Full Disclosure mailing list archives

RE: Defeating Citi-Bank Virtual Keyboard Protection


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 5 Aug 2005 22:50:55 +0200 (CEST)

On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Read the description section again, perhaps you have missed out the
> following -
> - The Virtual Keyboard is dynamic
> - The sequence in which the numbers appear will change every time
>   the page is refreshed
>
> Hence, designing something the way that you have proposed is not going to
> work out here.

Again, I might be wrong (I am not a Citibank customer), but I understand
that, when you visit the logon page, you're presented with an on-screen
keypad with keys in randomized and possibly constantly changing (dynamic)
order, and must enter your PIN or other authentication data by clicking
appropriate on-screen keys using your mouse.

What I proposed (and I'm sure I'm not innovative here) went along the
lines of hooking up and intercepting the mouse click button, and then, at
the exact moment of mouse click, capturing the position of the mouse
pointer, and a bitmap of its nearest surroundings - ideally, before the
event is delivered to the browser window. That should work regardless of
the method used to shuffle displayed keys, is very much workable on
Windows and under X11, and shouldn't be particularly resource or
bandwidth consuming.

This is a generalised way of snooping virtual keyboards and similar
on-screen mouse-driven input interfaces.

Cheers,
/mz
http://lcamtuf.coredump.cx/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

