WebApp Sec mailing list archives

Re: Defeating Citi-Bank Virtual Keyboard Protection


From: F Lace <flace9 () gmail com>
Date: Mon, 15 Aug 2005 11:31:56 +0530

Apologies for posting on the topic without going through the PoC in
detail, as I was in a hurry. I have now gone through the PoC and I
have the following comment:

The PoC doesn't include the implementation details, so my response is
based on my guess on the implementation and again may not be very
correct - advance apologies for that :)

A true keyboard logger is one that logs the keys as they are typed.
This itself is not enough in providing security to the keys typed - so
a quick transformation of the keystrokes to another format that is
more secure (e.g., MD5-ing if possible) is highly desirable for storage
in memory and also for transmission. If the PoC is obtaining the IPIN
from the HTML through some IE tricks, then that may not be sufficient
to get the password from the sites (login.yahoo.com) that encrypt the
password before sending across.

So I am curious to know if the concept in PoC can obtain passwords
from sites that encrypt it before sending out, and also if the concept
in PoC is IE-specific or can be extended to Firefox too (i.e., does it
exploit IE or Windows)?

Thanks!

