WebApp Sec mailing list archives
Re: Citi-Bank Virtual Keyboard (is useless)
From: Andre Ludwig <andre.ludwig () gmail com>
Date: Mon, 15 Aug 2005 15:16:58 -0400
Here is an old email I sent out to the OWASP Washington list a while back that discusses a similar system. Disclaimer: this is overly complex and horribly insecure, but it was fun nonetheless. What it does is basically you create an expression that is compared against a value that is stored. If the expression returns "true" then you allow access. Horrible, huh.. Anyways, thought I would share the idea since everyone is blabbing about virtual keyboards and such; maybe you guys could build upon, or take apart, the stupid idea I had a while back. That being said, I give you the email in all its glory..

[quoted text]

A pretty slick little scheme I saw on a Brazilian bank was as follows.
From what I could tell it did the following. (I didn't look at the source code and was just watching someone use the site.)

When a user logged into his bank account via the website they were redirected to an SSL "secured" server. Then they were prompted for a means to authenticate their account information (bank number and account number). They were then brought to a page that asked them for a password. Once that was submitted they were brought to a page that required them to enter a PIN.

Here was the cool part: there wasn't the full 10-key PIN pad, it was 4 or 5 little boxes that allowed for 1-3 4-5 6-7 8 9-0; you then typed in the PIN number that had been assigned to you. Every single time the values of the boxes would change, and their placement would change as well. So the next time the user logged in it would be 4-6 1-2 3 9-0 7-8, and so forth.

They could have been basing the placement and spread of the numbers on the PIN pad by computing a hash based on IP address, timestamp and browser type. For instance, take that information and hash it:

e756dfe6dbd620d0edd5697140fa2747

and drop the last 2 digits to create a 30-char-long string:

E756dfe6dbd620d0edd5697140fa27

Then cut the string up into portions of 6 chars (one segment for each keypad, meaning 6 characters per string now):

E756df e6dbd6 20d0ed d56971 40fa27

Take that chunk of numbers and hash them, then take the numbers and letters and add them up (letters could have an approx. value: a=1, b=2, c=3, etc.; 0 would equal 10). Then compare the values to a "framework" that decides that if a value falls in between x-y then it will inherit the value associated to it.
1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce
4th place holder = d56971 = 757783bc51a49035b2624d7c73763140
5th place holder = 40fa27 = 47a4840a8594557e37a6213f122711a2

So now we have 5 values. We then sum each of these values (letters could = their approx. placement, or you could get jiggy wit it and create some custom-based value system for alphas) and compare it to a "value matrix" to decide what numbers would be displayed for what keypad, and what the placement of those keypads would be.

1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193 = 129
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c = 159
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce = 173
4th place holder = d56971 = 757783bc51a49035b2624d7c73763140 = 151
5th place holder = 40fa27 = 47a4840a8594557e37a6213f122711a2 = 143

We could then take those values and add the single numbers together to get a sum for each value.

1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193 = 129 = (1+2+9) 12
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c = 159 = (1+5+9) 15
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce = 173 = (1+7+3) 11
4th place holder = d56971 = 757783bc51a49035b2624d7c73763140 = 151 = (1+5+1) 7
5th place holder = 40fa27 = 47a4840a8594557e37a6213f122711a2 = 143 = (1+4+3) 8

Now since we have already gotten it down to single chars we will use the last two places for the numbers 7 and 8. That still leaves the first three places open.
X X X 7 8 (is what would be displayed at this point)

1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193 = 129 = (1+2+9) 12
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c = 159 = (1+5+9) 15
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce = 173 = (1+7+3) 11

So we now know that the following ranges need to be represented (since we have already added 7 and 8 to the "PIN pad" that is displayed to the user):

1-6 9-0

Since the second range of numbers (9-0) contains no more than 2 numbers we have no need to break it out into smaller ranges. We can then assign that range of numbers to the place holder that has the highest (or lowest) value. (I picked highest, so 9-0 will be assigned to the 2nd place holder.) So the PIN pad would now look like:

X 9-0 X 7 8

So now we just have to break out that last range into a range of numbers and assign the placement for those numbers. Since there are 6 numbers involved and 2 places left, we can figure out with a simple division function how large the range of numbers has to be (2 ranges of 3 numbers). So we now have two ranges: 1-3 4-6. We simply assign the first to the place that has the highest value, and the last one goes to what is left. So we now have a PIN pad that looks as follows:

1-3 9-0 4-6 7 8

Now based on the input of the user we can build a regular expression to compare the PIN (now a regular expression) that was entered via the PIN pad with the real one, without ever having to actually compare the real PINs, as we can see if the regular expression matches the criteria of the one in the database. I.e., if the PIN was 9821 the place holders that should have been struck would be:

2nd place 5th place 1st place 1st place

Since we know the RANGE of these values and not the actual PIN we have a layer of security.
Granted it's not perfect (we could make it stronger by not allowing any single digits to be displayed, and using a 4 place holder system, or even adding alphas to it as well), as portions of the PIN are revealed. Blah, anyways I don't have nuff time to finish off this flight of fancy, maybe some of you guys could throw some ideas my way on it. Just sort of came to me while musing how said website did their authentication. Granted I don't think it is anywhere near as complex as what I have here, but who knows. And as another disclaimer, I added the values for those hashes in my head so they are prob completely borked.

Pinky da Brain

[/quoted text]

Anyone get that? haha WAY TOO COMPLEX, and after re-reading it I could see how you could add another layer of security by not storing the PIN value but rather a "notion" of what that value "could" be. Not that doing that would be very effective, as you would still have a small "search space" for the real value if that was to be compromised, but coupled with a proper fraud detection program that could be enough room to allow you to be alerted before an actual compromise. (Assuming you can build such a system into the system using such a system.. haha) Anyways tear it up guys, I'm curious to see what you guys think of my dumbass idearz...

Dre

On 8/15/05, Cory Foy <Cory.Foy () mobilehwy com> wrote:
> mike () securityfocus com wrote:
> > I have been to the citibank.co.in site and it is clear that even though the virtual keyboard is dynamic, it still places characters into a form field. Keyloggers can easily read this and all other fields on the form as plain text.
>
> I'm curious - did you mean software or hardware keyloggers? If software, then I think it would be a reasonable protection for certain instances. For example, let's assume that you have an internet cafe which has a way to reload the OS image every time a user logs off. I assume this would prevent software keyloggers from staying resident (if not, please say otherwise - I spend much more time in code than in security tools). So, with this big assumption, your only worry as a user is a hardware keylogger. It would seem that if an admin can stop unauthorized software from being installed (and one can prevent their box from being own3d) then this is a reasonable level of security.
>
> Is it a panacea? No, I don't think so, any more than a firewall is going to help if the attack is coming from one of your admins. Physical security is number 1, and if you can assume that, then this solution doesn't seem so bad.
>
> Cory
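The range-keypad scheme from the quoted email, as an added example that is not part of the original post or of any bank's code: it derives a per-session keypad from a hash (simplified here to seeding a PRNG with the hash, rather than the hand-summed values in the email), turns the keys the user pressed into one character class per press and matches that against the stored PIN as the email describes, and counts how many PINs remain consistent with an observed press sequence, which is the "small search space" the post itself points out. The session material string and the helper names are assumptions.

```python
import hashlib
import random
import re
from math import prod

DIGITS = "1234567890"   # the email orders 0 after 9, so "9-0" is a valid range
KEYS = 5                # number of "place holders" (boxes) on the pad


def keypad_layout(session_material: bytes) -> list:
    """Derive this session's keypad from a hash of per-session material
    (the email suggests IP address, timestamp and browser type).
    Returns the digit group shown on each key, in display order.
    Hypothetical simplification: the hash seeds a PRNG that picks the
    range cut points and the key order, replacing the hand-summed values."""
    digest = hashlib.md5(session_material).hexdigest()[:30]  # drop last 2 chars
    rng = random.Random(int(digest, 16))
    cuts = sorted(rng.sample(range(1, len(DIGITS)), KEYS - 1))
    bounds = [0] + cuts + [len(DIGITS)]
    groups = [DIGITS[a:b] for a, b in zip(bounds, bounds[1:])]  # contiguous ranges
    rng.shuffle(groups)                                          # random placement
    return groups


def presses_to_regex(presses, layout) -> str:
    """Turn the 1-based keys the user pressed into one character class per press."""
    return "".join("[%s]" % layout[p - 1] for p in presses)


def verify(presses, layout, stored_pin: str) -> bool:
    """Match the press pattern against the stored PIN, as the email describes."""
    return re.fullmatch(presses_to_regex(presses, layout), stored_pin) is not None


def candidates(presses, layout) -> int:
    """PINs still consistent with a press sequence: what someone who captured
    both the presses and the layout would still have to search."""
    return prod(len(layout[p - 1]) for p in presses)


# Layout and presses from the email's worked example (constructed sample input).
EMAIL_LAYOUT = ["123", "90", "456", "7", "8"]   # "1-3 9-0 4-6 7 8"
EMAIL_PRESSES = [2, 5, 1, 1]                    # PIN 9821 -> 2nd 5th 1st 1st

if __name__ == "__main__":
    print(presses_to_regex(EMAIL_PRESSES, EMAIL_LAYOUT))   # [90][8][123][123]
    print(verify(EMAIL_PRESSES, EMAIL_LAYOUT, "9821"))      # True
    print(verify(EMAIL_PRESSES, EMAIL_LAYOUT, "9811"))      # True: same presses
    print(candidates(EMAIL_PRESSES, EMAIL_LAYOUT))          # 18 PINs fit
    print(keypad_layout(b"203.0.113.7|2005-08-15T15:16:58|Mozilla/4.0"))
```

The second `verify` call is the weakness the email admits: every PIN whose digits fall in the same ranges is accepted, so the server only ever learns the press pattern, and so does anyone watching.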
Current thread:
- Citi-Bank Virtual Keyboard (is useless) mike (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) intel96 (Aug 14)
- RE: Citi-Bank Virtual Keyboard (is useless) Debasis Mohanty (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Neil Rowland (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Bipin Gautam (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Saqib Ali (Aug 14)
- RE: Citi-Bank Virtual Keyboard (is useless) Debasis Mohanty (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) Cory Foy (Aug 15)
- Re: Citi-Bank Virtual Keyboard (is useless) Andre Ludwig (Aug 15)
- <Possible follow-ups>
- Re: Re: Citi-Bank Virtual Keyboard (is useless) mike (Aug 14)
- Re: Citi-Bank Virtual Keyboard (is useless) intel96 (Aug 14)