Date: Wed, 16 May 2007 22:47:46 +1200
From: "Bojan Zdrnja" <bojan.zdrnja@...il.com>
To: nick@...us-l.demon.co.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: Defeating Citibank Virtual Keyboard protection using screenshot method

On 5/11/07, Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:
> Sure, they're a lot more expensive and a lot more "high-tech" but
> unless they are doing end-to-end client and server authentication and
> strong crypto _AND_ have their own input and output devices that cannot
> be interfaced from the host OS _AND_ are required for verifying
> (virtually) every step of every transaction (in other words -- if you
> have any of the real-world implementations of banking OTP cards used
> anywhere in the world, the answer is "no"), they are effectively no
> better than the Citi OSK's as they are trivially MiTM'ed via on-client
> malware.

This actually isn't that hard to do properly and I already see some
banks doing it.
The key here is to tell the user what's going on via an out-of-band method.

In other words, once a user has decided to make a transaction, the bank
sends a challenge *and* transaction details *somehow* to him. The user
has to confirm the transaction by entering the proper challenge.
The "somehow" method can vary, but it looks like sending SMS messages
is the most acceptable method today.

So, the user gets an SMS message with the challenge code and the
transaction details and enters that into his web browser. The attacker
behind his MiTM can't do anything - if he changes the transaction
before, the user will (hopefully) see it. If he changes the challenge,
the transaction will fail.

Cheers,

Bojan
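The out-of-band confirmation flow described in this reply, as an added example (not code from the thread, nor any bank's implementation). It simulates the three parties: the bank, which issues a challenge code bound to the exact transaction on file and delivers it together with the transaction details over a separate channel (the SMS is modelled as a returned string); the customer, who compares the SMS details with what they intended before typing the code into the browser; and client-side malware, which can rewrite the transaction before it reaches the bank or rewrite the code the browser submits. The server key, the SMS format and the HMAC-based code derivation are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Hypothetical bank-side key used to derive challenge codes (constructed for this example).
SERVER_KEY = b"example-server-key-not-for-production"
CODE_DIGITS = 6
# Assumed SMS wording; the bank's actual text could be anything the customer can read.
SMS_PATTERN = re.compile(r"Transfer (\w+): (\d+) cents to (.+)\. Code (\d{6})")


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    payee: str
    amount_cents: int


class Bank:
    """Simulated bank back end: stores pending transfers and confirms them
    only against a code derived from the stored transaction details."""

    def __init__(self):
        self.pending = {}    # tx_id -> (Transaction, nonce)
        self.executed = []

    @staticmethod
    def _challenge(tx, nonce):
        # The code is an HMAC over the exact payee/amount plus a fresh nonce,
        # so it authorises nothing but this transaction.
        msg = f"{tx.tx_id}|{tx.payee}|{tx.amount_cents}|{nonce}".encode()
        digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
        return str(int.from_bytes(digest[:4], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)

    def request_transfer(self, payee, amount_cents):
        """Step 1: the browser submits a transfer. Returns the transaction id
        and the SMS text the bank sends to the customer's phone."""
        tx = Transaction(secrets.token_hex(4), payee, amount_cents)
        nonce = secrets.token_hex(8)
        self.pending[tx.tx_id] = (tx, nonce)
        code = self._challenge(tx, nonce)
        sms = f"Transfer {tx.tx_id}: {amount_cents} cents to {payee}. Code {code}"
        return tx.tx_id, sms

    def confirm_transfer(self, tx_id, code_from_browser):
        """Step 3: the code typed into the browser must match the code derived
        from the transaction the bank actually has on file."""
        entry = self.pending.pop(tx_id, None)   # single use: consumed either way
        if entry is None:
            return False
        tx, nonce = entry
        if hmac.compare_digest(self._challenge(tx, nonce), code_from_browser):
            self.executed.append(tx)
            return True
        return False


def parse_sms(sms):
    """Step 2: the customer reads the SMS on a device the malware cannot reach."""
    m = SMS_PATTERN.fullmatch(sms)
    if m is None:
        raise ValueError("unrecognised SMS text")
    return {"tx_id": m.group(1), "amount_cents": int(m.group(2)),
            "payee": m.group(3), "code": m.group(4)}


def customer_session(bank, intended, as_received_by_bank, code_mangler=lambda c: c):
    """Drive one transfer. `intended` is the (payee, cents) the customer meant;
    `as_received_by_bank` is what actually arrives (client malware may have
    changed it); `code_mangler` models malware rewriting the typed code."""
    tx_id, sms = bank.request_transfer(*as_received_by_bank)
    details = parse_sms(sms)
    if (details["payee"], details["amount_cents"]) != intended:
        return "user_rejected"        # the SMS shows a transfer the user never asked for
    ok = bank.confirm_transfer(tx_id, code_mangler(details["code"]))
    return "executed" if ok else "rejected_by_bank"


if __name__ == "__main__":
    bank = Bank()
    print("honest:", customer_session(bank, ("Alice", 1250), ("Alice", 1250)))
    print("payee rewritten by malware:",
          customer_session(bank, ("Alice", 1250), ("Mallory", 1250)))
    print("code rewritten by malware:",
          customer_session(bank, ("Alice", 1250), ("Alice", 1250),
                           lambda c: str((int(c) + 1) % 10**CODE_DIGITS).zfill(CODE_DIGITS)))
```

The point of binding the code to the stored transaction is that the bank never executes anything except what the SMS described: a rewritten transaction shows up in the SMS for the customer to refuse, and a rewritten code simply fails verification. A deployment would also expire pending transfers and rate-limit confirmation attempts on the six-digit code.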
