On Friday 05 August 2005 13:10, Michal Zalewski wrote:
> Wouldn't that be trivial to snoop on simply by making a trojan /
> spyware application that records a section of screen in the immediate
> proximity of mouse cursor on every mouse click? It's not that
> resource consuming, and easy to arrange.

You'd need to squeeze in some OCR code as well, or figure it out 
manually (or maybe use the same techniques as for getting around 
"captchas").

> Probably no programs do that routinely today, of course. My point is,
> although I have no practical experience with Citibank's offering, I
> see nothing that was meant to be secure about it - they just bank (no
> pun intended) on the fact one would need to target their logon
> mechanism specifically, and that generic keyloggers indeed fail to
> capture this traffic. This is pretty good.

Correct, it may be generally safe for a short while.  However, once a 
critical mass of institutions implement such schemes it is likely that 
keyloggers would move in a direction similar to Internet Explorer BHOs, 
by intercepting the page information after it's entered and before it's 
wrapped by SSL.  (Actually, this may already be the preferred technique 
for some spy software.)

While the original poster's technique may be a first attempt at directly 
circumventing virtual keyboards, a Google search turns up examples of 
the same or similar techniques as an improvement on traditional 
keylogging methods.  It doesn't directly target virtual keyboards so 
much as it simply ignores them.

Example:
http://www.codeguru.com/Cpp/W-P/system/security/article.php/c5761


-- 
My other computer is your Windows machine.
              -- sig
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
