Defeating Virtual Keyboards and Phishing Banks

Posted by Zonk on Sunday November 26, 2006 @05:46PM from the sounds-like-a-full-night dept.

An anonymous reader writes "Noam Rathaus writes on the SecuriTeam Blogs how most Image Click-Me virtual keyboards schemes used by banks to fight phishing trojan horses can be easily broken, even (and especially) when encryption is used. He then discusses how screenshots of the pointer location are over-kill, and describes how to kick these security measures out of the way." From the article: "Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique which the screenshots for pointer location on-click described above was used) some banks send the PIN number in cleartext, while others encrypt them, one such example is cajamurcia. Even when the encryption is used, banks tend to implement it badly making it easy to recover the PIN number from the encrypted form. I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange, they take the timestamp of their server (cajamurcia) and send it to you - this already posses a security problem - and this timestamp is then used to encrypt the PIN number you entered"

3 of 135 comments (clear)

Min score:

Reason:

Sort:

Meanwhile, back in the old west... by werewolf1031 · 2006-11-26 18:12 · Score: 2, Funny

this already posses a security problem
Round 'em up, boys! We gonna lynch us some bank robbers!
Cut them off at the pass by SEWilco · 2006-11-26 18:56 · Score: 2, Funny

posses a security problem
It depends upon your posse whether one or several of them are a problem.
Re:Yeah, and? by shigelojoe · 2006-11-26 20:01 · Score: 2, Funny

if you've got a trojan on your computer you're going to be fucked

I'll take "Things a computer has in common with a penis" for $1000, Alex.