WebApp Sec mailing list archives
RE: Defeating Citi-Bank Virtual Keyboard Protection
From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Sat, 13 Aug 2005 01:11:58 +0530
> Saqib Ali [mailto:docbook.xml () gmail com] wrote:
> Virtual keyboards don't help much.

Seriously!! Have you understood the purpose of the original post?? Well, saying virtual keyboards don't help much is like saying that some other option will really make it hackproof. Can you suggest something really hackproof?? ... Huh!! Virtual keyboards have definitely improved the security when compared to ordinary login systems. However, it requires some improvement. Now in case of CitiBank, they created a lot of hype about it and that somewhat reduces the fear in end-users against keyloggers. The idea of the original post was to demonstrate that these concepts are not foolproof and people still need to be cautious.

> Tools similar to what you have developed have existed for a while now.
> See http://www.lostpassword.com/asterisk.htm
> , it does the same thing as your CitiPassLogger.exe . And it works
> regardless of the input method.

I am sure you haven't gone through the PoC thoroughly. It is clearly mentioned that the tool is only for demo purposes and is designed to display the IPIN and the CC number of CitiBank India; however, the code can be modified to retrieve information from any Citibank site using the same concept. (Similarly, the concept is applied to all other sites using the same concept.) Now as far as the program Asterisk is concerned, what does it have to do with keyloggers? Maybe it was created with retrieving the saved passwords in login screens in mind. In fact, "asterisk" can only retrieve the password once you have punched in the pwds and then try to retrieve them; however, CitiPassLogger.exe displays everything in real time. I hope it is clear now.

- DM -

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Friday, August 12, 2005 9:42 PM
To: Debasis Mohanty
Cc: webappsec () securityfocus com
Subject: Re: Defeating Citi-Bank Virtual Keyboard Protection

Virtual keyboards don't help much.

Tools similar to what you have developed have existed for a while now.
See http://www.lostpassword.com/asterisk.htm , it does the same thing as your CitiPassLogger.exe . And it works regardless of the input method.

On 8/5/05, Debasis Mohanty <debasis () hackingspirits com> wrote:
> Recently I discovered a method to defeat the much hyped Citi-Bank Virtual Keyboard Protection which the bank claimed defends the customers against malicious programs like keyloggers, Trojans, spyware etc.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.