Bugtraq mailing list archives
RE: Defeating Citibank Virtual Keyboard protection using screenshot method
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Sat, 12 May 2007 01:46:20 +0200 (CEST)
> Sure, they're a lot more expensive and a lot more "high-tech" but unless they are doing end-to-end client and server authentication and strong crypto _AND_ have their own input and output devices that cannot be interfaced from the host OS _AND_ are required for verifying (virtually) every step of every transaction (in other words -- if you have any of the real-world implementations of banking OTP cards used anywhere in the world, the answer is "no"), they are effectively no better than the Citi OSK's as they are trivially MiTM'ed via on-client malware.
In fact the system used by the major Dutch banks is audited rather extensively. The OTP system is based on an external smartcard reader and a smartcard application on the bank card. They have no physical connection, so the web interface will present you with a challenge and you must use that challenge, your card and your PIN to generate the proper response. Then you have to type in this response.

It is a combination of:
- What you have (the card with the smartcard application)
- What you get (the challenge from the server)
- What you know (your PIN code)

To the best of my knowledge the transaction value is also part of the calculations. So you cannot fix the actual amount and let the other parts just pass by.

I would welcome you to explain to us how one can do a MITM attack on that. It is many times harder to break into this sort of system than many of the soft targets relying on fixed username+password prompts.

Dutch law requires extensive external audits on these systems.

Hugo.

-- 
hvdkooij () vanderkooij org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
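The property the reply describes, a challenge-response in which the transaction value is part of the computation, is what makes the difference between authenticating the user and authenticating the transaction. The following toy model is an added illustration, not code from this post and not any bank's actual protocol: a simulated card holds a per-card key, releases a response only after the correct PIN, and MACs the server's random challenge together with the amount and beneficiary. The server recomputes the MAC over the transaction it is about to execute, so a client-side change to the amount after the user has typed the response is rejected. The same model with `bind_tx=False` shows the weaker scheme Nick's post targets, where the response covers only the challenge and a swapped amount passes. All keys, PINs, account strings and the 8-digit truncation are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    beneficiary: str


def _message(challenge: bytes, tx: Transaction, bind_tx: bool) -> bytes:
    """Bytes the card authenticates. With bind_tx=False only the challenge is
    covered, modelling a scheme that proves who the user is but not what they
    are approving."""
    parts = [challenge]
    if bind_tx:
        parts += [str(tx.amount_cents).encode(), tx.beneficiary.encode()]
    out = b""
    for p in parts:
        # Length prefix each field so shifting bytes between fields cannot collide.
        out += len(p).to_bytes(2, "big") + p
    return out


def _response(key: bytes, challenge: bytes, tx: Transaction, bind_tx: bool) -> str:
    mac = hmac.new(key, _message(challenge, tx, bind_tx), hashlib.sha256).digest()
    # Truncate to 8 decimal digits: the kind of code a reader displays and the
    # user types back into the web form (constructed, not a real reader format).
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class SmartCard:
    """Simulated card application: the key never leaves the card and nothing is
    computed until the PIN ("what you know") unlocks it."""

    def __init__(self, key: bytes, pin: str, bind_tx: bool = True):
        self._key = key
        self._pin = pin
        self._bind_tx = bind_tx

    def respond(self, pin: str, challenge: bytes, tx: Transaction) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return _response(self._key, challenge, tx, self._bind_tx)


class BankServer:
    """Simulated server: issues single-use random challenges and verifies the
    response against the transaction it actually received."""

    def __init__(self, card_keys: dict, bind_tx: bool = True):
        self._card_keys = card_keys
        self._bind_tx = bind_tx
        self._pending: dict = {}

    def challenge(self, card_id: str) -> bytes:
        c = os.urandom(8)  # "what you get"
        self._pending[card_id] = c
        return c

    def verify(self, card_id: str, tx: Transaction, response: str) -> bool:
        challenge = self._pending.pop(card_id, None)  # consumed on first use
        if challenge is None:
            return False
        expected = _response(self._card_keys[card_id], challenge, tx, self._bind_tx)
        return hmac.compare_digest(expected, response)


CARD_KEY = b"constructed-card-key-0123456789abcdef"  # constructed secret
INTENDED = Transaction(amount_cents=5_000, beneficiary="NL00TEST0123456789")
TAMPERED = Transaction(amount_cents=999_999, beneficiary="NL99TEST0000000001")


def demo(tamper: bool, bind_tx: bool = True) -> bool:
    """Run one transaction. With tamper=True the host relays a different
    transaction than the one the user approved on the card."""
    card = SmartCard(CARD_KEY, pin="1234", bind_tx=bind_tx)
    server = BankServer({"card-001": CARD_KEY}, bind_tx=bind_tx)
    challenge = server.challenge("card-001")
    response = card.respond("1234", challenge, INTENDED)
    sent = TAMPERED if tamper else INTENDED
    return server.verify("card-001", sent, response)


def replay_rejected() -> bool:
    """A captured response is useless once its challenge has been consumed."""
    card = SmartCard(CARD_KEY, pin="1234")
    server = BankServer({"card-001": CARD_KEY})
    challenge = server.challenge("card-001")
    response = card.respond("1234", challenge, INTENDED)
    first = server.verify("card-001", INTENDED, response)
    second = server.verify("card-001", INTENDED, response)
    return first and not second


def wrong_pin_rejected() -> bool:
    card = SmartCard(CARD_KEY, pin="1234")
    try:
        card.respond("0000", os.urandom(8), INTENDED)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("honest, amount bound   :", demo(tamper=False))            # True
    print("tampered, amount bound :", demo(tamper=True))             # False
    print("tampered, amount unbound:", demo(tamper=True, bind_tx=False))  # True
```

The contrast between the last two lines is the whole argument: when the card's response is a function of the challenge alone, malware sitting between the user and the bank can substitute any transaction it likes and the response still verifies; once amount and beneficiary are inside the MAC, that substitution is detected server-side without the server trusting anything on the client. The residual risk the model also makes visible is that the reader must display the amount it is signing, since a user who confirms "5000" on a reader that shows only a challenge cannot tell what they approved.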