If random is secure, pseudorandom is pseudosecure

Do you bank online? How are you asked for your secret code? Three randomly placed digits of it, hmm? The reason for the randomness is that any malicious keylogging software can’t see your screen, just your keyboard: so even if it logged every time you banked online, the fraudster it reported back to could never guess the order of the numbers in your secret code and hence the code would be useless.

A few banks now ask you for the same three digits if you guess wrongly. Their idea is that to do otherwise, and just ask for a different three random digits, would make the site look like a phishing site, which is debatable. But by asking repeatedly for the same digits, the banks immediately provide keyloggers with a method of cracking into your account. Every time you get your login wrong once, keylogging software can attempt an automated login to your account in between your two attempts, making a note of the HTML which gives them the position of your numbers. It can then wait for you to get the code right, and it immediately has three of your numbers and their positions.

After around four or five iterations of incorrect-login/keylogger-login/correct-login, the software has pretty much your entire code and can siphon everything out of your accounts. The iterations may be picked up by stochastic anti-fraud technologies at the bank; they might not, of course.
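To show how much the retry policy matters, here is an added Python model (not from the post or the paper it cites) that counts how many wrong-then-right login cycles a keystroke observer needs before it holds the whole code under the two policies; the code length, the three digits per challenge and the observer's abilities are constructed assumptions.

```python
import random

CODE_LEN, K = 8, 3  # constructed: an 8-digit code, 3 digits asked per login


def next_challenge(policy, previous, failed, rng):
    """Positions the bank asks for. 'repeat' re-issues the same positions
    after a wrong answer; 'fresh' draws new ones every time."""
    if policy == "repeat" and failed and previous is not None:
        return previous
    return sorted(rng.sample(range(CODE_LEN), K))


def simulate(policy, cycles, seed=0):
    """Run `cycles` rounds of wrong-answer-then-right-answer logins and return
    the code plus the (position -> digit) pairs a keystroke observer can
    reconstruct. The observer always sees the typed digits; it learns which
    positions they belong to only when the challenge is repeated, because a
    repeated challenge can be read back by logging in between the attempts."""
    rng = random.Random(seed)
    code = [rng.randrange(10) for _ in range(CODE_LEN)]
    known, challenge = {}, None
    for _ in range(cycles):
        challenge = next_challenge(policy, challenge, failed=False, rng=rng)
        # user mistypes; the bank now issues the retry challenge
        challenge = next_challenge(policy, challenge, failed=True, rng=rng)
        if policy == "repeat":
            for pos in challenge:
                known[pos] = code[pos]  # typed digit now tied to its position
    return code, known


def cycles_until_full(policy, max_cycles=50, seed=0):
    """Fewest fail/succeed cycles after which the observer holds every digit,
    or None if the code never leaks in full within max_cycles."""
    for n in range(1, max_cycles + 1):
        code, known = simulate(policy, n, seed)
        if len(known) == CODE_LEN:
            return n
    return None


if __name__ == "__main__":
    for policy in ("repeat", "fresh"):
        print(policy, "->", cycles_until_full(policy))
```

With the same seed each run is reproducible, so the two policies can be compared directly: re-randomising the challenge leaves the observer with digits but no positions, while repeating it leaks the full code after a handful of cycles.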

More detail is available in a paper recently published in Computers & Security (preprint). From the URL of the preprint, the customers of one particular bank might want to check it out.

(Hat tip to my father-in-law.)