WebApp Sec mailing list archives

Re: Citi-Bank Virtual Keyboard (is useless)


From: Andre Ludwig <andre.ludwig () gmail com>
Date: Mon, 15 Aug 2005 15:16:58 -0400

Here is an old email I sent out to the OWASP Washington list a while
back that discusses a similar system.

Disclaimer: this is overly complex and horribly insecure, but it was
fun nonetheless.  What it does, basically, is you create an expression
that is compared against a value that is stored.  If the expression
returns "true", then you allow access.  Horrible, huh?  Anyway, I
thought I would share the idea since everyone is blabbing about
virtual keyboards and such; maybe you guys could build upon, or take
apart, the stupid idea I had a while back.

That being said, I give you the email in all its glory.

[quoted text]
A pretty slick little scheme I saw on a Brazilian bank was as follows.

From what I could tell it did the following. (I didn't look at the
source code and was just watching someone use the site)


When a user logged into his bank account via the website, they were
redirected to an SSL "secured" server.   Then they were prompted for a
means to authenticate their account information (bank number and
account number).  They were then brought to a page that asked them for
a password. Once that was submitted, they were brought to a page that
required them to enter a PIN. Here was the cool part: there wasn't
a full 10-key PIN pad; it was 4 or 5 little boxes that allowed for
1-3 4-5 6-7 8 9-0, and you then typed in the PIN number that had been
assigned to you.  Every single time, the values of the boxes would
change, and their placement would change as well.  So the next time
the user logged in it would be 4-6 1-2 3 9-0 7-8, and so forth.   They
could have been basing the placement and spread of the numbers on the
PIN pad by computing a hash based on IP address, timestamp and browser
type.

For instance, take that information and hash it
(e756dfe6dbd620d0edd5697140fa2747), then drop the last 2 digits to
create a 30-character string.

E756dfe6dbd620d0edd5697140fa27

Then cut the string up into portions of 6 characters (one segment for
each keypad, meaning 6 characters per string now).

E756df  e6dbd6  20d0ed  d56971  40fa27

Take each chunk and hash it, then add up the numbers and letters
(letters could have an approximate value, a=1, b=2, c=3, etc.; 0 would
equal 10).  Then compare the values to a "framework" that decides that
if a value falls between x and y, it inherits the value associated
with that range.

1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c    
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce    
4th place holder = d56971 = 757783bc51a49035b2624d7c73763140    
5th place holder = 40fa27 = 47a4840a8594557e37a6213f122711a2

So now we have 5 values; we then sum each of these values (letters
could equal their approximate placement, or you could get jiggy with
it and create some custom value system for alphas) and compare it to a
"value matrix" to decide what numbers would be displayed for what
keypad, and what the placement of those keypads would be.

1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193 = 129 
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c = 159 
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce = 173 
4th place holder = d56971 = 757783bc51a49035b2624d7c73763140 = 151
5th place holder = 40fa27 = 47a4840a8594557e37a6213f122711a2 = 143

We could then take those values and add the single numbers together to
get a sum for each value.

1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193 = 129 = (1+2+9) 12
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c = 159 = (1+5+9) 15
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce = 173 = (1+7+3) 11 
4th place holder = d56971 = 757783bc51a49035b2624d7c73763140 = 151 = (1+5+1) 7 
5th place holder = 40fa27 = 47a4840a8594557e37a6213f122711a2 = 143 = (1+4+3) 8


Now, since we have already gotten it down to single digits, we will use
the last two places for the numbers 7 and 8.  That still leaves the
first three places open.

X X X 7 8 (is what would be displayed at this point)

1st place holder = E756df = 1255ff6b5199816b7c0abbbaa36ac193 = 129 = (1+2+9) 12
2nd place holder = e6dbd6 = a002da7baf9398f6eda9bdeca9893a8c = 159 = (1+5+9) 15
3rd place holder = 20d0ed = 76b00ebe69c07c670712812cf8d5adce = 173 = (1+7+3) 11

So we now know that the following ranges need to be represented (since
we have already added 7 and 8 to the "PIN pad" that is displayed to
the user):

1-6 9-0

Since the second range of numbers (9-0) contains no more than 2
numbers, we have no need to break it out into smaller ranges.  We can
then assign that range of numbers to the place holder that has the
highest (or lowest) value. (I picked highest, so 9-0 will be assigned
to the 2nd place holder.)

So the PIN pad would now look like:

X 9-0 X 7 8 

So now we just have to break out that last range into a range of
numbers and assign the placement for those numbers.

Since there are 6 numbers involved and 2 places left, we can figure out
with a simple division how large each range of numbers has to be
(2 ranges of 3 numbers).

So we now have two ranges: 1-3 and 4-6.

We simply assign the first to the place that has the highest value,
and the last one goes to what is left.

So we now have a PIN pad that looks as follows:

1-3 9-0 4-6 7 8

Now, based on the input of the user, we can build a regular expression
to compare the PIN (now a regular expression) that was entered via the
PIN pad with the real one, without ever having to actually compare the
real PINs, as we can see whether the regular expression matches the
one in the database.

I.e.

If the PIN was 9821, the placeholders that should have been struck would be:

2nd place
5th place
1st place
1st place   

Since we know the RANGE of these values and not the actual PIN, we have
a layer of security.  Granted, it's not perfect (we could make it
stronger by not allowing any single digits to be displayed, by using
a 4-placeholder system, or even by adding alphas to it as well), as
portions of the PIN are revealed.

Blah, anyway, I don't have enough time to finish off this flight of
fancy; maybe some of you guys could throw some ideas my way on it.
It just sort of came to me while musing on how said website did its
authentication.  Granted, I don't think it is anywhere near as complex
as what I have here, but who knows.   And as another disclaimer, I
added the values for those hashes in my head, so they are probably
completely borked.

Pinky da Brain
[/quoted text]


Anyone get that? Haha, WAY TOO COMPLEX. After re-reading it, I could
see how you could add another layer of security by not storing the PIN
value but rather a "notion" of what that value "could" be.  Not that
doing that would be very effective, as you would still have a small
"search space" for the real value if that were to be compromised, but
coupled with a proper fraud detection program, that could be enough
room to allow you to be alerted before an actual compromise
(assuming you can build such a system into the system using such a
system... haha).

Anyway, tear it up, guys; I'm curious to see what you think of my
dumbass idearz...

Dre



On 8/15/05, Cory Foy <Cory.Foy () mobilehwy com> wrote:
mike () securityfocus com wrote:
I have been to the citibank.co.in site and it is clear that even though
the virtual keyboard is dynamic, it still places characters into a form
field. Keyloggers can easily read this and all other fields on the form
as plain text.

I'm curious - did you mean software or hardware keyloggers? If software,
then I think it would be a reasonable protection for certain instances.
For example, let's assume that you have an internet cafe that has a way
to reload the OS image every time a user logs off. I assume this would
prevent software keyloggers from staying resident (if not, please say
otherwise - I spend much more time in code than in security tools). So,
with this big assumption, your only worry as a user is a hardware
keylogger.

It would seem that if an admin can stop unauthorized software from being
installed (and one can prevent their box from being own3d), then this is
a reasonable level of security. Is it a panacea? No, I don't think so,
any more than a firewall is going to help if the attack is coming
from one of your admins. Physical security is number 1, and if you can
assume that, then this solution doesn't seem so bad.

Cory
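The range-keypad scheme from the quoted email, implemented end to end as an added example; this is editor's code, not the author's or the bank's. It assumes MD5 as the hash (the post shows 32-hex-character digests but never names the algorithm), a constructed session string of IP address, timestamp and browser type, the letter values a=1 .. f=6 the post suggests, and position order as a tie-break the post does not specify. Beyond the post's single worked login it also computes, from the attacker's side, how many PINs remain consistent with the boxes a user was seen clicking, across one or more logins.

```python
import hashlib
import itertools
import re

# Added example, not code from the original post. It reproduces the described
# scheme: hash session data into five placeholder scores, turn those into a
# shuffled five-box "PIN pad", and check an entered PIN as a range expression
# rather than digit by digit. MD5 and the session-string layout are assumptions.

DIGITS = "1234567890"


def _char_value(c):
    # Author's valuation: letters a=1, b=2, ...; digits keep their value; 0 counts as 10.
    if c.isalpha():
        return ord(c.lower()) - ord("a") + 1
    return 10 if c == "0" else int(c)


def _digit_sum(n):
    return sum(int(d) for d in str(n))


def placeholder_scores(session_info):
    """Hash the session data, drop the last two hex chars, cut the remaining
    30 into five 6-char chunks, hash each chunk and reduce it to a number."""
    outer = hashlib.md5(session_info.encode()).hexdigest()[:30]
    chunks = [outer[i:i + 6] for i in range(0, 30, 6)]
    scores = []
    for chunk in chunks:
        inner = hashlib.md5(chunk.encode()).hexdigest()
        scores.append(_digit_sum(sum(_char_value(c) for c in inner)))
    return scores


def keypad_from_scores(scores):
    """Five scores -> five displayed boxes. Highest score shows 9-0, next 1-3,
    next 4-6; the two lowest show the single digits 7 and 8, left to right.
    Ties are broken by position (assumption; the post does not say)."""
    ranked = sorted(range(5), key=lambda i: (-scores[i], i))
    keypad = [None] * 5
    for idx, group in zip(ranked[:3], ("90", "123", "456")):
        keypad[idx] = group
    for idx, group in zip(sorted(ranked[3:]), ("7", "8")):
        keypad[idx] = group
    return keypad


def build_keypad(session_info):
    return keypad_from_scores(placeholder_scores(session_info))


def boxes_for_pin(keypad, pin):
    """What the user does: click the box containing each PIN digit (0-based index)."""
    return [next(i for i, group in enumerate(keypad) if d in group) for d in pin]


def keypad_regex(keypad, pressed):
    """Server side: the sequence of clicked boxes becomes a character-class regex."""
    return "^" + "".join("[%s]" % keypad[i] for i in pressed) + "$"


def pin_matches(keypad, pressed, real_pin):
    return re.fullmatch(keypad_regex(keypad, pressed), real_pin) is not None


def candidates_after(observations, pin_length=4):
    """Attacker side: PINs still consistent with every observed (keypad, clicks) pair.
    Starts from all 10**pin_length PINs and intersects the regexes."""
    cands = {"".join(p) for p in itertools.product(DIGITS, repeat=pin_length)}
    for keypad, pressed in observations:
        pattern = re.compile(keypad_regex(keypad, pressed))
        cands = {c for c in cands if pattern.fullmatch(c)}
    return cands


if __name__ == "__main__":
    # The post's worked values (the author says he made them up in his head).
    pad = keypad_from_scores([12, 15, 11, 7, 8])
    print(pad)                                # ['123', '90', '456', '7', '8']
    clicks = boxes_for_pin(pad, "9821")
    print(clicks, keypad_regex(pad, clicks))  # [1, 4, 0, 0] ^[90][8][123][123]$
    # Someone who saw which boxes were clicked is left with 2*1*3*3 = 18 PINs,
    # and a second session does not shrink that: only box placement changes,
    # the digit groups {9,0} {1,2,3} {4,5,6} {7} {8} are fixed by the scheme.
    pad2 = build_keypad("203.0.113.5|2005-08-15T15:16:58|Mozilla/4.0")  # constructed session data
    print(len(candidates_after([(pad, clicks), (pad2, boxes_for_pin(pad2, "9821"))])))  # 18
```

Because the scheme always produces the same five digit groups and only permutes their placement, the regex the server builds is identical on every login for a given PIN, so watching more logins adds nothing for an observer; the two singleton boxes also give away any 7 or 8 in the PIN outright. Run with `python3 keypad_demo.py` (file name assumed).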
