WebApp Sec mailing list archives

Re: Citi-Bank Virtual Keyboard (is useless)


From: Bipin Gautam <gautam.bipin () gmail com>
Date: Sun, 14 Aug 2005 20:18:31 +0545

If something has already 0wn3d your box... isn't it pointless to try
a solution & think it will 'hopefully' fool it? What are the
chances???

I think it's there just to win the confidence of customers by showing fake
stuff. If a computer security newbie finds some silly fancy buttons,
dialog boxes & procedures, he will most likely find it cool & assume it
should be trustworthy. I see it just as a stupid distraction to
promote users.


On 14 Aug 2005 02:53:35 -0000, mike () securityfocus com
<mike () securityfocus com> wrote:

Virtual Keyboards (à la Citibank.co.in) are not very useful. They provide absolutely no protection whatsoever against keyloggers.

I have been to the citibank.co.in site and it is clear that even though the virtual keyboard is dynamic, it still places characters into a form field. Keyloggers can easily read this and all other fields on the form as plain text.

It is highly misleading to give the appearance of security because the numbers are displayed in some pseudo-random fashion.

Someone posted here that it is unfair to criticize or discuss the security aspects of the virtual keyboard because there were no other viable alternatives. The exact quote was:

Quote:

"Seriously!! Have you understood the purpose of the original post?? Well, saying virtual keyboards don't help much is like saying something as if some other option will really make it hack proof. Can you suggest something really hackproof?? ... Huh!!"

/quote

The fact that virtual keyboards are marketed as security devices or enhancements makes them fair game for discussion. An open consensus will determine whether they are as secure as claimed by their well-intentioned developers. Period.

There are many alternatives. Sharecube (self-plug) makes one as do many other companies.

Mike Podanoffsky
mike at sharecube dot com


-- 
---
Bipin Gautam
http://bipin.tk
