WebApp Sec mailing list archives
Re: Defeating Citi-Bank Virtual Keyboard Protection
From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 12 Aug 2005 15:05:23 -0700
> Saqib Ali [mailto:docbook.xml () gmail com] wrote:
>> Virtual keyboards don't help much.
>
> Seriously !! Have you understood the purpose of the original post?? Well, saying virtual keyboards don't help much is like saying something as if some other option will really make it hackproof.. Can you suggest something really hackproof?? ... Huh !!
Boy I am glad I didn't say "Virtual KB are useless". You would have killed me. :-) But in all fairness, all I said was that "they don't help much". Translation: They help, but they are not the holy grail. And I never said that I have the solution to "hackproofing login forms". :-)
> Virtual keyboards have definitely improved the security when compared to ordinary login systems. However, it requires some improvement. Now in case of CitiBank, they created a lot of hype about it and that somewhat reduces the fear in end-users against keyloggers. The idea of the original post was to demonstrate that these concepts are not foolproof and people still need to be cautious.
As you said, Virtual KBs have improved the login system to prevent KB logging using physical methods. I think this is what Citibank is saying as well. They never claimed, using Virtual KB will make the system completely secure.
> I am sure, you haven't gone through the PoC thoroughly. It is clearly mentioned that the tool is only for demo purpose and is designed to display the IPIN and the CC number of CitiBank India, however the code can be modified to retrieve information from any citibank site using the same concept. (Similarly, the concept is applied to all other sites using the same concept).
I am sure CitiPassLogger can be modified to include other sites. I never said that it can not be. :-)

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.