Hacker demos how to defeat Citibank's virtual keyboard


Summary: A security researcher in India is warning that Citibank's new virtual keyboard anti-phishing mechanism can be easily defeated.

TOPICS: Security


The feature, which is offered to some international customers (it is not available in the U.S.), lets Citibank customers launch an on-screen keyboard and click to enter their passwords instead of typing them.
The intent is to thwart keystroke loggers that harvest login credentials, but according to an advisory from a hacker known as Yash K.S., a local attacker can circumvent the mechanism by grabbing screenshots of the credentials as they are entered.
He provided a proof-of-concept demo showing how a local attacker can use Win32 APIs to capture screenshots of usernames, passwords, credit card numbers, PINs and any other mouse clicks made into the virtual keyboard.
In the example, an executable placed on the victim's machine grabs the screenshots and stores them in a hidden directory. A call-home bot then transmits the captured virtual keystrokes from the hijacked machine to a remote server controlled by the attacker. The underlying point is that a virtual keyboard only changes where the secret is observable: an attacker who can already run code on the endpoint can watch the display and the mouse as easily as the keyboard.
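To make the threat model concrete, here is an added illustration in Python of why a screenshot taken on each mouse click recovers what was entered. It is not the researcher's proof of concept and captures nothing from a real screen: the key size, the keyboard layout, the PIN and the "reshuffle the keys after every click" policy are all constructed assumptions for the demonstration. It shows that a plain click logger already defeats a keyboard whose layout never changes, and that once the attacker also records the screen at the moment of the click (what the Win32 PoC does), even a keyboard that rearranges its keys between clicks gives up the PIN.

```python
# Added illustration of the threat model in the article: it is not the
# researcher's proof of concept and captures nothing from a real screen.
# Key size, layout, PIN and the per-click reshuffle policy are constructed
# assumptions for the demonstration.

DIGITS = "1234567890"
KEY_W, KEY_H = 40, 40          # assumed key size in pixels


def layout_for(order):
    """Map each key label to its on-screen rectangle (x, y, w, h)."""
    return {c: (i * KEY_W, 0, KEY_W, KEY_H) for i, c in enumerate(order)}


def rotated(order, shift):
    """Deterministic stand-in for a randomised key order.  A real bank would
    use a random permutation; rotation keeps this example reproducible."""
    shift %= len(order)
    return order[shift:] + order[:shift]


def key_at(layout, x, y):
    """The key whose rectangle contains the click, or None if the click missed."""
    for label, (kx, ky, w, h) in layout.items():
        if kx <= x < kx + w and ky <= y < ky + h:
            return label
    return None


def click_center(layout, label):
    kx, ky, w, h = layout[label]
    return (kx + w // 2, ky + h // 2)


def victim_session(pin, reshuffle_per_click):
    """Simulate the victim entering `pin` on the virtual keyboard.

    Returns one record per click: the click coordinates (what a mouse hook
    sees) and the layout that was on screen at that instant (what a
    screenshot taken on the click event sees)."""
    trace = []
    for i, digit in enumerate(pin):
        order = rotated(DIGITS, i + 1) if reshuffle_per_click else DIGITS
        layout = layout_for(order)
        trace.append((click_center(layout, digit), layout))
    return trace


def recover_from_coordinates(trace, assumed_layout):
    """Attacker 1: logs only mouse clicks and assumes a fixed keyboard."""
    return "".join(key_at(assumed_layout, x, y) or "?" for (x, y), _ in trace)


def recover_from_screenshots(trace):
    """Attacker 2: the PoC in the article.  A screenshot on every click means
    the layout the victim saw is available alongside the coordinates."""
    return "".join(key_at(shown, x, y) for (x, y), shown in trace)


if __name__ == "__main__":
    static = victim_session("1234", reshuffle_per_click=False)
    moving = victim_session("1234", reshuffle_per_click=True)
    print("static keyboard, clicks only :", recover_from_coordinates(static, layout_for(DIGITS)))
    print("moving keyboard, clicks only :", recover_from_coordinates(moving, layout_for(DIGITS)))
    print("moving keyboard, screenshots :", recover_from_screenshots(moving))
```

Run as a script, the static keyboard leaks the PIN to a click-only logger, the rearranged keyboard turns the same click log into garbage, and the screenshot-per-click attacker reads the PIN off either one. That is exactly the gap the article describes: the on-screen keyboard is a countermeasure against a keystroke logger, not against malware that already runs with the user's privileges.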




  • Is it software?

    It can be hacked.
    • Exactly. One doesn't need to be from India to figure it out.

  • Wouldn't you notice

    Wouldn't you begin to wonder why your hard drive kept getting eaten up with screen-print-size images every time you clicked a mouse? However, I think the research is right, once your system is owned, it's owned. The security genius behind this feature needs a refresher on how computer security works. Or maybe it's just for the customer's peace of mind, kind of like selling a magic rock that keeps away polar bears. Sounds great, works most of the time...unless you live near polar bears.
    • Not if you can delete as well...

      No reason you couldn't set the bot up to delete the files as well after they've been transmitted.

      Like you said once your computer is owned ... its owned ;)
  • If you have a keylogger on your system, it's already too late

    If you already have malicious software on your computer like a keylogger, you've already lost the war. Hackers already have access to your system, and pretty much everything you're doing now is damage control. If you've got keyboard loggers on your system, it's time to reformat the hard drive and break out your backups.
  • Why is this news?

    If your system is compromised to the point where the attacker has the ability to run any desired software on your system, I really doubt that any security measure can be designed to reliably cope with that. In this case, the virtual keyboard can defeat a primitive keylogger, but it's unfair to expect it to be able to deal with the scenario where the attacker can see everything that's going on at the user's keyboard, mouse, and display.
  • Good, I have virtual keyboards

    I used to work with a bank that used these. I hated them.

    The login was your debit card number, a public, long, impossible-to-remember number, and your password was your four-digit PIN, a short, ridiculously insecure password.

    So they wanted me to type this unwieldy number using their "virtual keyboard". To add insult to the injury, they would not show the numbers typed (neither the PIN nor the card number). This would make it very easy to mistype the debit card number.

    A note to the brilliant guys who came up with these virtual keyboards. Do you know why, since the beginning of computers, passwords are not shown when typed? That's to avoid people looking over your shoulder to figure out your password. With virtual keyboards, this simple protection is gone.

    And of course they can be cracked, they have been for years.
  • Fix up the first line of defense first.

    This is exactly why I don't consider Microsoft's reduced privilege IE an indication that Microsoft is taking security seriously.

    Until they quit thinking that it's possible to use security zones in any guise... even the diluted version that .NET supports, let alone the full blown "infect me harder, mister virus" descendants of "Active Desktop"... why should anyone take them seriously. Buffer overflows are bad enough, actually creating a formal mechanism for the attacker to request a hole in the sandbox?

    You have to put up every barrier you can at the application level. Having another sandbox outside that if the attacker penetrates the first line of defense is good, but having a trap door in the sandbox is inexcusable.
    • This has nothing to do with the article

      How does IE have anything to do with this hack? This is a screen capture (virus) application that piggybacks on the mouse click event. It could work on any computer and any browser.
    • This hack would work with any ...

      ...software. Even if you were browsing the net with a DOS program and FTP'ing every website. Get over it already, this has NOTHING to do with MS. In fact, this same "technology flaw" that is being described could be applied to just about every OS. Any OS that runs programs and displays on a screen is susceptible to this hack (yup, that includes the old ATARI 2600!).
  • what about other technologies used

    Can the author throw some light on other technologies used by other banks, such as asking for random characters from the PIN and password, RSA tokens or digital certificates?
  • it's a step in the right direction,...

    I think Citi are moving in the right direction. I'm aware of screen-scraper technologies, but these are more sophisticated and more complex to perpetrate than the more common and mature keystroke logger (software and hardware based). From a purist perspective, this approach does not 'solve' the data capture problem. But no one can deny it mitigates one of the two threat vectors. As for 'shoulder surfing', I say the additional risk is negligible and does not outweigh the benefits of thwarting keystroke loggers. Anyway, one has to be right behind the person using the screen to see the many mouse moves and clicks.
  • RE: Hacker demos how to defeat Citibank's virtual keyboard

    Now, Citibank is using anti-screen-capture technology. The Win32 API can't capture the screen anymore.