Re: Defeating Citi-Bank Virtual Keyboard Protection

[Daniel Bonekeeper <thehazard () gmail com>]

First, seems that this kind of "virtual keybord" is, by design, weak.
The data posted to the webserver is the same as the content on the
IPIN field (there is no such a encoding or another thing to mask what
was typed). A more secure example of a virtual keyboard can be found
at:

https://www2.bancobrasil.com.br/aapf/aai/login.pbk

On this form, the "virtual keyboard" is a java applet that can receive
a variable ammount of digits, and when a POST is requested, the typed
data is encoded by someway... So, a PIN like "123456" is sent as
"EISYWb", as we can see at "senhaConta":

POST /aapf/aai/login.pbk HTTP/1.1
Host: www2.bancobrasil.com.br
Content-Type: application/x-www-form-urlencoded
Content-Length: 169
titular=01&numeroContratoOrigem=431231&dependenciaOrigem=3123123123&senhaConta=EISYWb&botaoOk.x=&numCod=2&valorContr=4&botaoEntra.x=20&botaoEntra.y=8&paginaComErro=false

And after that, if we post the same PIN, we're gonna get something
different like "EIQTUe", which means that neither looking at the HTML
source code, look for field values, hook the keyboard of trap the data
that is being posted will work in that case. It's not a 100% safe
method, but is safer than the Indian CitiBank virtual keyboard.


-- 
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil