Bugtraq mailing list archives
RE: Defeating Citibank Virtual Keyboard protection using screenshot method
From: "Rogier Mulhuijzen" <rogier.mulhuijzen () office casema nl>
Date: Thu, 10 May 2007 13:06:47 +0200
The point Yash is trying to make is that the Virtual Keyboard doesn't give any protection from malware. And the idea behind the Virtual Keyboard is that it protects you from malware like keyloggers.

Gadi pointed out in his first email that this is not really new, and that there are other ways that don't even require taking screenshots.

So there's no threat without code installation, but the virtual keyboard is supposed to defeat code installations.

I'm surprised that banks use such simple things as passwords. Banks here in the Netherlands use things like one-time PINs, and challenge/response stuff that uses your chipped bank card. Seems a little safer to me.

Cheers,
Rogier

-----Original Message-----
From: Jim Harrison [mailto:Jim () isatools org]
Sent: woensdag 9 mei 2007 23:20
To: Gadi Evron
Cc: Int3; bugtraq () securityfocus com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method

Without getting into SMTP latency comparisons...

Perhaps I missed something, but where is the threat demonstrated sans code installation? I'm not trying to disparage anyone's work, but as you yourself pointed out, there is nothing demonstrated here that doesn't qualify as common malware.

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Wednesday, May 09, 2007 1:42 PM
To: Jim Harrison
Cc: Int3; bugtraq () securityfocus com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method

On Wed, 9 May 2007, Jim Harrison wrote:

> Granted, it's an interesting methodology, but until you can demonstrate
> circumvention of the CitiBank keylogger without installing code on the
> victim host, a threat is not indicated and cannot be taken seriously.

Even though I was the first to point out this is old news for the malware scene in online/e fraud, I'd be the first to bow down before Int3 and say "thank you for sharing your work with us". Many don't.

But your point above: "without installing malware on the victim host"

Although true on some level, is bogus for the purpose of this work, as it being written makes an automatic assumption on working only after malware is installed.

Although you are right, in practice this is already a heavily abused technology, and.. 'Getting malware on a system', who ever heard of such a ridiculous idea? :)

Gadi.

-----Original Message-----
From: Int3 [mailto:yashks () gmail com]
Sent: Wednesday, May 09, 2007 11:14 AM
To: Jim Harrison
Cc: bugtraq () securityfocus com
Subject: Re: Defeating Citibank Virtual Keyboard protection using screenshot method

This is not malware, it will only help people to experiment and see the result without writing one for themselves.

Regards,
Yash K.S

On 5/9/07, Jim Harrison <Jim () isatools org> wrote:

> (copied here without permission)
>
> Step by Step Demo:
> - Download POC from http://tracingbug.com/downloads/citihook.zip and unzip to some directory
> - Launch citihook.exe, this will watch only https://www.online.citibank.co.in/ URL
>
> Effectively, "Let me install my malware on your machine to demonstrate how
> vulnerable it is." P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> The "problem" ceases to be a vulnerability at this point.

-----Original Message-----
From: yashks () gmail com [mailto:yashks () gmail com]
Sent: Monday, May 07, 2007 3:03 AM
To: bugtraq () securityfocus com
Subject: Defeating Citibank Virtual Keyboard protection using screenshot method

Severity: Critical

Platforms Affected:
Microsoft Corporation: Windows 98 Any version
Microsoft Corporation: Windows Me Any version
Microsoft Corporation: Windows XP Any version
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0 Any version
Citi-Bank: Citi-Bank Virtual Keyboard Any version

Browsers:
Microsoft Internet Explorer Any version
Mozilla FireFox Any version
Any browser runs on Win32 platform ( With slight modification )

Original URL : http://www.tracingbug.com/index.php/articles/view/23.html

Regards,
Yash K.S <yashks () gmail com > | www.tracingbug.com

All mail to and from this domain is GFI-scanned.

This e-mail message and its attachments are subject to the disclaimer published at the following website of Casema: http://www.casema.nl/disclaimer