WebApp Sec mailing list archives
RE: Defeating Citi-Bank Virtual Keyboard Protection
From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Mon, 15 Aug 2005 00:11:06 +0530
From: F Lace [mailto:flace9 () gmail com] brazenly wrote:

> Citibank login works only in IE anyways, AFAIK.

This is wrong. CitiBank login is plain jsp and it very much works perfectly in other browsers (Firefox, Opera etc...) ;-) In my own testing, Citibank's login worked on Firefox and Opera as well.

CB login link: https://www.citibank.co.in/infojsp/login/guestlogin.jsp

> The card number field doesn't require you to type through the virtual
> keyboard. It is only the IPIN.

FYI: the VKs can also be used for the CC field, and it is left upon the user to decide whether to avail the feature or not. Other than that, initially when CitiBank introduced the concept of VK, even the IPIN field was left upon the user to decide whether to use the VK or the normal keyboard.

> I have not tried your PoC, but is it something that can be installed in
> the browser or computer system?
> Unless that is so, I am not sure what this post really means. Please
> clarify.

Hmmmm..... I would have been glad to explain it to you better if you would have taken out some time to read the PoC before asking any such queries. Don't you think it would be pointless to come up with so many queries without having background knowledge on the topic? Normally, I don't reply to such mails; however, I replied because you posted to this group. I'm sure if you read the PoC then all your queries will get answered well :)

- D

-----Original Message-----
From: F Lace [mailto:flace9 () gmail com]
Sent: Saturday, August 13, 2005 10:49 AM
To: Debasis Mohanty
Cc: webappsec () securityfocus com
Subject: Re: Defeating Citi-Bank Virtual Keyboard Protection

> Note: This PoC is applied only for Internet Explorer users

Citibank login works only in IE anyways, AFAIK.

> Proof of Concept: Here I shall demonstrate how easily the Virtual Keyboard can be defeated by a simple program. I created a small program in VB 6.0 (called CitiPassLogger.exe) which can record not only the 16-Digit credit card but also the IPIN even if they are entered using the virtual keyboard.

The card number field doesn't require you to type through the virtual keyboard. It is only the IPIN. I have not tried your PoC, but is it something that can be installed in the browser or computer system? Unless that is so, I am not sure what this post really means. Please clarify.