WebApp Sec mailing list archives

Re: Defeating Citi-Bank Virtual Keyboard Protection


From: Saqib Ali <docbook.xml () gmail com>
Date: Fri, 12 Aug 2005 15:05:23 -0700

> Saqib Ali [mailto:docbook.xml () gmail com] wrote:
> > Virtual keyboards don't help much.
> Seriously!! Have you understood the purpose of the original post?? Well,
> saying virtual keyboards don't help much is like saying something as if
> some other option will really make it hackproof. Can you suggest something
> really hackproof?? ... Huh!!

Boy, I am glad I didn't say "Virtual KBs are useless". You would have
killed me. :-)
But in all fairness, all I said was that "they don't help much".
Translation: they help, but they are not the holy grail. And I never
said that I have the solution to "hackproofing login forms". :-)


> Virtual keyboards have definitely improved the security when compared to
> ordinary login systems. However, they require some improvement. Now, in the case of
> CitiBank, they created a lot of hype about it and that somewhat reduces the
> fear in end-users against keyloggers. The idea of the original post was to
> demonstrate that these concepts are not foolproof and people still need to
> be cautious.

As you said, Virtual KBs have improved the login system to prevent KB
logging using physical methods. I think this is what Citibank is
saying as well. They never claimed, using Virtual KB will make the
system completely secure.

> I am sure you haven't gone through the PoC thoroughly. It is clearly
> mentioned that the tool is only for demo purposes and is designed to display
> the IPIN and the CC number of CitiBank India; however, the code can be
> modified to retrieve information from any Citibank site using the same
> concept. (Similarly, the concept applies to all other sites using the
> same concept.)

I am sure CitiPassLogger can be modified to include other sites. I
never said that it can not be. :-)

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
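The point argued back and forth in this thread (an on-screen keyboard defeats a keystroke logger but not code that can watch the page) is easy to show in a few lines. The following is an added illustration written for this archive page; it is not code from the thread, from Citibank, or from the CitiPassLogger PoC, and it says nothing about how that tool actually works. It simulates, in plain Node with no browser, a randomized ten-digit virtual keyboard (the layout seed, coordinates and PIN are all made up), a user entering a PIN either by typing or by clicking, and three hypothetical observers: a keystroke logger, a script with access to the page's click events, and an OS-level mouse hook that sees only coordinates.

```javascript
// Added illustration (not code from the thread or from CitiPassLogger): why an
// on-screen keyboard blinds a keystroke logger but not a logger that sees the
// page's DOM events. Everything here is simulated in plain Node, no browser.

const DIGITS = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];

// Small deterministic PRNG so the randomized layout is reproducible.
function lcg(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}

// A virtual keyboard: ten on-screen buttons whose digit labels are shuffled
// per session (a common design, so that screen position alone reveals nothing).
// Button i sits at made-up screen position (x = 40 * i, y = 300).
function buildVirtualKeyboard(seed) {
  const rand = lcg(seed);
  const labels = DIGITS.slice();
  for (let i = labels.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [labels[i], labels[j]] = [labels[j], labels[i]];
  }
  return labels.map((label, i) => ({ label, x: 40 * i, y: 300 }));
}

// User types the PIN on a physical keyboard: the browser sees keydown events.
function typePinPhysically(pin) {
  return [...pin].map((d) => ({ type: 'keydown', key: d }));
}

// User clicks the PIN on the virtual keyboard: the browser sees only click
// events, each carrying the clicked element (what a DOM listener gets) and
// the screen coordinates (what an OS-level mouse hook gets).
function clickPinOnVirtualKeyboard(keyboard, pin) {
  return [...pin].map((d) => {
    const button = keyboard.find((b) => b.label === d);
    return { type: 'click', target: button, x: button.x, y: button.y };
  });
}

// Observer 1: a classic hardware or driver-level keystroke logger.
function keystrokeLogger(events) {
  return events.filter((e) => e.type === 'keydown').map((e) => e.key).join('');
}

// Observer 2: code running inside the page (injected script, malicious
// extension, browser helper object) that reads the clicked element's label.
function domClickLogger(events) {
  return events.filter((e) => e.type === 'click').map((e) => e.target.label).join('');
}

// Observer 3: an OS-level mouse hook that sees only coordinates. It recovers
// the PIN only if it also captured that session's layout (e.g. a screenshot
// at each click); with an unknown, randomized layout the clicks are opaque.
function coordinateLogger(events, knownLayout) {
  return events
    .filter((e) => e.type === 'click')
    .map((e) => {
      if (!knownLayout) return '?';
      const hit = knownLayout.find((b) => b.x === e.x && b.y === e.y);
      return hit ? hit.label : '?';
    })
    .join('');
}

// Run both entry methods past all three observers for one made-up PIN.
function demo() {
  const pin = '4271';
  const keyboard = buildVirtualKeyboard(12345);
  const physical = typePinPhysically(pin);
  const virtual = clickPinOnVirtualKeyboard(keyboard, pin);
  return {
    physicalViaKeystrokes: keystrokeLogger(physical),               // '4271'
    virtualViaKeystrokes: keystrokeLogger(virtual),                 // ''  (virtual KB helps here)
    virtualViaDom: domClickLogger(virtual),                         // '4271' (but not here)
    virtualViaCoordsBlind: coordinateLogger(virtual, null),         // '????'
    virtualViaCoordsWithLayout: coordinateLogger(virtual, keyboard) // '4271'
  };
}

console.log(demo());
```

The two rows that matter are `virtualViaKeystrokes` (empty: the on-screen keyboard really does defeat a keystroke logger, which is all Citibank is credited with claiming above) and `virtualViaDom` (the full PIN: anything that can observe the page's own events, or pair mouse coordinates with a screenshot, gets it anyway). That is the gap the original PoC was posted to demonstrate.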
