Screen capture programs could obtain the account information, but this
would require the application to capture the information in a video
format. The problem with this technique is that it eats up a lot of
hard drive space. If a screen capture could be programmed to run in
video format only when the Citi-Bank page is being displayed, then it would
reduce the hard drive space. Currently I do not know of any program
that has these capabilities (it would be on my wish list, since I use
these applications every day). The problem here is that other banks
would be missed, unless the screen capture program allowed special
programming to look for signs of this virtual keyboard on other sites.
I tested several key loggers against this site and could not get the
password. I also tested a program that is designed to use low-level
hooks to obtain passwords that have been masked. This program obtained
the password as soon as I placed it over the box containing the masked
characters.
Another problem is that the bank is using JavaScript for the keyboard
and the code can be viewed locally. This is useful in determining if the
right page is being displayed before screen capture starts. Line 4 was
the only one that rotated when I refreshed the page. Since this is the
only line, it would be possible to capture the mouse position on the page
when the mouse-down event occurs, thus obtaining the value at that time.
My problem with this keyboard is that this is a LARGE BANK with a lot of
good developers, who should have created a better keyboard. I am
using a virtual keyboard that I wrote (C#) and so far I have not found
any key loggers or spy tools that can capture the passwords (unless this
new screen program comes out).