writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage."
I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?