Re: Defeating Citi-Bank Virtual Keyboard Protection

[AsTriXs <astrixs () gmail com>]

Debasis Bhai,

This is a good PoC.

I feel Citi-Bank Virtual Keyboard Protection can also be defeated by
existing key loggers and spyware programs like iOPUS STARR, spy budy
and others which take a screen snapshots at pre configured intervals.
If the screen capture can be configured to every instance of mouse
click, one can easily determine the IPIN used.

Let me know what you think?

-- 
[AsTriXs]



On 8/6/05, Debasis Mohanty <debasis () hackingspirits com> wrote:
> Recently I discovered a method to defeat the much hyped Citi-Bank Virtual
> Keyboard Protection which the bank claimed that it defends the customers
> against malicious programs like keyloggers, Trojans and spywares etc.
>
> Find the details below -
>
> Description:
> Early this year, Citi-Bank introduced the concept of Virtual Keyboard to
> defend against malicious programs like keyloggers, Trojans and spywares etc.
> The bank claimed that this concept would improve the security of those using
> its Internet banking facilities. Various features of this Virtual Keyboard
> are -
>
> .       The Virtual Keyboard is dynamic
> .       The sequence in which the numbers appears will change every time,
> the page is refreshed
> .       The Virtual Keyboard protects you from malicious 'Spy Ware' and
> 'Trojan Programs' designed to capture your keystrokes
> .       The Virtual Keyboard eliminates this risk and makes your Citibank
> login that much safer and provides for a secure online banking experience
>
> However, the Virtual Keyboard concept can be easily defeated by using Win32
> APIs to access HTML documents. Refer the PoC (Proof of Concept) section for
> more details.
>
> Criticality: High
>
> Platform: Windows XP (SP2) + IE 6.0
>
> Note: This PoC is applied only for Internet Explorer users
>
> Proof of Concept:
> Here I shall demonstrate how easily the Virtual Keyboard can be defeated by
> a simple program. I created a small program in VB 6.0 (called
> CitiPassLogger.exe) which can record not only the 16-Digit credit card but
> also the IPIN even if they are entered using the virtual keyboard.
>
> Currently, this program has been developed to log only the IPIN details of
> Citi-Bank India but the code can be modified to make it work universally for
> all the Citi-Bank sites with Virtual Keyboard login.
>
> As per my knowledge, there are no such keyloggers or spywares which uses any
> technique to defeat virtual keyboards. However, the technique that I am
> going to discuss here can be used by malicious program writers to write next
> generation viruses / worms to defeat such virtual keyboard protections.
> Hence, I hope people who are using Virtual Keybords shouldn't stay very
> over-confident.
>
> Download the complete PoC and the tool from the following link:
> http://www.hackingspirits.com/vuln-rnd/defeat-citibank-vk.zip
>
> For more vulnerabilities, visit
> http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
>
>
> History:
> 3rd August, 2005: Vendor was contacted but no response till today.
>
>
> Cheers,
> Debasis Mohanty (a.k.a Tr0y)
> www.hackingspirits.com


-- 
[AsTriXs n30]
[zooStatioN-zeBra]