Bugtraq mailing list archives
RE: Defeating Citibank Virtual Keyboard protection using screenshot method
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 11 May 2007 22:37:40 +1200
Rogier Mulhuijzen wrote:
> I'm surprised that banks use such simple things as passwords. Banks here in the Netherlands use things like one-time PINs, and challenge/response stuff that uses your chipped bank card. Seems a little safer to me.
Banks use such simple things because they are cost effective, or rather, the cost of doing anything genuinely more effective is so prohibitive that they won't be doing it unless required by legislation or until the cost of the fraud due to not doing it significantly outweighs the cost of doing it properly (I give them about another 3-5 years on that criterion).

I'm pleased you like your Dutch bank's OTP cards/toggles/etc, but are they really any better than the worthless CitiBank OSK? Sure, they're a lot more expensive and a lot more "high-tech", but unless they are doing end-to-end client and server authentication and strong crypto _AND_ have their own input and output devices that cannot be interfaced from the host OS _AND_ are required for verifying (virtually) every step of every transaction (in other words -- if you have any of the real-world implementations of banking OTP cards used anywhere in the world, the answer is "no"), they are effectively no better than the Citi OSKs, as they are trivially MiTM'ed via on-client malware.

Your smug belief in the superior security of your OTP card-based system is just as misplaced as that of anyone foolish enough to believe that Citi really ratcheted up the bar with its OSK.

Now, imagine you have the choice of being a shareholder in your Dutch bank or Citi, and on every other measure these banks rate the same -- Citi is a better deal as it uses less expensive tech to implement the same level of flawed "security", so should produce a better RoI...

Now do you see why banks use such simple things as OSKs and your OTP card?

Regards,

Nick FitzGerald