| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Aug 5 23:27:20 2005 From: lyal.collins at key2it.com.au (root) Subject: Defeating Citi-Bank Virtual Keyboard Protection Peter Ferrie wrote: > > > > >>>Recently I discovered a method to defeat the much hyped Citi-Bank >>>Virtual Keyboard Protection which the bank claimed that it defends the >>>customers against malicious programs like keyloggers, Trojans and >>>spywares etc. >>> >>> >>Wouldn't that be trivial to snoop on simply by making a trojan / spyware >>application that records a section of screen in the immediate proximity of >>mouse cursor on every mouse click? It's not that resource consuming, and >>easy to arrange. >> >> > >Something similar was done by variants of the W32/Dumaru family last year. >That was an attack against the e-Gold keypad. >You can read about it here: http://pferrie.tripod.com/vb/dumaru.pdf > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ > > > > This has already done in 1997 in 'proof of concept' form to do the screen capture process, when 2 Australian banks launched on-screen keypads. I understand the demo took an image of around 10 pixel +- th mouse click position. Nothing terribly new, concept-wise. Lyal
Powered by blists - more mailing lists