Message-ID: <Pine.LNX.4.58.0508052243100.26269@dione>
Date: Fri Aug  5 21:50:54 2005
From: lcamtuf at dione.ids.pl (Michal Zalewski)
Subject: Defeating Citi-Bank Virtual Keyboard Protection

On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Read the description section again, perhaps you have missed out the
> following -
> - The Virtual Keyboard is dynamic
> - The sequence in which the numbers appear will change every time
> the page is refreshed
>
> Hence, designing something the way that you have proposed is not going to
> work out here.

Again, I might be wrong (I am not a Citibank customer), but I understand
that, when you visit the logon page, you're presented with an on-screen
keypad with keys in randomized and possibly constantly changing (dynamic)
order, and must enter your PIN or other authentication data by clicking
appropriate on-screen keys using your mouse.

What I proposed (and I'm sure I'm not innovative here) went along the
lines of hooking up and intercepting the mouse click button, and then, at
the exact moment of mouse click, capturing the position of the mouse
pointer, and a bitmap of its nearest surroundings - ideally, before the
event is delivered to the browser window. That should work regardless of
the method used to shuffle displayed keys, is very much workable on
Windows and under X11, and shouldn't be particularly resource or
bandwidth consuming.

This is a generalised way of snooping virtual keyboards and similar
on-screen mouse-driven input interfaces.

Cheers,
/mz
http://lcamtuf.coredump.cx/
