4

How effective are on-screen keyboards against software keyloggers?
Windows 7 on-screen keyboard to be specific.
They will definitely bypass hardware keyloggers but what about sophisticated software keyloggers?

E.g., on a bank website, is it safer to use the Windows virtual keyboard or the soft keyboard provided on the webpage itself?

Update
I am not saying that my system is infected.
I am just asking this as a precautionary measure for cases like when I have to use a PC in a cyber cafe.

tumchaaditya

3 Answers

5

It is far safer to assume that all functionality in a compromised machine will give you away rather than assuming that only some functionality has been compromised. Once a machine has been rooted, the only way to be 100% sure it's safe again is to wipe and reinstall.

In the case of public computers, I would assume that the machine is compromised and not do anything on that machine that you can't quickly recover from. I certainly wouldn't do any banking on such a machine.

Green
2

If the system is compromised by a software key logger, then it probably has other functions too, like getting text off a web form, so whatever keyboard you use, the malware is still gonna get it.

If you figure out a way of bypassing even that, the malware could get your password by using a man-in-the-middle attack. Best thing to do is to find a safe system and boot Linux live.

HackToHell
0

This depends on the kind of keylogger you want to bypass.

If it's a hardware keylogger, i.e. someone broke into your home or office and installed a piece of hardware, the on-screen keyboard will prevent them from reading your password, as there is no signal transmitted from your keyboard.

If you're concerned about software keyloggers, i.e. malicious software, it entirely depends on what functionality was implemented by the attacker. If they just read the keys you press, an on-screen keyboard might help, depending on what part of the OS they attack. If it's not the OS's OSK, but e.g. a Flash program provided by your bank, it is safe from regular key intercepts, but it shouldn't be too difficult for an enterprising programmer to detect the location of clicks and record the nearest few pixels when the user visits a particular bank's website.

If you're already strongly concerned about malware anyway, e.g. accessing your bank website in an unknown and potentially compromised environment, just don't do it.

Daniel Beck