Full Disclosure mailing list archives
RE: Defeating Citi-Bank Virtual Keyboard Protection
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sat, 6 Aug 2005 04:05:30 +0530
Sweet and Simple - This is how this program works. A brief on the algorithm is given below -

Step1: Enumerate all the IE windows and look for the one with CitiBank Login screen (This step is invoked when an IE is opened and a particular URL is requested)
Step2: If found then Create an HTML object
Step3: Set the objEliment to 46 (For Credit Card No) and 61 (for IPIN) [These numbers are specific to CitiIndia Login page]
Note: However, this can be modified to work universally for Citi-UK and others
Step: Retrieve value from those elements
End

That's all about the program logic. This runs very fast and hardly eats memory ;)

Will possibly update the source code sometime ... Keep watching !!

- DM -

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of root
Sent: Saturday, August 06, 2005 5:57 PM
To: Peter Ferrie
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection

Peter Ferrie wrote:
> > > Recently I discovered a method to defeat the much hyped Citi-Bank Virtual Keyboard Protection which the bank claimed that it defends the customers against malicious programs like keyloggers, Trojans and spywares etc.
>
> > Wouldn't that be trivial to snoop on simply by making a trojan / spyware application that records a section of screen in the immediate proximity of mouse cursor on every mouse click? It's not that resource consuming, and easy to arrange.
>
> Something similar was done by variants of the W32/Dumaru family last year. That was an attack against the e-Gold keypad. You can read about it here: http://pferrie.tripod.com/vb/dumaru.pdf
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

This has already been done in 1997 in 'proof of concept' form to do the screen capture process, when 2 Australian banks launched on-screen keypads. I understand the demo took an image of around 10 pixels +- the mouse click position.

Nothing terribly new, concept-wise.

Lyal