WebApp Sec mailing list archives
Re: Citi-Bank Virtual Keyboard (is useless)
From: Neil Rowland <rowland () blcss com>
Date: 14 Aug 2005 20:14:13 -0400
I think the point is the virtual keyboard is generating window messages such as WM_KEYDOWN, WM_KEYUP, WM_CHAR to emulate key presses. These messages can be intercepted by a system hook, but only if the PC is already compromised. Same as a key logger in practice.

On Sun, 2005-08-14 at 08:46, intel96 wrote:
> Mike,
>
> I wrote a virtual keyboard in C# for a security application and so far I cannot find any key logger that can obtain the password. I am sure someone could write one, but they HAVE to obtain the button value and not the form field value to obtain the password, because of extra security features I added; when the keyboard is used, that password is protected.
>
> Can you provide me some examples of key loggers that can obtain the button that was pressed (using the mousedown event) on a virtual keyboard and not what is sent to the form field box?
>
> Thanks,
> Intel96
>
> mike () securityfocus com wrote:
>
>> Virtual Keyboards (ala Citibank.co.in) are not very useful. They provide absolutely no protection whatsoever against keyloggers. I have been to the citibank.co.in site and it is clear that even though the virtual keyboard is dynamic, it still places characters into a form field. Keyloggers can easily read this and all other fields on the form as plain text. It is highly misleading to give the appearance of security because the numbers are displayed in some pseudo-random fashion.
>>
>> Someone posted here that it is unfair to criticize or discuss the security aspects of the virtual keyboard because there were no other viable alternatives. The exact quote was:
>>
>> Quote: "Seriously!! Have you understood the purpose of the original post?? Well, saying virtual keyboards don't help much is like saying something as if some other option will really make it hack proof. Can you suggest something really hackproof?? ... Huh!!" /quote
>>
>> The fact that virtual keyboards are marketed as security devices or enhancements makes them fair game for discussion. An open consensus will determine whether they are as secure as claimed by their well-intentioned developers. Period.
>>
>> There are many alternatives. Sharecube (self-plug) makes one as do many other companies.
>>
>> Mike Podanoffsky
>> mike at sharecube dot com
--
Neil Rowland <rowland () blcss com>
Bottom Line Computer