Full Disclosure mailing list archives

RE: Defeating Citi-Bank Virtual Keyboard Protection


From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sat, 6 Aug 2005 04:05:30 +0530

Sweet and Simple - This is how this program works. 

A brief on the algorithm is given below - 

Step1: Enumerate all the IE windows and look for the one with CitiBank Login
screen (This step is invoked when an IE is opened and a particular URL is
requested)

Step2: If found then Create a HTML object

Step3: Set the objEliment to 46 (For Credit Card No) and 61 (for IPIN) [These
numbers are specific to CitiIndia Login page]   Note: However, this can be
modified to work universally for Citi-UK and others

Step4: Retrieve value from those elements 

End

That's all about the program logic. This runs very fast and hardly eats
memory ;)

Will possibly update the source code sometime ... Keep watching !!

- DM -

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of root
Sent: Saturday, August 06, 2005 5:57 PM
To: Peter Ferrie
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard
Protection

Peter Ferrie wrote:

Recently I discovered a method to defeat the much hyped Citi-Bank 
Virtual Keyboard Protection which the bank claimed that it defends 
the customers against malicious programs like keyloggers, Trojans and 
spywares etc.

Wouldn't that be trivial to snoop on simply by making a trojan / 
spyware application that records a section of screen in the immediate 
proximity of mouse cursor on every mouse click? It's not that resource 
consuming, and easy to arrange.

Something similar was done by variants of the W32/Dumaru family last year.
That was an attack against the e-Gold keypad.
You can read about it here: http://pferrie.tripod.com/vb/dumaru.pdf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

This has already been done in 1997 in 'proof of concept' form to do the screen
capture process, when 2 Australian banks launched on-screen keypads.
I understand the demo took an image of around 10 pixel +- the mouse click
position.

Nothing terribly new, concept-wise.

Lyal