Bugtraq mailing list archives

RE: Defeating Citibank Virtual Keyboard protection using screenshot method


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 10 May 2007 11:14:04 +1200

Jim Harrison to "Int3":

(copied here without permission)
Step by Step Demo:

- Download POC from http://tracingbug.com/downloads/citihook.zip and
unzip to some directory
- Launch citihook.exe, this will watch only
https://www.online.citibank.co.in/ URL

Effectively, "Let me install my malware on your machine to demonstrate
how vulnerable it is."

P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
The "problem" ceases to be a vulnerability at this point.

And again, in your subsequent response to a message from "Int3" I've 
not seen in the list:

Granted, it's an interesting methodology, but until you can demonstrate
circumvention of the CitiBank keylogger without installing code on the
victim host, a threat is not indicated and cannot be taken seriously.
 
Jim -- you have _entirely_ missed the point.

Why did Citi introduce these "onscreen keyboards"?

Because a sizable chunk of its userbase was already infested with 
"keystroke logger" type malware, or at least there was a good chance 
this was, or may soon become*, the case...

Some bright cookie at Citi recognized** that if they made their users 
"type" by clicking their mouse on a "virtual keyboard" they would 
sidestep the capture of user credentials by the throngs of extant 
keylogger warez already out there.

"Int3" has shown a trivial way for the bad guys behind the keyloggers 
to subvert this sidestep.

You are right in suggesting that calling this "disclosure" a 
"vulnerability" is a tad "optimistic", but beyond having filed his 
disclosure in the "Vulnerability" section of his site, "Int3" does not 
actually use that word in describing this.

What "Int3" has shown (or, as others have already noted, "shown again"; 
IIRC, the first such discussion and PoC of the abject futility of OSKs 
as defeats for keylogger-compromised end-user systems I saw was back 
about 1999/2000) is that if the remote client system cannot be trusted, 
you cannot trust the remote client.  Whilst trivially correct and 
fundamentally obvious,*** I don't think it does any harm to repeat this 
truism in light of the stupidity of such large and potentially 
influential organizations as Citi adopting such obviously flawed and 
inadequate technology.

That is the point "Int3" was reiterating.  If the problem Citi's OSK is 
supposed to fix is actually that the bad guys already have, or can more 
or less easily get, arbitrary code onto the client machine, then 
changing the way the client user interacts with the machine does not 
solve the problem -- it simply changes the form of data capture the bad 
guys' arbitrary code has to perform.



*   It is well-known that, for example, many of the major South 
American banks have, for some time now, had a _massive_ problem with 
online banking-targeted keyloggers.

**  Or, perhaps more likely, some third-party sold Citi on their patent-
pending "anti-keylogger" technology.

*** Except, it seems, to sections of the banking IT fraternity and, if 
my previous footnote is correct, those who develop "security solutions" 
for the banking fraternity.




Regards,

Nick FitzGerald