>> Wouldn't that be trivial to snoop on simply by making a trojan / spyware application that records a section of screen >> in the immediate proximity of mouse cursor on every mouse click? It's not that resource consuming, and easy to >> arrange.
Read the description section again, perhaps you have missed out the following - . The Virtual Keyboard is dynamic . The sequence in which the numbers appears will change every time, the page is refreshed Hence, desiging something the way that you have proposed is not going to workout here. Infact, that was the first thing any malicious program writer will think of. >> My point is, although I have no practical experience with Citibank's offering, I see nothing that was meant to be >> secure about it - they just bank (no pun intended) on the fact one would need to target their logon mechanism >> specifically, and that generic keyloggers indeed fail to capture this traffic. I agread with the point that there is nothing much to they can do here to secure it but however claiming that their protection is foolproof against spywares is something I believe is vague. - DM - -----Original Message----- From: Michal Zalewski [mailto:[EMAIL PROTECTED] Sent: Saturday, August 06, 2005 1:40 AM To: Debasis Mohanty Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection On Sat, 6 Aug 2005, Debasis Mohanty wrote: > Recently I discovered a method to defeat the much hyped Citi-Bank > Virtual Keyboard Protection which the bank claimed that it defends the > customers against malicious programs like keyloggers, Trojans and > spywares etc. Wouldn't that be trivial to snoop on simply by making a trojan / spyware application that records a section of screen in the immediate proximity of mouse cursor on every mouse click? It's not that resource consuming, and easy to arrange. Probably no programs do that routinely today, of course. My point is, although I have no practical experience with Citibank's offering, I see nothing that was meant to be secure about it - they just bank (no pun intended) on the fact one would need to target their logon mechanism specifically, and that generic keyloggers indeed fail to capture this traffic. This is pretty good. > Criticality: High Huh? /mz http://lcamtuf.coredump.cx/silence/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/