Bugtraq mailing list archives

Re: Defeating Citibank Virtual Keyboard protection using screenshot method


From: Eli Dart <dart () es net>
Date: Thu, 10 May 2007 10:25:19 -0700


[snip]

That is the point "Int3" was reiterating.  If the problem Citi's OSK is 
supposed to fix is actually that the bad guys already have, or can more 
or less easily get, arbitrary code onto the client machine, then 
changing the way the client user interacts with the machine does not 
solve the problem -- it simply changes the form of data capture the bad 
guys' arbitrary code has to perform.

I think it's worth considering credit cards for a minute.

There is credit card fraud.  It costs big financial institutions lots
of money every year.  Those institutions spend lots of money on
preventing credit card fraud.  The cost of fraud and the money spent on
fraud prevention, in sum, approximate a minimum cost for the financial
institutions (at least, that's their goal :)  Yes, more fraud could be
prevented, but at a higher aggregate cost (note that part of the cost
might be lost revenue due to customer flight from onerous anti-fraud
measures).  Financial institutions put a lot of work into finding that
minimum.

There will always be online banking fraud, or at least we will have
online banking fraud until customers' computers, the bank's computers,
and the networks in between can be fully trusted (which is
approximately never unless we change computing and communications
paradigms).  It is my guess that the solutions deployed by the banks
will try to achieve the aggregate minimum cost for online banking fraud
in the same way that they try to achieve aggregate minimum cost for
credit card fraud.

The reason I say this is not to discuss the particular issues with
Citi's OSK.  I say this to point out that the people holding out for a
"perfect" solution that prevents 100% of online banking fraud are being
unrealistic.  If Citi's OSK reduces real-world fraud by a significant
margin, it's a big win for Citi and their customers, even if it has flaws.


                --eli

--
Eli Dart                                         Office: (510) 486-5629
ESnet Network Engineering Group                  Fax:    (510) 486-6712
Lawrence Berkeley National Laboratory
PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
