How to Prevent Thieves from Getting Your Passwords & Other Important Info

Keylogging is the capture of your keystrokes, here with the aim of stealing the usernames and passwords of your private accounts (e.g. PayPal, bank accounts, Skype accounts, etc.). Keyloggers are software or hardware tools that capture the user’s keystrokes from the keyboard. They can be useful for determining sources of error in computer systems and are sometimes used to measure employee productivity on certain clerical tasks. However, keyloggers are widely available on the internet and can be used by private parties to spy on the computer usage of others, and so to steal users' private data. If you use internet cafes when on the road, especially in third world countries, there is a fair chance that a keylogger program is active on the machine, just waiting to snag your online passwords. Public libraries and wifi hotspots are possibilities too. Even your home computer is vulnerable - check out this article.

First things first!
  • Always try to avoid accessing your important online accounts from public computers (see method #1).
  • Public computers may be stuffed with keyloggers, which pose a serious security risk to users, and there is no surefire way of fooling them - we can only maximize the chances of tricking them.
  • Hardware keyloggers are relatively easy to spot (see method #2).
  • Software keyloggers, on the other hand, are much more complex and difficult to deal with. Most of them record keystrokes, mouse events, clipboard activity, etc. The best bet is to make it difficult for the software logger to make sense out of the data it records (see methods #3 - 5).
  • The most secure method is booting the computer with your own CD, bypassing all the software keylogging programs that may be on the computer (method #6).
  • If you want to be even more safe, use a combination of all the methods.

Use any combination of these methods I've found to minimize the threat from keyloggers:

Method #1

Don't use public computers; try to use private ones. When I stay over at the home of someone who has internet, I use their computer to access my confidential data. Even in third world countries you would be surprised how many people have internet.

Method #2

Check for hardware keyloggers; these are easy to detect. They are devices which are generally attached between the keyboard and the computer case (CPU). A manual inspection should be enough in most cases. If you are suspicious, just check the back side of the computer. The images in the side bar will give you a better idea. This is not the only kind of hardware keylogger, though. There are also hardware keyloggers that can be put inside keyboards, or in other hard-to-detect places. By using an on-screen keyboard, you should be able to bypass hardware keyloggers. A free on-screen keyboard that I use is Neo's SafeKeys. The great thing about it is that not only can you install it on your laptop, you can install it on your flash drive.

Method #3

Type in a set of keystrokes designed to confuse the keylogger by making it log some gibberish instead of your valid password. Of course, this is not completely foolproof. Nothing is foolproof on the net. We can only make it harder for the hacker. Here are two related methods to confuse software keyloggers:

Let’s say we have to enter a password ‘jazz’.

  1. Click the password box, type any random key. Select the entered random key with the mouse and type j. So we entered the first letter of the password.
  2. Click the password box, type a random key. Again click and type a random key. Select the last two letters with your mouse and type the next valid key of your password.

Continue in a similar way to finish typing the password. You can put any number of random characters between the characters of your password.

So the keylogger will log something like:
[click]b[click]j[click]g[click]m[click]a[click]v[click]z[click]t[click]c[click]z

Note how we used unwanted mouse clicks so that a mouse click is also recorded before the random letters. You can also experiment with entering the password in reverse order, or in fact in any order.

This method can be used for entering the username too, since most banks use account numbers as usernames. If you are suffering from some keylogger phobia, use this technique while typing the URL too.

 

 

 

 


Here is another method related to the previous one - the result will be the same:

Let’s say we have to enter a password ‘jazz’.
  1. Click in the password box, type in the first letter of your password, j
  2. Click in some other box (the browser's address bar or some search bar) and type in some random characters, say 6_ty
  3. Click back in the password box and type in some more of your password, say az
  4. Click in some other box and type in some random characters, say ifd
  5. Continue in a similar way to finish typing the password. You can put any number of random characters between the characters of your password.
So the keylogger will log something like:
[click]j[click]6_ty[click]az[click]ifd[click]z

Note that you can use a combination of this and the previous method.
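The two procedures above can be replayed against a small model of the login page to compare what the password box ends up holding with what gets logged. This is an added example, not part of the original article; the event names (`click`, `select_last`, `type`) are hypothetical, the event lists are constructed from the article's 'jazz' walkthrough, and a click in the password box is assumed to put the cursor at the end.

```python
from math import comb

def replay(events):
    """Replay constructed UI events; return (password_field, log).

    Assumes a click in the password box puts the cursor at the end.
    """
    field, selected, focus, log = "", 0, None, []
    for kind, arg in events:
        if kind == "click":           # arg: "password" or "other" box
            focus, selected = arg, 0
            log.append("[click]")
        elif kind == "select_last":   # mouse-select last `arg` characters
            selected = arg
            log.append("[click]")
        elif kind == "type":
            log.append(arg)
            if focus == "password":   # typing replaces any selection
                field = field[:len(field) - selected] + arg
                selected = 0
    return field, "".join(log)

def exposure(log, password):
    """Return (still_in_order, decoy_count, candidate_upper_bound)."""
    keys = log.replace("[click]", "")
    it = iter(keys)
    in_order = all(ch in it for ch in password)  # password survives as a subsequence
    return in_order, len(keys) - len(password), comb(len(keys), len(password))

# Constructed event sequences for the article's sample password 'jazz'.
SELECT_AND_OVERTYPE = [
    ("click", "password"), ("type", "b"), ("select_last", 1), ("type", "j"),
    ("click", "password"), ("type", "g"), ("click", "password"), ("type", "m"),
    ("select_last", 2), ("type", "a"),
    ("click", "password"), ("type", "v"), ("select_last", 1), ("type", "z"),
    ("click", "password"), ("type", "t"), ("click", "password"), ("type", "c"),
    ("select_last", 2), ("type", "z"),
]
OTHER_BOX_DECOYS = [
    ("click", "password"), ("type", "j"), ("click", "other"), ("type", "6_ty"),
    ("click", "password"), ("type", "az"), ("click", "other"), ("type", "ifd"),
    ("click", "password"), ("type", "z"),
]

if __name__ == "__main__":
    for name, events in (("overtype", SELECT_AND_OVERTYPE), ("other box", OTHER_BOX_DECOYS)):
        field, log = replay(events)
        print(name, field, log, exposure(log, field))
```

With only six or seven decoy characters, a four-character password still sits in order among at most 210 or 330 candidates in the recorded keys, so treat these tricks as light obfuscation. They do nothing against loggers that also take screenshots, which Method #6 discusses.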

Method #4

Use two open source programs called KeeForm and KeePass. KeePass is a program that stores all your usernames and passwords in a password-protected, encrypted database so they are entirely safe from others. You double-click the URL of an entry to launch a web site. Once you are there, clicking on an input field and firing off an AutoType sequence with a keyboard shortcut helps you fill in your username and password. In and of itself, this is just a username/password manager, or a place to put all this information so you don't forget it. Combine it with KeeForm and you have a powerful tool to foil many keylogging programs.

KeeForm is a popular extension for KeePass that can launch web sites, scan for user name and password fields, and fill in that information for you automatically. It automates the login process for you and is highly configurable. Passwords are entered without any keystrokes, Auto-Type or "copy and paste" operations, bypassing clipboard spies and keyloggers. According to the forum on KeeForm (and other places I've searched), they generally say something like this: "KeePass will not prevent key loggers intercepting your keystrokes, but if used with KeeForm it will. KeeForm uses the COM interface of Internet Explorer to send login details without any keystrokes. Mind you, no secure transaction should be made on a compromised system." Follow these instructions for installation of the most recent version of KeeForm.

This is the primary method we are using on our laptop. Unfortunately, only KeePass is available for use on a flash drive, so in order to use KeePass, you have to have your own laptop.

Method #5

Use KeyScrambler: KeyScrambler encrypts your input at the keyboard driver level as it enters your computer and decrypts it at the destination application, leaving keyloggers with indecipherable keys to record. Sounds good, but in researching its effectiveness, the critics say that it is theoretically possible for a keylogging program to capture the information before it's encrypted at the keyboard driver level or after it's decrypted at the destination level. If you go to their site, it looks pretty impressive, and like George Bush they use fear tactics in trying to scare you into buying their product. They also give some impressive testimonies. There is a free basic version of KeyScrambler and a more complex pay version.

Method #6

Boot up the computer with your own Linux live operating system. Feeling secure? Well, the above methods may not work against the really smart keyloggers, the ones that also take a screenshot when a keystroke or mouse event is detected. There is a solution for that too, but it is cumbersome and takes some techie skills. Take a Live CD of any of the Linux distributions. Insert and use it (and hope Linux will detect the hardware so you can start using the internet; I have read that the Ubuntu live CD is good). Check out this guide to making a Linux Live CD. Even if you can successfully access the web from the Live CD, don’t forget to use the above tips to work around the hardware keylogger.

Warning: Many library and internet cafe computers in the US have protection software built into them, so this method wouldn't work. My guess is that if the computers are that well protected, then there wouldn't be keyloggers on them - but there is no guarantee!