WebApp Sec mailing list archives
RE: Citi-Bank Virtual Keyboard (is useless)
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sun, 14 Aug 2005 22:53:02 +0530
Mike,
I wrote a virtual keyboard in C# for a security application and so far I
cannot find any key logger that can obtain
the password. I am sure someone could write one, but they HAVE to
obtained the button value and not the form field
value to obtain the password, because of extra security features I added
when the keyboard is used that password is
protected.
lol !! Release the apps to the internet or if it is used widely (preferrably any financial organisation) then I am sure if it attract the malicious program writers then it will hardly take few mins to write a KLs. ;-) - D -----Original Message----- From: intel96 [mailto:intel96 () bellsouth net] Sent: Sunday, August 14, 2005 6:17 PM To: mike () securityfocus com; webappsec () securityfocus com; com () securityfocus com Subject: Re: Citi-Bank Virtual Keyboard (is useless) Mike, I wrote a virtual keyboard in C# for a security application and so far I cannot find any key logger that can obtain the password. I am sure someone could write one, but they HAVE to obtained the button value and not the form field value to obtain the password, because of extra security features I added when the keyboard is used that password is protected. Can you provide me some examples of key loggers that can obtain the button that was pressed (using the mousedown event) on a virtual keyboard and not what is sent to the form field box? Thanks, Intel96 mike () securityfocus com wrote:
Virtual Keyboards (ala Citibank.co.in) are not very useful. They provide
absolutely no protection whatsoever against keyloggers.
I have been to the citibank.co.in site and it is clear that even though the
virtual keyboard is dynamic, it still places characters into a form field. Keyloggers can easily read this and all other fields on the form as plain text.
It is highly misleading to give the appearance of security because the
numbers are displayed in some pseudo-random fashion.
Someone posted here that it is unfair to criticize to discuss the security
aspects of the virtual keyboard because there were no other viable alternatives. The exact quote was:
Quote: "Seriously!! Have you understood the purpose of the original post?? Well,
saying virtual keyboards don't help much is like saying something as if some other option will really make it hack proof. Can you suggest something really hackproof?? ... Huh!!
/quote The fact that virtual keyboards are marketed as security devices or
enhancements makes them fair game for discussion. An open consensus will determine whether they are as secure as claimed by their well-intentioned developers. Period.
There are many alternatives. Sharecube (self-plug) makes one as do many
other companies.
Mike Podanoffsky mike at sharecube dot com
Current thread:
- Citi-Bank Virtual Keyboard (is useless) mike (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) intel96 (Aug 14)
- RE: Citi-Bank Virtual Keyboard (is useless) Debasis Mohanty (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Neil Rowland (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Bipin Gautam (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Saqib Ali (Aug 14)
- RE: Citi-Bank Virtual Keyboard (is useless) Debasis Mohanty (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Cory Foy (Aug 15)
- Re: Citi-Bank Virtual Keyboard (is useless) Andre Ludwig (Aug 15)
- <Possible follow-ups>
- Re: Re: Citi-Bank Virtual Keyboard (is useless) mike (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) intel96 (Aug 14)