Full Disclosure mailing list archives

Re: Defeating Citi-Bank Virtual Keyboard Protection


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 5 Aug 2005 22:10:29 +0200 (CEST)

On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Recently I discovered a method to defeat the much hyped Citi-Bank
> Virtual Keyboard Protection, which the bank claims defends its
> customers against malicious programs like keyloggers, Trojans,
> spyware, etc.

Wouldn't that be trivial to snoop on simply by making a trojan / spyware
application that records a section of the screen in the immediate proximity
of the mouse cursor on every mouse click? It's not that resource-consuming,
and easy to arrange.

Probably no programs do that routinely today, of course. My point is,
although I have no practical experience with Citibank's offering, I see
nothing that was meant to be secure about it - they just bank (no pun
intended) on the fact that one would need to target their logon mechanism
specifically, and that generic keyloggers indeed fail to capture this
traffic. This is pretty good.

> Criticality: High

Huh?

/mz
http://lcamtuf.coredump.cx/silence/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/