Slashdot Mirror

← Back to Stories (view on slashdot.org)

Defeating Virtual Keyboards and Phishing Banks

Posted by Zonk on from the sounds-like-a-full-night dept.

An anonymous reader writes "Noam Rathaus writes on the SecuriTeam Blogs how most Image Click-Me virtual keyboards schemes used by banks to fight phishing trojan horses can be easily broken, even (and especially) when encryption is used. He then discusses how screenshots of the pointer location are over-kill, and describes how to kick these security measures out of the way." From the article: "Instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique which the screenshots for pointer location on-click described above was used) some banks send the PIN number in cleartext, while others encrypt them, one such example is cajamurcia. Even when the encryption is used, banks tend to implement it badly making it easy to recover the PIN number from the encrypted form. I investigated a bit more on how cajamurcia handles such PIN strokes (with virtual keyboards) and I noticed something strange, they take the timestamp of their server (cajamurcia) and send it to you - this already posses a security problem - and this timestamp is then used to encrypt the PIN number you entered"

1 of 135 comments (clear)

  1. Keyring Dongle by bonhomme_de_neige · · Score: 5, Interesting

    HSBC in Australia and SE Asia (and, it seems, with a bit of Googling, elsewhere in the world) issue with online banking accounts a device that sits on your keyring that generates a 6 digit number when the button on it is pressed, and displays that on a small screen. The number is different every time.

    When you log in or do any transaction, you are required to enter this number (along with any other credentials which are appropriate). The bank records the serial number of the dongle they gave you, and I would assume that there is some secret mathematical algorithm that allows them, knowing the serial number and the time, to calculate what number your device will display.

    If you make 3 mistakes in a row with the 6 digit code, your internet banking account is automatically locked down, and you have to contact them to unlock it.

    Now, that's a very simple trick and I can't see how a hacker / phisher would get around it. Sure they can sniff the code when I log in, but 30 seconds later it will be useless. Short of mugging me for the device on my keys (after having phished my regular login/password), they can't get in to my account. Even if I leave a session logged in and walk away, and someone else sits down at the terminal, they can look at my balance and transaction history, but can't make any transactions.

    Having used the device for a year I have to say it is remarkably convenient, and it seems immune to most of the attacks described here, and doesn't have the convenience drawbacks of one-time PIN cards. Why is HSBC still the only bank doing this?

    More info on the device: http://om.hsbc.com.au/osd/

    --
    "Why are you watching the washing machine?"
    "I love entertainment, as long as it's clean"