WebApp Sec mailing list archives

RE: Defeating Citi-Bank Virtual Keyboard Protection


From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Mon, 15 Aug 2005 00:11:06 +0530


From: F Lace [mailto:flace9 () gmail com] brazenly wrote:
Citibank login works only in IE anyways, AFAIK.

This is wrong. CitiBank login is plain JSP and it very much works perfectly
in other browsers (Firefox, Opera etc...)  ;-)
In my own testing, Citibank's login worked on Firefox and Opera as well.
CB login link https://www.citibank.co.in/infojsp/login/guestlogin.jsp


the card number field doesn't require you to type through the virtual
keyboard. It is only the IPIN.

FYI: the VK can also be used for the CC field, and it is left to the user to
decide whether to avail themselves of the feature or not. Other than that, initially, when
CitiBank introduced the concept of the VK, even the IPIN field was left to the
user to decide whether to use the VK or the normal keyboard.


I have not tried your PoC, but is it something that can be installed in
the browser or computer system? 
Unless that is so, I am not sure what this post really means. Please
clarify.

Hmmmm.....I would have been glad to explain it to you better if you had
taken some time to read the PoC before asking any such queries. Don't
you think it would be pointless to come up with so many queries without
having background knowledge on the topic? Normally, I don't reply to such
mails; however, I replied because you posted to this group. I'm sure if you
read the PoC then all your queries will be answered well :)



- D


-----Original Message-----
From: F Lace [mailto:flace9 () gmail com] 
Sent: Saturday, August 13, 2005 10:49 AM
To: Debasis Mohanty
Cc: webappsec () securityfocus com
Subject: Re: Defeating Citi-Bank Virtual Keyboard Protection

Note: This PoC applies only to Internet Explorer users


Citibank login works only in IE anyways, AFAIK.

Proof of Concept:
Here I shall demonstrate how easily the Virtual Keyboard can be
defeated by a simple program. I created a small program in VB 6.0
(called CitiPassLogger.exe) which can record not only the 16-digit credit card
but also the IPIN even if they are entered using the virtual keyboard.


the card number field doesn't require you to type through the virtual
keyboard. It is only the IPIN.

I have not tried your PoC, but is it something that can be installed in the
browser or computer system? Unless that is so, I am not sure what this post
really means. Please clarify.


