Message-ID: <bf0173120705171413l3ea32e89n4aaa5d3f6e2a0a90@mail.gmail.com>
Date: Fri, 18 May 2007 09:13:34 +1200
From: "Bojan Zdrnja" <bojan.zdrnja@...il.com>
To: "aditya kuppa" <aditya1010@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Defeating Citibank Virtual Keyboard protection using screenshot method

Aditya,

On 5/18/07, aditya kuppa <aditya1010@...il.com> wrote:
> How about this Trojan ;)
>  http://www.hispasec.com/laboratorio/troyano_video_en.htm
> looks great method to get the Password if the inputs are
> scrambled,rotated randomly after each entry etc.
> Combination of trojan like this +a simple keylogger +a MITM can defeat
> all possible authentication mechanism Multi Factor,channel
> authentications like OTP,SMS based  logging   etc

Cute trojan, however, it cannot defeat an out of band challenge such
as SMS, unless it's not properly implemented or the attacker has under
control much more (in which case he doesn't really need to defeat this
at all).

The idea of the out of band challenge is that the user (the victim)
will receive an SMS message which will state exactly what's happening,
together with the authorization code. The code has to be unique and
the bank has to calculate the code depending on the transaction and
some secret (an MD5 hash would be enough).

An example of such an SMS message would be:

"You are about to transfer $100 to account number 12345678. Your
authorization code is: 9876543".

Now, the user has to enter this on the bank web site to complete the
transaction. If he doesn't do it in a certain time interval the
transaction is denied. If the authorization code is not correct, the
transaction is denied.

If the attacker changes anything through the MiTM, the user will see
it in the SMS message. If the attacker captures the user's login
credentials and tries to do this later (when the user is offline), the
user would receive the SMS message (which would hopefully alert him)
and the attacker would have to guess the authorization code to
complete the transaction (the bank can implement a lockout, for
example, if 3 incorrect authorization codes have been entered).

As you can see, this defeats all attacks. The attacker would have to
hack the SMS gateway/Telco in order to modify SMS messages sent which
is almost impossible or impractical.

Cheers,

Bojan
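The mechanism Bojan describes above (a code bound to the transaction details and a bank secret, delivered over SMS with the transaction described in plain words, a validity window, and a lockout after three wrong codes), written out as an added example. This is illustrative code, not code from the original message, from the bank, or from any of the posters. Everything in it is an assumption made for the illustration: the class and function names (BankAuthorizer, issue_challenge, confirm, user_reads_sms), the 300-second validity window, the fake clock, the constructed secret and transaction values, and the use of HMAC-SHA256 in place of the bare MD5 hash the message mentions. The three scenario functions model the honest transfer, the MITM-altered transfer that the user refuses to authorise because the SMS describes a different transaction, and the stolen-credentials case where the attacker never sees the SMS and is locked out by guessing.

```python
import hmac
import hashlib
import re

# Constructed values for the illustration (not from the original message).
SECRET = b"example-bank-secret-do-not-reuse"
CODE_DIGITS = 7          # "9876543" in the message has seven digits
VALIDITY_SECONDS = 300   # assumed time window after which the transfer is denied
MAX_ATTEMPTS = 3         # lockout after 3 incorrect codes, as in the message


class FakeClock:
    """Deterministic clock so the expiry behaviour can be shown offline."""
    def __init__(self, t=0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class BankAuthorizer:
    """Bank side: issues a transaction-bound code over SMS and later checks it."""

    def __init__(self, secret, clock):
        self._secret = secret
        self._clock = clock      # callable returning the current time in seconds
        self._pending = {}       # tx_id -> details the bank is actually about to execute

    def _code(self, tx_id, amount, dest_account, issued_at):
        # The code is a keyed hash over the exact transaction the bank will perform,
        # so a code for one transfer cannot authorise a different one.
        msg = f"{tx_id}|{amount}|{dest_account}|{issued_at}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        n = int.from_bytes(digest[:8], "big") % 10**CODE_DIGITS
        return f"{n:0{CODE_DIGITS}d}"

    def issue_challenge(self, tx_id, amount, dest_account):
        """Record the pending transfer and return the SMS text sent to the user."""
        issued_at = self._clock()
        self._pending[tx_id] = {"amount": amount, "dest": dest_account,
                                "issued_at": issued_at, "attempts": 0}
        code = self._code(tx_id, amount, dest_account, issued_at)
        return (f"You are about to transfer ${amount} to account number "
                f"{dest_account}. Your authorization code is: {code}")

    def confirm(self, tx_id, entered_code):
        """Check the code the web site received against the stored transaction."""
        p = self._pending.get(tx_id)
        if p is None:
            return "denied: unknown transaction"
        if self._clock() - p["issued_at"] > VALIDITY_SECONDS:
            del self._pending[tx_id]
            return "denied: expired"
        if p["attempts"] >= MAX_ATTEMPTS:
            return "denied: locked"
        expected = self._code(tx_id, p["amount"], p["dest"], p["issued_at"])
        if hmac.compare_digest(expected, entered_code):
            del self._pending[tx_id]
            return "approved"
        p["attempts"] += 1
        return "denied: locked" if p["attempts"] >= MAX_ATTEMPTS else "denied: wrong code"


SMS_PATTERN = re.compile(r"transfer \$(\d+) to account number (\d+)\. "
                         r"Your authorization code is: (\d+)")

def user_reads_sms(sms, intended_amount, intended_account):
    """User side: hand over the code only if the SMS describes the intended transfer."""
    m = SMS_PATTERN.search(sms)
    if not m:
        return None
    amount, dest, code = m.groups()
    if int(amount) != intended_amount or dest != intended_account:
        return None   # the SMS shows an altered transaction; the user refuses
    return code


def run_honest_transfer():
    clock = FakeClock()
    bank = BankAuthorizer(SECRET, clock)
    sms = bank.issue_challenge("tx1", 100, "12345678")
    code = user_reads_sms(sms, 100, "12345678")
    return bank.confirm("tx1", code)                      # "approved"

def run_mitm_transfer():
    clock = FakeClock()
    bank = BankAuthorizer(SECRET, clock)
    # The user intended $100 to 12345678; the request was rewritten in flight, so the
    # bank (and therefore the SMS) describes $5000 to 99999999 (constructed values).
    sms = bank.issue_challenge("tx2", 5000, "99999999")
    code = user_reads_sms(sms, 100, "12345678")          # None: mismatch spotted
    if code is None:
        clock.advance(VALIDITY_SECONDS + 1)              # nothing entered in time
        return bank.confirm("tx2", "0000000")            # "denied: expired"
    return bank.confirm("tx2", code)

def run_stolen_credentials():
    clock = FakeClock()
    bank = BankAuthorizer(SECRET, clock)
    bank.issue_challenge("tx3", 700, "55555555")          # SMS goes to the real user
    real = bank._code("tx3", 700, "55555555", 0)
    # Four guesses that are certainly not the real code; lockout hits on the third.
    guesses = [g for g in ("0000000", "1111111", "2222222", "3333333", "4444444")
               if g != real][:4]
    return [bank.confirm("tx3", g) for g in guesses]

if __name__ == "__main__":
    print(run_honest_transfer(), run_mitm_transfer(), run_stolen_credentials())
```

The point the scenarios make is the one in the message: binding the code to the transaction the bank will actually execute, and spelling that transaction out in the SMS, moves the check to a channel the browser-side trojan or MITM does not control, and the time window plus lockout stop an attacker who only holds captured credentials from completing the transfer by guessing.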
