lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.58.0508052204250.26269@dione>
Date: Fri Aug  5 21:10:31 2005
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Subject: Defeating Citi-Bank Virtual Keyboard Protection

On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Recently I discovered a method to defeat the much hyped Citi-Bank
> Virtual Keyboard Protection which the bank claimed that it defends the
> customers against malicious programs like keyloggers, Trojans and
> spywares etc.

Wouldn't that be trivial to snoop on simply by making a trojan / spyware
application that records a section of screen in the immediate proximity of
mouse cursor on every mouse click? It's not that resource consuming, and
easy to arrange.

Probably no programs do that routinely today, of course. My point is,
although I have no practical experience with Citibank's offering, I see
nothing that was meant to be secure about it - they just bank (no pun
intended) on the fact one would need to target their logon mechanism
specifically, and that generic keyloggers indeed fail to capture this
traffic. This is pretty good.

> Criticality: High

Huh?

/mz
http://lcamtuf.coredump.cx/silence/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ