Bugtraq mailing list archives
Re: Defeating Citibank Virtual Keyboard protection using screenshot method
From: "Bojan Zdrnja" <bojan.zdrnja () gmail com>
Date: Fri, 18 May 2007 09:13:34 +1200
Aditya, On 5/18/07, aditya kuppa <aditya1010 () gmail com> wrote:
How about this Trojan ;) http://www.hispasec.com/laboratorio/troyano_video_en.htm looks great method to get the Password if the inputs are scrambled,rotated randomly after each entry etc. Combination of trojan like this +a simple keylogger +a MITM can defeat all possible authentication mechanism Multi Factor,channel authentications like OTP,SMS based logging etc
Cute trojan, however, it cannot defeat an out of band challenge such as SMS, unless it's not properly implemented or the attacker has under control much more (in which case he doesn't really need to defeat this at all). The idea of the out of band challenge is that the user (the victim) will receive an SMS message which will state exactly what's happening, together with the authorization code. The code has to be unique and the bank has to calculate the code depending on the transaction and some secret (an MD5 hash would be enough). An example of such an SMS message would be: "You are about to transfer $100 to account number 12345678. Your authorization code is: 9876543". Now, the user has to enter this on the bank web site to complete the transaction. If he doesn't do it in a certain time interval the transaction is denied. If the authorization code is not correct, the transaction is denied. If the attacker changes anything through the MiTM, the user will see it in the SMS message. If the attacker captures user's login credentials and try to do this later (when the user is offline), the user would receive the SMS message (which would hopefully alert him) and the attacker would have to guess the authorization code to complete the transaction (the bank can implement a lockout, for example, if 3 incorrect authorization codes have been entered). As you can see, this defeats all attacks. The attacker would have to hack the SMS gateway/Telco in order to modify SMS messages sent which is almost impossible or impractical. Cheers, Bojan
Current thread:
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method, (continued)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method Seth (May 15)
- RE: Defeating Citibank Virtual Keyboard protection using screenshot method Glynn Clements (May 15)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method Bojan Zdrnja (May 16)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method Reversemode (May 11)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method Paul Foote (May 14)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method imipak (May 15)
- RE: Defeating Citibank Virtual Keyboard protection using screenshot method Rogier Mulhuijzen (May 16)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method sethb (May 17)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method mailbox () martinelli com (May 17)
- Message not available
- Defeating Citibank Virtual Keyboard protection using screenshot method aditya kuppa (May 17)
- Re: Defeating Citibank Virtual Keyboard protection using screenshot method Bojan Zdrnja (May 17)
- Message not available
- Re: Re: Defeating Citibank Virtual Keyboard protection using screenshot method balazs . zolika (May 18)