lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri Aug  5 23:35:39 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: Defeating Citi-Bank Virtual Keyboard Protection

Sweet and Simple - This is how this program works. 

A brief on the algo~m is given below - 

Step1: Enumerate all the IE windows and look for the one with CitiBank Login
screen (This step is invoked when an IE is opened and a partucular URL is
requested)

Step2: If found then Create a HTML object

Step3: Set the objEliment to 46 (For Credit Card No) and 61 (for IPIN) [Thes
numbers are specific to CitiIndia Login page]	Note: However, this can be
modifed to work universally for Citi-UK and others

Step: Retrieve value from those elements 

End

That's all about the program logic. This runs very fast and hardly eats
memory ;)

Will possible update the source code sometime ... Keep watching !!

- DM -

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of root
Sent: Saturday, August 06, 2005 5:57 PM
To: Peter Ferrie
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard
Protection

Peter Ferrie wrote:

>
>
>  
>
>>>Recently I discovered a method to defeat the much hyped Citi-Bank 
>>>Virtual Keyboard Protection which the bank claimed that it defends 
>>>the customers against malicious programs like keyloggers, Trojans and 
>>>spywares etc.
>>>      
>>>
>>Wouldn't that be trivial to snoop on simply by making a trojan / 
>>spyware application that records a section of screen in the immediate 
>>proximity of mouse cursor on every mouse click? It's not that resource 
>>consuming, and easy to arrange.
>>    
>>
>
>Something similar was done by variants of the W32/Dumaru family last year.
>That was an attack against the e-Gold keypad.
>You can read about it here: http://pferrie.tripod.com/vb/dumaru.pdf
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
>
>  
>
This has already done in 1997 in 'proof of concept' form to do the screen
capture process, when 2 Australian banks launched on-screen keypads.
I understand the demo took an image of around 10 pixel +- th mouse click
position.

Nothing terribly new, concept-wise.

Lyal
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ