WebApp Sec mailing list archives

RE: Defeating Citi-Bank Virtual Keyboard Protection


From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Sat, 13 Aug 2005 01:11:58 +0530

Saqib Ali [mailto:docbook.xml () gmail com] wrote:
Virtual keyboards don't help much.

Seriously !! Have you understood the purpose of the original post?? Well,
saying virtual keyboards don't help much is like saying something as if
some other option will really make it hackproof.. Can you suggest something
really hackproof?? ... Huh !!

Virtual keyboards have definitely improved the security when compared to
ordinary login systems. However, it requires some improvement. Now in case of
CitiBank, they created a lot of hype about it and that somewhat reduces the
fear in end-users against keyloggers. The idea of the original post was to
demonstrate that these concepts are not foolproof and people still need to
be cautious.


Tools similar to what you have developed have existed for a while now.
See http://www.lostpassword.com/asterisk.htm, it does the same thing as
your CitiPassLogger.exe . And it works regardless of the input method.

I am sure you haven't gone through the PoC thoroughly. It is clearly
mentioned that the tool is only for demo purposes and is designed to display
the IPIN and the CC number of CitiBank India; however, the code can be
modified to retrieve information from any CitiBank site using the same
concept. (Similarly, the concept is applicable to all other sites using the
same concept.)

Now as far as the program asterisk is concerned, what has it to do with
keyloggers? Maybe it is created keeping in mind to retrieve the saved
passwords in the login screens. In fact "asterisk" can only retrieve the
password once you have punched in the pwds and then try to retrieve them;
however, the CitiPassLogger.exe displays everything in real-time.

I hope it is clear now.


- DM -

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Friday, August 12, 2005 9:42 PM
To: Debasis Mohanty
Cc: webappsec () securityfocus com
Subject: Re: Defeating Citi-Bank Virtual Keyboard Protection

Virtual keyboards don't help much. Tools similar to what you have developed
have existed for a while now. See http://www.lostpassword.com/asterisk.htm,
it does the same thing as your CitiPassLogger.exe . And it works
regardless of the input method.


On 8/5/05, Debasis Mohanty <debasis () hackingspirits com> wrote:
Recently I discovered a method to defeat the much hyped Citi-Bank
Virtual Keyboard Protection, which the bank claimed defends the
customers against malicious programs like keyloggers, Trojans, spyware,
etc.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
