which provide the additional information needed to distinguish noise from signal.

        Oculis Labs offers software - which I've never tried - that implements another variation on this theme. It uses a laptop's webcam to track the user's gaze (using standard eye-tracking techniques). Any text the user isn't currently looking at is garbled. According to some stories I've seen on this technique - and again I've never tried it myself, or looked into the actual research - it's very successful at preventing OTS reading and the like.

  4. Elmer Phud

    Back in the days . . .

    . . . . of terminals we'd just change the cursor colour of other people's terminals -- the people that never learned the four-key combination to get into set-up.

  5. Anonymous Coward 15
    WTF?

    Who's entering passwords on a software keyboard with a mouse?

    I've either got a keyboard or a touchscreen, depending on the device.

    1. Tim Parker

      Re: Who's entering passwords on a software keyboard with a mouse?

      People trying to avoid key-loggers ? (whether this is effective given you can record mouse clicks, and use with other data, is another matter of course)

    2. Anonymous Coward

      Re: Who's entering passwords on a software keyboard with a mouse?

      My online bank presents me with a software screen in which I need to input my password using the mouse.

      What's even better is that the location of the keys on the soft keyboard is always randomly generated when it is displayed so my hand/mouse motion to enter the password changes every time.

    3. This post has been deleted by its author

    4. Anonymous Coward

      Re: Who's entering passwords on a software keyboard with a mouse?

      how about just keepass buffer and mouse? (I think I finally figured out the secret to this argument stuff)

  6. M Gale

    Genius.

    And like many genius ideas, it leaves me slapping my forehead and going "that's just so simple, WHY didn't I think of it?"

  7. Anonymous Coward

    remove noise = direct shizzles

    Might work good with PHYSICAL MIRRORS if you were PHYSICALLY THERE.

    Might work great in Hollywood, but in reality, it sux, use keypass instead. ;)

    1. This post has been deleted by its author

    2. Tim Parker

      Re: remove noise = direct shizzles

      "Might work great in Hollywood, but in reality, it sux, use keypass instead. ;)"

      I think you've actually managed to completely miss the point of this again - this is not being touted for use when you can copy a password/phrase into a text field or similar widget is it ? How can you use KeePass with a 3rd party on-screen keyboard ? KeePass is very nice, don't get me wrong, but it is not suitable where on-screen interaction with some random 3rd party on-screen verification scheme is required - something you may not have any option to avoid (whether the 3rd party should allow alternative verification procedures is another debate).

      As for 'it sux' - why don't you explain why you think it does.

      Also on one specific note, last time I looked, KeePass required a GDI+, .Net 2.0 or Mono compatible environment, not sure if that is still the case though. Of course that doesn't preclude using similar software, for similar needs, in deployments where that environment is not available - but worth a thought.

  8. Dan 55 Silver badge
    Mushroom

    I'm unsubscribing from your mailing list

    A cursor is not a pointer. Cursor is for keyboard, pointer is for mouse. Anna Leach goes and standards slip the very next day.

    1. Anonymous Coward

      Re: I'm unsubscribing from your mailing list

      I thought a cursor was for CONSOLE a pointer is a LaSER

    2. Anonymous Coward
      Coat

      Re: I'm unsubscribing from your mailing list

      I thought the cursor was the person sitting in front of the computer swearing at the wrong mouse pointer.

    3. Mostly_Harmless Silver badge
      Holmes

      Re: I'm unsubscribing from your mailing list

      Nope - the thing used to show the position of a mouse on screen is a cursor (which is why they're stored in .cur files in the cursors directory under Windows).

    4. Kubla Cant

      Re: I'm unsubscribing from your mailing list

      The mouse pointer is called a cursor in many GUI APIs. In CSS, a pointer is a specific style of cursor, as in "cursor: pointer" (alternatives are things like "wait" and "crosshair").

      Actually, of course, a cursor is the see-through thing on a slide-rule.

  9. J.G.Harston Silver badge

    Do you actually mean *pointer*? A cursor is a flashing or steady underline, viz: _ used for text entry. The thing on the screen that follows mouse movements is a *pointer*.

    http://mdfs.net/Info/Comp/Mouse/ccpm.gif

  10. David 39
    Trollface

    Meh

    To foil over the shoulder lookers when I'm entering passwords using my mouse I simply turn off the screen. Saves energy too thus reducing global warming. Using this offset I can let another cow fart as much as it wants.

    1. NukEvil
      Thumb Down

      Re: Meh

      If you turn the screen off, then how are you able to type here?

  11. Longrod_von_Hugendong
    Devil

    By the time you have messed about...

    Stick a gun to the user's head outside and ask for the password.

    No point in bringing a knife to a gun fight.

  12. Stevie

    Bah!

    DISCLAIMER: I live somewhere else but I haven't seen the system in action to be fair.

    I will therefore assume it is rubbish and loudly DECLAIM WHY, without providing any sort of evidence.

    That is all.
