WebApp Sec mailing list archives

RE: Defeating Citi-Bank Virtual Keyboard Protection


From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Sun, 14 Aug 2005 03:10:38 +0530

Hi Andrew,  

Debasis, please do not attack other posters here. It's not warranted. We
can do better than that.  

Well, maybe I was a bit sarcastic, but I never do that without a reason.
However, I found the replies to the CitiBank post a bit vague. It would be
appreciated if the replies pointed towards specific issues / solutions related
to the original post instead of talking about something which is in no way
related to the topic. 

- D

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj () greebo net] 
Sent: Saturday, August 13, 2005 7:54 AM
To: Debasis Mohanty
Cc: webappsec () securityfocus com
Subject: Re: Defeating Citi-Bank Virtual Keyboard Protection

Hi there,

This is part my opinion, and part a list administrative warning.

First the list administrative warning - Debasis, please do not attack other
posters here. It's not warranted. We can do better than that.  
If I see more of the same, I will not be approving such posts.

Secondly, my opinion on this topic...

Regardless of the security bonus or negatives of movable keyboards, they are
not accessible, and thus violate most organizations' legal mandate to be
accessible. Very few organizations are exempt from disability laws, and you
know if you are. You should not implement them unless you have a Plan B
which does not discriminate against disabled users in any fashion, and does
not create a weaker security path, for that is the path the attackers will
use.

On top of that, normal every day users *hate* and *despise* them. A bank I
worked for in the past lost at least x0,000 customers to other banks which
did not have them. This cost them millions (possibly hundreds of millions)
in actual losses due to poor usability. AFAIK, they have not recovered these
customers. The business people I spoke with there are terrified of
implementing anything which may now lose them customers in the same way.

Remember, user centric design is a key to good security. Ignore the users at
your peril.

thanks,
Andrew

On 13/08/2005, at 5:41 AM, Debasis Mohanty wrote:

Saqib Ali [mailto:docbook.xml () gmail com] wrote:
Virtual keyboards don't help much.


Seriously!! Have you understood the purpose of the original post??
Well, saying virtual keyboards don't help much is like saying that
some other option will really make it hackproof.. Can you suggest
something really hackproof?? ... Huh!!

Virtual keyboards have definitely improved security when compared
to ordinary login systems. However, they require some improvement. Now,
in the case of CitiBank, they created a lot of hype about it, and that
somewhat reduces the fear in end-users of keyloggers. The idea of
the original post was to demonstrate that these concepts are not
foolproof and people still need to be cautious.
