Full Disclosure mailing list archives
RE: Defeating Citi-Bank Virtual Keyboard Protection
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sat, 6 Aug 2005 03:13:10 +0530
MZ,

> What I proposed (and I'm sure I'm not innovative here) went along the
> lines of hooking up and intercepting the mouse click button, and then,
> at the exact moment of mouse click, capturing the position of the mouse
> pointer, and a bitmap of its nearest surroundings - ideally, before the
> event is delivered to the browser window.

I just realised there has been a wrong interpretation of my statement which reads ".. is not going to work out here". What I actually meant here is, it won't be advisable to design that way and is comparatively less efficient. In fact if you see the best of worms / keyloggers / spywares are simple, smaller & faster. Now won't that be a heavy job if they start capturing screenshots ?? Sorry for that initial confusion !!

> That should work regardless of the method used to shuffle displayed keys,
> is very much workable on Windows and under X11, and shouldn't be
> particularly resource or bandwidth consuming.

Agreed, but again my answer is same again - "won't that be a heavy job if they start capturing screenshots ??"

- DM

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () dione ids pl]
Sent: Saturday, August 06, 2005 2:21 AM
To: Debasis Mohanty
Cc: full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection

On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Read the description section again, perhaps you have missed out the
> following -
> . The Virtual Keyboard is dynamic
> . The sequence in which the numbers appear will change every time, the
>   page is refreshed
> Hence, designing something the way that you have proposed is not going
> to work out here.

Again, I might be wrong (I am not a Citibank customer), but I understand that, when you visit the logon page, you're presented with an on-screen keypad with keys in randomized and possibly constantly changing (dynamic) order, and must enter your PIN or other authentication data by clicking appropriate on-screen keys using your mouse.

What I proposed (and I'm sure I'm not innovative here) went along the lines of hooking up and intercepting the mouse click button, and then, at the exact moment of mouse click, capturing the position of the mouse pointer, and a bitmap of its nearest surroundings - ideally, before the event is delivered to the browser window.

That should work regardless of the method used to shuffle displayed keys, is very much workable on Windows and under X11, and shouldn't be particularly resource or bandwidth consuming.

This is a generalised way of snooping virtual keyboards and similar on-screen mouse-driven input interfaces.

Cheers,
/mz
http://lcamtuf.coredump.cx/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/