Bugtraq mailing list archives
RE: Defeating Citibank Virtual Keyboard protection using screenshot method
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 10 May 2007 11:14:04 +1200
Jim Harrison to "Int3":
(copied here without permission)

Step by Step Demo:
- Download POC from http://tracingbug.com/downloads/citihook.zip and unzip to some directory
- Launch citihook.exe, this will watch only https://www.online.citibank.co.in/ URL

Effectively, "Let me install my malware on your machine to demonstrate how vulnerable it is."
P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
The "problem" ceases to be a vulnerability at this point.
And again, in your subsequent response to a message from "Int3" I've not seen in the list:
Granted, it's an interesting methodology, but until you can demonstrate circumvention of the CitiBank keylogger without installing code on the victim host, a threat is not indicated and cannot be taken seriously.
Jim -- you have _entirely_ missed the point.

Why did Citi introduce these "onscreen keyboards"? Because a sizable chunk of its userbase was already infested with "keystroke logger" type malware, or at least there was a good chance this was, or may soon become*, the case... Some bright cookie at Citi recognized** that if they made their users "type" by clicking their mouse on a "virtual keyboard" they would sidestep the capture of user credentials by the throngs of extant keylogger warez already out there.

"Int3" has shown a trivial way for the bad guys behind the keyloggers to subvert this sidestep.

You are right in suggesting that calling this "disclosure" a "vulnerability" is a tad "optimistic", but beyond having filed his disclosure in the "Vulnerability" section of his site, "Int3" does not actually use that word in describing this.

What "Int3" has shown (or, as others have already noted, "shown again"; IIRC, the first such discussion and PoC of the abject futility of OSK's as defeats for keylogger-compromised end-user systems I saw was back about 1999/2000) is that if the remote client system cannot be trusted, you cannot trust the remote client. Whilst trivially correct and fundamentally obvious,*** I don't think it does any harm to repeat this truism in light of the stupidity of such large and potentially influential organizations as Citi adopting such obviously flawed and inadequate technology. That is the point "Int3" was reiterating.

If the problem Citi's OSK is supposed to fix is actually that the bad guys already have, or can more or less easily get, arbitrary code onto the client machine, then changing the way the client user interacts with the machine does not solve the problem -- it simply changes the form of data capture the bad guys' arbitrary code has to perform.

* It is well-known that, for example, many of the major South American banks have, for some time now, had a _massive_ problem with online banking-targeted keyloggers.
** Or, perhaps more likely, some third-party sold Citi on their patent-pending "anti-keylogger" technology.

*** Except, it seems, to sections of the banking IT fraternity and, if my previous footnote is correct, those who develop "security solutions" for the banking fraternity.

Regards,

Nick FitzGerald