| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050805223533.38DCCAD0@lists.grok.org.uk> Date: Fri Aug 5 23:35:39 2005 From: mail at hackingspirits.com (Debasis Mohanty) Subject: Defeating Citi-Bank Virtual Keyboard Protection Sweet and Simple - This is how this program works. A brief on the algo~m is given below - Step1: Enumerate all the IE windows and look for the one with CitiBank Login screen (This step is invoked when an IE is opened and a partucular URL is requested) Step2: If found then Create a HTML object Step3: Set the objEliment to 46 (For Credit Card No) and 61 (for IPIN) [Thes numbers are specific to CitiIndia Login page] Note: However, this can be modifed to work universally for Citi-UK and others Step: Retrieve value from those elements End That's all about the program logic. This runs very fast and hardly eats memory ;) Will possible update the source code sometime ... Keep watching !! - DM - -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of root Sent: Saturday, August 06, 2005 5:57 PM To: Peter Ferrie Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection Peter Ferrie wrote: > > > > >>>Recently I discovered a method to defeat the much hyped Citi-Bank >>>Virtual Keyboard Protection which the bank claimed that it defends >>>the customers against malicious programs like keyloggers, Trojans and >>>spywares etc. >>> >>> >>Wouldn't that be trivial to snoop on simply by making a trojan / >>spyware application that records a section of screen in the immediate >>proximity of mouse cursor on every mouse click? It's not that resource >>consuming, and easy to arrange. >> >> > >Something similar was done by variants of the W32/Dumaru family last year. >That was an attack against the e-Gold keypad. >You can read about it here: http://pferrie.tripod.com/vb/dumaru.pdf > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ > > > > This has already done in 1997 in 'proof of concept' form to do the screen capture process, when 2 Australian banks launched on-screen keypads. I understand the demo took an image of around 10 pixel +- th mouse click position. Nothing terribly new, concept-wise. Lyal _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists