WebApp Sec mailing list archives

Re: Citi-Bank Virtual Keyboard (is useless)


From: Cory Foy <Cory.Foy () mobilehwy com>
Date: Mon, 15 Aug 2005 08:40:05 -0400

mike () securityfocus com wrote:
> I have been to the citibank.co.in site and it is clear that even though the virtual keyboard is dynamic, it still places characters into a form field. Keyloggers can easily read this and all other fields on the form as plain text.

I'm curious - did you mean software or hardware keyloggers? If software, then I think it would be a reasonable protection for certain instances. For example, let's assume that you have an internet cafe that has a way to reload the OS image every time a user logs off. I assume this would prevent software keyloggers from staying resident (if not, please say otherwise - I spend much more time in code than in security tools). So, with this big assumption, your only worry as a user is a hardware keylogger.

It would seem that if an admin can stop unauthorized software from being installed (and one can prevent their box from being own3d) then this is a reasonable level of security. Is it a panacea? No, I don't think so, any more than a firewall is going to help if the attack is coming from one of your admins. Physical security is number 1, and if you can assume that, then this solution doesn't seem so bad.

Cory
