WebApp Sec mailing list archives

Re: Citi-Bank Virtual Keyboard (is useless)

From: intel96 <intel96 () bellsouth net>
Date: Sun, 14 Aug 2005 08:46:35 -0400

Mike,

I wrote a virtual keyboard in C# for a security application and so far Icannot find any key logger that can obtain the password. I am suresomeone could write one, but they HAVE to obtained the button value andnot the form field value to obtain the password, because of extrasecurity features I added when the keyboard is used that password isprotected. Can you provide me some examples of key loggers that canobtain the button that was pressed (using the mousedown event) on avirtual keyboard and not what is sent to the form field box?

Thanks,

Intel96

mike () securityfocus com wrote:

Virtual Keyboards (ala Citibank.co.in) are not very useful. They provide absolutely no protection whatsoever against 
keyloggers.

I have been to the citibank.co.in site and it is clear that even though the virtual keyboard is dynamic, it still 
places characters into a form field. Keyloggers can easily read this and all other fields on the form as plain text.

It is highly misleading to give the appearance of security because the numbers are displayed in some pseudo-random 
fashion.

Someone posted here that it is unfair to criticize to discuss the security aspects of the virtual keyboard because 
there were no other viable alternatives. The exact quote was:

Quote:

"Seriously!! Have you understood the purpose of the original post?? Well, saying virtual keyboards don't help much is 
like saying something as if some other option will really make it hack proof. Can you suggest something really hackproof?? ... 
Huh!!

/quote

The fact that virtual keyboards are marketed as security devices or enhancements makes them fair game for discussion. 
An open consensus will determine whether they are as secure as claimed by their well-intentioned developers. Period.

There are many alternatives. Sharecube (self-plug) makes one as do many other companies.

Mike Podanoffsky
mike at sharecube dot com

Current thread:

Citi-Bank Virtual Keyboard (is useless) mike (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) intel96 (Aug 14)
  - RE: Citi-Bank Virtual Keyboard (is useless) Debasis Mohanty (Aug 14)
  - Re: Citi-Bank Virtual Keyboard (is useless) Neil Rowland (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Bipin Gautam (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Saqib Ali (Aug 14)
- RE: Citi-Bank Virtual Keyboard (is useless) Debasis Mohanty (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Cory Foy (Aug 15)
  - Re: Citi-Bank Virtual Keyboard (is useless) Andre Ludwig (Aug 15)
- <Possible follow-ups>
- Re: Re: Citi-Bank Virtual Keyboard (is useless) mike (Aug 14)