Full Disclosure mailing list archives
RE: Defeating Citi-Bank Virtual Keyboard Protection
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sat, 6 Aug 2005 01:54:47 +0530
Wouldn't that be trivial to snoop on simply by making a trojan / spyware
application that records a section of screen
in the immediate proximity of mouse cursor on every mouse click? It's not
that resource consuming, and easy to
arrange.
Read the description section again, perhaps you have missed out the following - . The Virtual Keyboard is dynamic . The sequence in which the numbers appears will change every time, the page is refreshed Hence, desiging something the way that you have proposed is not going to workout here. Infact, that was the first thing any malicious program writer will think of.
My point is, although I have no practical experience with Citibank's
offering, I see nothing that was meant to be
secure about it - they just bank (no pun intended) on the fact one would
need to target their logon mechanism
specifically, and that generic keyloggers indeed fail to capture this
traffic. I agread with the point that there is nothing much to they can do here to secure it but however claiming that their protection is foolproof against spywares is something I believe is vague. - DM - -----Original Message----- From: Michal Zalewski [mailto:lcamtuf () dione ids pl] Sent: Saturday, August 06, 2005 1:40 AM To: Debasis Mohanty Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection On Sat, 6 Aug 2005, Debasis Mohanty wrote:
Recently I discovered a method to defeat the much hyped Citi-Bank Virtual Keyboard Protection which the bank claimed that it defends the customers against malicious programs like keyloggers, Trojans and spywares etc.
Wouldn't that be trivial to snoop on simply by making a trojan / spyware application that records a section of screen in the immediate proximity of mouse cursor on every mouse click? It's not that resource consuming, and easy to arrange. Probably no programs do that routinely today, of course. My point is, although I have no practical experience with Citibank's offering, I see nothing that was meant to be secure about it - they just bank (no pun intended) on the fact one would need to target their logon mechanism specifically, and that generic keyloggers indeed fail to capture this traffic. This is pretty good.
Criticality: High
Huh? /mz http://lcamtuf.coredump.cx/silence/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Michal Zalewski (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Jeremy Bishop (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Michal Zalewski (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Aditya Deshmukh (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection fractalg (Aug 05)
- <Possible follow-ups>
- Re: Defeating Citi-Bank Virtual Keyboard Protection Peter Ferrie (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection root (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection root (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Michal Zalewski (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Aditya Deshmukh (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
(Thread continues...)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Michal Zalewski (Aug 05)