Some financial institutions use “virtual keyboards” to authenticate users.
They are basically useless against today’s threats like Haxdoor. Why? Because certain keyloggers use form grabbing (grabbing POST submissions). And since virtual keyboards do a POST submission, they’re useless against these malware threats. Doh!
And phishing Uber-guru Lance James has done a writeup on it here.
Alex Eckelberry