Bugtraq mailing list archives
Re: Defeating Citibank Virtual Keyboard protection using screenshot method
From: "Bojan Zdrnja" <bojan.zdrnja () gmail com>
Date: Wed, 16 May 2007 22:47:46 +1200
On 5/11/07, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Sure, they're a lot more expensive and a lot more "high-tech" but unless they are doing end-to-end client and server authentication and strong crypto _AND_ have their own input and output devices that cannot be interfaced from the host OS _AND_ are required for verifying (virtually) every step of every transaction (in other words -- if you have any of the real-world implementations of banking OTP cards used anywhere in the world, the answer is "no"), they are effectively no better than the Citi OSK's as they are trivially MiTM'ed via on-client malware.
This actually isn't that hard to do properly and I already see some banks doing it. The key here is to tell the user what's going on via an out-of-band method. In other words, once a user has decided to make a transaction, the bank sends a challenge *and* transaction details *somehow* to him. The user has to confirm the transaction by entering the proper challenge. The "somehow" method can vary, but it looks like sending SMS messages is the most acceptable method today. So, the user gets an SMS message with the challenge code and the transaction details and enters that into his web browser.

The attacker behind his MiTM can't do anything - if he changes the transaction before, the user will (hopefully) see it. If he changes the challenge, the transaction will fail.

Cheers,

Bojan
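The exchange Bojan describes, as an added worked example that is not part of the original post or of any bank's real implementation: the bank binds a short confirmation code to the exact payee and amount it received, pushes details plus code over the out-of-band channel (SMS), and the user only types the code back if the SMS matches what they intended. The two tampering cases from the post are modelled as hooks that rewrite the request or the typed code in the browser. All names, the HMAC-based code construction, the server key, the SMS format and the account numbers are constructed for this example; it also assumes the SMS channel itself is not reachable from the compromised host.

```python
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed server-side secret for this example only; a real bank would keep it in an HSM.
BANK_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
SMS_RE = re.compile(r"Transfer (\d+\.\d{2}) to (\S+)\. Code (\d{6})")


def transaction_code(key: bytes, txn: dict, nonce: bytes) -> str:
    """Six-digit code bound to payee, amount and a per-transaction nonce (HMAC-SHA256, truncated).

    Binding the code to the details, not just to the session, is what makes an
    altered transaction verify only with a *different* code.
    """
    msg = f"{txn['to_account']}|{txn['amount_cents']}|{nonce.hex()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Server side: records the transaction exactly as received and sends its
    details plus the code over a channel the browser cannot touch (SMS)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending: Dict[str, Tuple[dict, str]] = {}
        self.executed: List[dict] = []

    def submit(self, txn: dict) -> Tuple[str, str]:
        txn_id = secrets.token_hex(4)
        nonce = secrets.token_bytes(8)
        code = transaction_code(self.key, txn, nonce)
        self.pending[txn_id] = (dict(txn), code)
        # This string travels out of band (SMS), not back through the browser session.
        sms = f"Transfer {txn['amount_cents'] / 100:.2f} to {txn['to_account']}. Code {code}"
        return txn_id, sms

    def confirm(self, txn_id: str, code_entered: str) -> bool:
        txn, expected = self.pending.pop(txn_id)
        if not hmac.compare_digest(expected, code_entered):
            return False  # wrong code: the transaction fails
        self.executed.append(txn)
        return True


def user_reads_sms(sms: str, intended: dict) -> Optional[str]:
    """The user compares the SMS with the transfer they meant to make and only
    types the code back if payee and amount agree."""
    m = SMS_RE.fullmatch(sms)
    if m is None:
        return None
    amount_cents = round(float(m.group(1)) * 100)
    if m.group(2) != intended["to_account"] or amount_cents != intended["amount_cents"]:
        return None  # details differ from what the user entered: refuse to confirm
    return m.group(3)


def run(tamper_txn: Optional[Callable[[dict], dict]] = None,
        tamper_code: Optional[Callable[[str], str]] = None) -> bool:
    """One end-to-end transfer. The optional hooks model on-client malware
    rewriting the request or the typed code inside the browser. Returns True
    only if the bank executed the user's intended transfer."""
    bank = Bank(BANK_KEY)
    intended = {"to_account": "NZ12-3456-7890", "amount_cents": 5_000}  # constructed
    submitted = tamper_txn(dict(intended)) if tamper_txn else dict(intended)
    txn_id, sms = bank.submit(submitted)
    code = user_reads_sms(sms, intended)
    if code is None:
        return False  # user saw the altered details in the SMS and never confirmed
    if tamper_code:
        code = tamper_code(code)
    return bank.confirm(txn_id, code) and bank.executed == [intended]


def honest() -> bool:
    return run()


def mitm_rewrites_payee() -> bool:
    """Malware changes the destination account before the request leaves the browser."""
    return run(tamper_txn=lambda t: {**t, "to_account": "NZ99-9999-9999"})


def mitm_rewrites_code() -> bool:
    """Malware changes the code the user typed; the bank's stored code no longer matches."""
    return run(tamper_code=lambda c: f"{(int(c) + 1) % 1_000_000:06d}")


if __name__ == "__main__":
    print("honest transfer executed:", honest())
    print("payee rewritten in browser, executed:", mitm_rewrites_payee())
    print("code rewritten in browser, executed:", mitm_rewrites_code())
```

The part that carries the security argument is that the bank computes and stores the code over the transaction it actually received, and the SMS echoes those same details: the malware can change what the bank sees or what the user types, but it cannot make the SMS describe one transfer while the bank executes another.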