[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection

To: "'root'" <lyal.collins@xxxxxxxxxxxxx>, "'Peter Ferrie'" <pferrie@xxxxxxxxxxxx>
Subject: RE: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection
From: "Debasis Mohanty" <mail@xxxxxxxxxxxxxxxxxx>
Date: Sat, 6 Aug 2005 04:05:30 +0530

Sweet and Simple - This is how this program works. 

A brief on the algo~m is given below - 

Step1: Enumerate all the IE windows and look for the one with CitiBank Login
screen (This step is invoked when an IE is opened and a partucular URL is
requested)

Step2: If found then Create a HTML object

Step3: Set the objEliment to 46 (For Credit Card No) and 61 (for IPIN) [Thes
numbers are specific to CitiIndia Login page]   Note: However, this can be
modifed to work universally for Citi-UK and others

Step: Retrieve value from those elements 

End

That's all about the program logic. This runs very fast and hardly eats
memory ;)

Will possible update the source code sometime ... Keep watching !!

- DM -

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of root
Sent: Saturday, August 06, 2005 5:57 PM
To: Peter Ferrie
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard
Protection

Peter Ferrie wrote:

>
>
>  
>
>>>Recently I discovered a method to defeat the much hyped Citi-Bank 
>>>Virtual Keyboard Protection which the bank claimed that it defends 
>>>the customers against malicious programs like keyloggers, Trojans and 
>>>spywares etc.
>>>      
>>>
>>Wouldn't that be trivial to snoop on simply by making a trojan / 
>>spyware application that records a section of screen in the immediate 
>>proximity of mouse cursor on every mouse click? It's not that resource 
>>consuming, and easy to arrange.
>>    
>>
>
>Something similar was done by variants of the W32/Dumaru family last year.
>That was an attack against the e-Gold keypad.
>You can read about it here: http://pferrie.tripod.com/vb/dumaru.pdf
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
>
>  
>
This has already done in 1997 in 'proof of concept' form to do the screen
capture process, when 2 Australian banks launched on-screen keypads.
I understand the demo took an image of around 10 pixel +- th mouse click
position.

Nothing terribly new, concept-wise.

Lyal
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection
  - From: root

Prev by Date: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection
Next by Date: RE: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection
Previous by thread: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection
Next by thread: RE: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection
Index(es):
- Date
- Thread