WebApp Sec mailing list archives
Re: Defeating Citi-Bank Virtual Keyboard Protection
From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 13 Aug 2005 12:24:28 +1000
Hi there,
This is part my opinion, and part a list administrative warning.
First, the list administrative warning - Debasis, please do not attack other posters here. It's not warranted. We can do better than that. If I see more of the same, I will not be approving such posts.
Secondly, my opinion on this topic... Regardless of the security bonus or negatives of movable keyboards, they are not accessible, and thus violate most organizations' legal mandate to be accessible. Very few organizations are exempt from disability laws, and you know if you are. You should not implement them unless you have a Plan B which does not discriminate against disabled users in any fashion, and does not create a weaker security path, for that is the path the attackers will use.
On top of that, normal everyday users *hate* and *despise* them. A bank I worked for in the past lost at least x0,000 customers to other banks which did not have them. This cost them millions (possibly hundreds of millions) of actual loss due to poor usability. AFAIK, they have not recovered these customers. The business people I spoke with there are terrified of implementing anything which may now lose them customers in the same way.
Remember, user-centric design is a key to good security. Ignore the users at your peril.
thanks,
Andrew
On 13/08/2005, at 5:41 AM, Debasis Mohanty wrote:
Saqib Ali [mailto:docbook.xml () gmail com] wrote:
Virtual keyboards don't help much.
Seriously !! Have you understood the purpose of the original post?? Well, saying virtual keyboards don't help much is like saying something as if some other option will really make it hackproof.. Can you suggest something really hackproof?? ... Huh !!
Virtual keyboards have definitely improved the security when compared to ordinary login systems. However, it requires some improvement. Now in case of CitiBank, they created a lot of hype about it and that somewhat reduces the fear in end-users against keyloggers. The idea of the original post was to demonstrate that these concepts are not foolproof and people still need to be cautious.