lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri Aug  5 21:25:05 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: Defeating Citi-Bank Virtual Keyboard Protection

>> Wouldn't that be trivial to snoop on simply by making a trojan / spyware
application that records a section of screen 
>> in the immediate proximity of mouse cursor on every mouse click? It's not
that resource consuming, and easy to 
>> arrange. 

Read the description section again, perhaps you have missed out the
following -
.	The Virtual Keyboard is dynamic
.	The sequence in which the numbers appears will change every time,
the page is refreshed

Hence, desiging something the way that you have proposed is not going to
workout here. Infact, that was the first thing any malicious program writer
will think of. 


>> My point is, although I have no practical experience with Citibank's
offering, I see nothing that was meant to be 
>> secure about it - they just bank (no pun intended) on the fact one would
need to target their logon mechanism 
>> specifically, and that generic keyloggers indeed fail to capture this
traffic.

I agread with the point that there is nothing much to they can do here to
secure it but however claiming that their protection is foolproof against
spywares is something I believe is vague. 



- DM - 

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@...ne.ids.pl] 
Sent: Saturday, August 06, 2005 1:40 AM
To: Debasis Mohanty
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard
Protection

On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Recently I discovered a method to defeat the much hyped Citi-Bank 
> Virtual Keyboard Protection which the bank claimed that it defends the 
> customers against malicious programs like keyloggers, Trojans and 
> spywares etc.

Wouldn't that be trivial to snoop on simply by making a trojan / spyware
application that records a section of screen in the immediate proximity of
mouse cursor on every mouse click? It's not that resource consuming, and
easy to arrange.

Probably no programs do that routinely today, of course. My point is,
although I have no practical experience with Citibank's offering, I see
nothing that was meant to be secure about it - they just bank (no pun
intended) on the fact one would need to target their logon mechanism
specifically, and that generic keyloggers indeed fail to capture this
traffic. This is pretty good.

> Criticality: High

Huh?

/mz
http://lcamtuf.coredump.cx/silence/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ