Re: Defeating Citibank Virtual Keyboard protection using screenshot method
On 5/11/07, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx> wrote:
Sure, they're a lot more expensive and a lot more "high-tech" but
unless they are doing end-to-end client and server authentication and
strong crypto _AND_ have their own input and output devices that cannot
be interfaced from the host OS _AND_ are required for verifying
(virtually) every step of every transaction (in other words -- if you
have any of the real-world implementations of banking OTP cards used
anywhere in the world, the answer is "no"), they are effectively no
better than the Citi OSK's as they are trivially MiTM'ed via on-client
malware.
This actually isn't that hard to do properly and I already see some
banks doing it.
The key here is to tell the user what's going on an off the band method.
In other words, once a user decided to make a transaction, the bank
sends a challenge *and* transaction details *somehow* to him. The user
has to confirm the transaction by entering the proper challenge.
The "somehow" method can vary, but it looks that sending SMS messages
is hte most acceptable method today.
So, the user gets an SMS message with the challenge code and the
transaction details and enters that into his web browser. The attacker
behind his MiTM can't do anything - if he changes the transaction
before, the user will (hopefully) see it. If he changes the challenge,
the transaction will fail.
Cheers,
Bojan