Re: [DCC SPAM] Defeating Citi-Bank Virtual Keyboard Protection

[Secure Science Corporation Bugtraq <bugtraq () securescience net>]

Well -

This Virtual Keyboard Protection doesn't protect against formlogging, 
which tends to be a very signficant and popular method for malware to 
"phish" the information.

Most people actually trying to sell software against "key logging" 
should look more into the evolution of phishing malware and they will 
see that this will be defeated by the majority of phishing malware 
already out there (berbew, haxdoor, PW Steal, etc).

-Lance

Debasis Mohanty wrote:

> Recently I discovered a method to defeat the much hyped Citi-Bank Virtual
> Keyboard Protection which the bank claimed that it defends the customers
> against malicious programs like keyloggers, Trojans and spywares etc. 
>
> Find the details below -
>
> Description: 
> Early this year, Citi-Bank introduced the concept of Virtual Keyboard to
> defend against malicious programs like keyloggers, Trojans and spywares etc.
> The bank claimed that this concept would improve the security of those using
> its Internet banking facilities. Various features of this Virtual Keyboard
> are - 
>
> .       The Virtual Keyboard is dynamic
> .       The sequence in which the numbers appears will change every time,
> the page is refreshed
> .       The Virtual Keyboard protects you from malicious 'Spy Ware' and
> 'Trojan Programs' designed to capture your keystrokes
> .       The Virtual Keyboard eliminates this risk and makes your Citibank
> login that much safer and provides for a secure online banking experience
>
> However, the Virtual Keyboard concept can be easily defeated by using Win32
> APIs to access HTML documents. Refer the PoC (Proof of Concept) section for
> more details. 
>
> Criticality: High
>
> Platform: Windows XP (SP2) + IE 6.0
>
> Note: This PoC is applied only for Internet Explorer users
>
> Proof of Concept: 
> Here I shall demonstrate how easily the Virtual Keyboard can be defeated by
> a simple program. I created a small program in VB 6.0 (called
> CitiPassLogger.exe) which can record not only the 16-Digit credit card but
> also the IPIN even if they are entered using the virtual keyboard.
>
> Currently, this program has been developed to log only the IPIN details of
> Citi-Bank India but the code can be modified to make it work universally for
> all the Citi-Bank sites with Virtual Keyboard login. 
>
> As per my knowledge, there are no such keyloggers or spywares which uses any
> technique to defeat virtual keyboards. However, the technique that I am
> going to discuss here can be used by malicious program writers to write next
> generation viruses / worms to defeat such virtual keyboard protections.
> Hence, I hope people who are using Virtual Keybords shouldn't stay very
> over-confident. 
>
> Download the complete PoC and the tool from the following link: 
> http://www.hackingspirits.com/vuln-rnd/defeat-citibank-vk.zip
>
> For more vulnerabilities, visit
> http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
>
>
> History: 
> 3rd August, 2005: Vendor was contacted but no response till today. 
>
>
> Cheers, 
> Debasis Mohanty (a.k.a Tr0y)
> www.hackingspirits.com 
>
>
>
>  


--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!