[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <bf0173120705160347w54fc39fbw874e311d2e2ec6fb@mail.gmail.com>
Date: Wed, 16 May 2007 22:47:46 +1200
From: "Bojan Zdrnja" <bojan.zdrnja@...il.com>
To: nick@...us-l.demon.co.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: Defeating Citibank Virtual Keyboard protection using screenshot method
On 5/11/07, Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:
> Sure, they're a lot more expensive and a lot more "high-tech" but
> unless they are doing end-to-end client and server authentication and
> strong crypto _AND_ have their own input and output devices that cannot
> be interfaced from the host OS _AND_ are required for verifying
> (virtually) every step of every transaction (in other words -- if you
> have any of the real-world implementations of banking OTP cards used
> anywhere in the world, the answer is "no"), they are effectively no
> better than the Citi OSK's as they are trivially MiTM'ed via on-client
> malware.
This actually isn't that hard to do properly and I already see some
banks doing it.
The key here is to tell the user what's going on an off the band method.
In other words, once a user decided to make a transaction, the bank
sends a challenge *and* transaction details *somehow* to him. The user
has to confirm the transaction by entering the proper challenge.
The "somehow" method can vary, but it looks that sending SMS messages
is hte most acceptable method today.
So, the user gets an SMS message with the challenge code and the
transaction details and enters that into his web browser. The attacker
behind his MiTM can't do anything - if he changes the transaction
before, the user will (hopefully) see it. If he changes the challenge,
the transaction will fail.
Cheers,
Bojan
Powered by blists - more mailing lists