Why virtual keyboards for security are snake oil

Some financial institutions use “virtual keyboards” to authenticate users.


They are basically useless against today’s threats like Haxdoor. Why? Because certain keyloggers use form grabbing: they capture the form’s POST submission instead of relying on keystrokes. And since a virtual keyboard still ends in a POST submission, it’s useless against these malware threats. Doh!
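To make the point concrete, here is an added example (not from the original post) that models a login form filled in two ways and compares the resulting POST bodies. The `LoginForm` class, the field names and the sample credentials are constructed for illustration.

```javascript
// Constructed model: two ways a PIN can reach the same login form.
class LoginForm {
  constructor() {
    this.fields = { user: "", pin: "" };
    this.keyEvents = []; // what a keystroke-level observer would see
  }
  // Physical keyboard: every character raises a key event, then lands in the field.
  typeKey(field, ch) {
    this.keyEvents.push(ch);
    this.fields[field] += ch;
  }
  // Virtual keyboard: a mouse click on an on-screen button appends the
  // character directly, so no key event is raised.
  clickVirtualKey(field, ch) {
    this.fields[field] += ch;
  }
  // What gets serialized for an application/x-www-form-urlencoded POST.
  postBody() {
    return new URLSearchParams(this.fields).toString();
  }
}

// Fill one form entirely by typing, the other with the PIN clicked in.
function compareInputPaths(user, pin) {
  const typed = new LoginForm();
  const clicked = new LoginForm();
  for (const ch of user) {
    typed.typeKey("user", ch);
    clicked.typeKey("user", ch);
  }
  for (const ch of pin) {
    typed.typeKey("pin", ch);
    clicked.clickVirtualKey("pin", ch);
  }
  return {
    typedBody: typed.postBody(),
    clickedBody: clicked.postBody(),
    pinKeyEventsTyped: typed.keyEvents.length - user.length,
    pinKeyEventsClicked: clicked.keyEvents.length - user.length,
  };
}

const result = compareInputPaths("alice", "4821"); // constructed sample values
console.log(result);
```

The virtual keyboard removes the PIN from the key-event stream, but the submitted body is byte-for-byte the same, which is exactly the data the post says form grabbing collects.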

And phishing Uber-guru Lance James has done a writeup on it here.