Over 8 years old (mid 1997/8) - http://www.dotsec.com/onBank.html?topic=302544
Lyal -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Debasis Mohanty Sent: Tuesday, 28 November 2006 6:12 PM To: 'Gadi Evron'; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Defeating Image-Based Virtual KeyboardsandPhishing Banks (fwd) More than a year Old (3rd August, 2005) - Defeating CITI-BANK Virtual Keyboard Protection http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0142.html http://hackingspirits.com/vuln-rnd/Defeat-CitiBank-VK.zip http://xforce.iss.net/xforce/xfdb/21727 Regards, -d -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron Sent: Sunday, November 26, 2006 12:18 PM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Defeating Image-Based Virtual Keyboards andPhishing Banks (fwd) Copied from a post by Noam Rathaus on the SecuriTeam Blogs, following up a post by HispaSec. This is about breaking virtual keyboards implementations, and the encryption some of them use (most of them send the data in clear text with the image). HispaSec was a reference by which we found the banks' site as one using a virtual keyboard. http://blogs.securiteam.com/index.php/archives/678 http://hispasec.com/laboratorio/cajamurcia_en.htm Gadi. Quoting: Recently, I stumbled upon a post by HispaSec showing off a screen shot trojan (http://hispasec.com/laboratorio/cajamurcia_en.htm) which nicely showed how a trojan horse can, utilizing a key stroke capture and screenshot capture, grab a user's PIN number, fairly easily, and wondered why are they taking this approach when the PIN numbers can be easily retrieved by sniffing the data sent by the user to the banking site, even though they are "encrypted". Image based keyboard (or virtual keyboards) were invented to make life harder for banking or phishing trojan horses (specifically key-stroke loggers or key loggers), some even suggested they be used specifically to avoid these trojan horses. The bad guys adapted to this technology and escalated. Now the trojan horses take screenshots of where the mouse pointer is to determine what number they clicked on. Thing is, it is often unnecessary as in most implementations of this technique that we looked into (meaning, not all) it was flawed. Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique which the screenshots for pointer location on-click described above was used) some banks send the PIN number in cleartext, while others encrypt them, one such example is cajamurcia. Even when the encryption is used, banks tend to implement it badly making it easy to recover the PIN number from the encrypted form. I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange, they take the timestamp of their server (cajamurcia) and send it to you - this already posses a security problem - and this timestamp is then used to encrypt the PIN number you entered. This would have been a good idea if the timestamp was not sent back to the server, making it hard or semi-hard to guess the timestamp used to encrypt the data, but at the same time making it harder for the server to know what timestamp was provided to the client (unless they store it inside their session information). Anyhow, as it is sent back to the server, we have everything we need to decrypt the data (PIN number). PoC: A request to the server would look like: OPERACION=0002& CAJA=2043& CAMINO=2043& PGDESTI=CORP& BROKER=SI& VRS=001& PAN=2043123456& SELLO=1610061555560000012569& CL=1161006956& PINV3=si& PANA=2043& PANB=123456& PIN=BBCB6E341C56C6B2& IDIOMA=01 We are only interested in PIN=BBCB6E341C56C6B2 and CL=1161006956, CL being the timestamp and PIN being the encrypted form of the PIN number. If we feed these into the following JS code: https://intelvia.cajamurcia.es/2043/01/scripts/MOD.js function hexToString (h) { var r = ""; for (var i= (h.substr(0, 2)=="0x")?2:0; i lowerthan h.length; i+=2) { r += String.fromCharCode (parseInt (h.substr (i, 2), 16)); } return r; } calcula = '1161006956'; ciphertext = hexToString('0xBBCB6E341C56C6B2'); var cleartext = des (calcula.substr(2,8), ciphertext, 0, 1, "00000000"); console.debug(cleartext); We will get our original PIN number. This isn't necessarily easier as it requires data capture, which isn't always easy, but screen captures usually require either an OCR, or manual labor, which the above code does not. One needs to remember that Javascript (or any client-side code and information) is indeed on the client's side and under the client's control. An attacker can kick it aside, or learn to emulate it and attack it - manipulate it. Client-side encryption where the code and key are visible is pointless. No matter how much obfuscation or cross-frame and cross-file scripting is used, calling for different functions and parameters, nor how many functions you obfuscate your code through, it can be read and maniuplated. We made several email and phone attempts over the past couple of months to reach cajamurcia and report this security issue to them. Gadi Evron even asked a couple of folks in Spain to help with contacting them by phone, even speaking directly to security folks there. We were unsuccessful. The bank is already under attack by the over-kill screenshot trojan horses. We release this information in full disclosure in the hope many online commerce sites using similar techniques or even sending the information in the clear will fix their implementations of the virtual keyboard Click-Me Number-Images Schemes. These are broken by the use of the trojan horses we discussed, but that's a whole other story. Noam Rathaus _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/