Defeating Citibank Virtual Keyboard protection using screenshot method
By Yash K.S <yashks@gmail.com>
http://www.tracingbug.com
Disclaimer:
Author takes no responsibilities for any actions with provided information’s or codes. The copyright for any material created by the author is reserved. Any duplication of codes or texts provided here in electronic or printed publications is not permitted without the author's agreement.
Original URL: http://www.tracingbug.com/index.php/articles/view/23.html
Description:
Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will display a keys in random position in a virtual keyboard on the screen where it makes little difficult for password capture. This only gives confidence for end user from key loggers not from other methods. Local attacker can use Win32 API’s to capture using screen shot method and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and misuse it.
Note:
My intension is to help people to try out the POC and understand themself (offcourse, if you can code yourself one, Please, do it)
Platforms Affected:
Microsoft Corporation: Windows 98 Any version
Microsoft Corporation: Windows Me Any version
Microsoft Corporation: Windows XP Any version
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0 Any version
Citi-Bank: Citi-Bank Virtual Keyboard Any version
Browsers:
Microsoft Internet Explorer Any version
Mozilla FireFox Any version
Any browser runs on Win32 platform( with slight modification )
References:
CitiBank Web site - http://www.citibank.com/us
Step by Step Demo(People who likes to check POC can do so, it does not have any malware):
§ Download POC from http://tracingbug.com/downloads/citihook.zip and unzip to some directory
§ Launch citihook.exe, this will watch only https://www.online.citibank.co.in/ URL
§ Visit https://www.online.citibank.co.in/
§ In Right side of the screen in “Login to Citibank online” click “Go” button
§ You will land in following screen for typing card number and IPIN
§ Any click happens on above screen will be captured by the citihook module. All the screen shot will be placed in directory c:\citilogon and you can read the bitmaps one by one and you can construct the password manually. To determine the order of the keys you can check the filenames. In following screen shot you can see user has entered “YASHKS”
§ Local attacker can make sure he can send this file to remote location for doing further damage. This can be done easily since file size is less. Attacker can do lot of optimization based on this method.
( Source http://www.tracingbug.com/index.php/articles/view/23.html)
By Yash K.S <yashks@gmail.com>
http://www.tracingbug.com
Disclaimer:
Author takes no responsibilities for any actions with provided information’s or codes. The copyright for any material created by the author is reserved. Any duplication of codes or texts provided here in electronic or printed publications is not permitted without the author's agreement.
Original URL: http://www.tracingbug.com/index.php/articles/view/23.html
Description:
Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will display a keys in random position in a virtual keyboard on the screen where it makes little difficult for password capture. This only gives confidence for end user from key loggers not from other methods. Local attacker can use Win32 API’s to capture using screen shot method and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and misuse it.
Note:
My intension is to help people to try out the POC and understand themself (offcourse, if you can code yourself one, Please, do it)
Platforms Affected:
Microsoft Corporation: Windows 98 Any version
Microsoft Corporation: Windows Me Any version
Microsoft Corporation: Windows XP Any version
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0 Any version
Citi-Bank: Citi-Bank Virtual Keyboard Any version
Browsers:
Microsoft Internet Explorer Any version
Mozilla FireFox Any version
Any browser runs on Win32 platform( with slight modification )
References:
CitiBank Web site - http://www.citibank.com/us
Step by Step Demo(People who likes to check POC can do so, it does not have any malware):
§ Download POC from http://tracingbug.com/downloads/citihook.zip and unzip to some directory
§ Launch citihook.exe, this will watch only https://www.online.citibank.co.in/ URL
§ Visit https://www.online.citibank.co.in/
§ In Right side of the screen in “Login to Citibank online” click “Go” button
§ You will land in following screen for typing card number and IPIN
§ Any click happens on above screen will be captured by the citihook module. All the screen shot will be placed in directory c:\citilogon and you can read the bitmaps one by one and you can construct the password manually. To determine the order of the keys you can check the filenames. In following screen shot you can see user has entered “YASHKS”
§ Local attacker can make sure he can send this file to remote location for doing further damage. This can be done easily since file size is less. Attacker can do lot of optimization based on this method.
( Source http://www.tracingbug.com/index.php/articles/view/23.html)
Comments