On Sat, 6 Aug 2005, Debasis Mohanty wrote:

> Recently I discovered a method to defeat the much hyped Citi-Bank
> Virtual Keyboard Protection which the bank claimed that it defends the
> customers against malicious programs like keyloggers, Trojans and
> spywares etc.

Wouldn't that be trivial to snoop on simply by making a trojan / spyware application that records a section of screen in the immediate proximity of mouse cursor on every mouse click? It's not that resource consuming, and easy to arrange.

Probably no programs do that routinely today, of course. My point is, although I have no practical experience with Citibank's offering, I see nothing that was meant to be secure about it - they just bank (no pun intended) on the fact one would need to target their logon mechanism specifically, and that generic keyloggers indeed fail to capture this traffic. This is pretty good.

> Criticality: High

Huh?

/mz
http://lcamtuf.coredump.cx/silence/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
