BugTraq
Defeating Citi-Bank Virtual Keyboard Protection Aug 05 2005 07:55PM
Debasis Mohanty (debasis hackingspirits com) (3 replies)
Re: [DCC SPAM] Defeating Citi-Bank Virtual Keyboard Protection Aug 08 2005 06:25AM
Secure Science Corporation Bugtraq (bugtraq securescience net)
Re: Defeating Citi-Bank Virtual Keyboard Protection Aug 06 2005 05:50AM
AsTriXs (astrixs gmail com)
Re: Defeating Citi-Bank Virtual Keyboard Protection Aug 05 2005 11:11PM
Daniel Bonekeeper (thehazard gmail com)
First, it seems that this kind of "virtual keyboard" is, by design, weak.
The data posted to the webserver is the same as the content of the
IPIN field (there is no encoding or anything else to mask what
was typed). A more secure example of a virtual keyboard can be found
at:

https://www2.bancobrasil.com.br/aapf/aai/login.pbk

On this form, the "virtual keyboard" is a Java applet that can receive
a variable amount of digits, and when a POST is requested, the typed
data is encoded in some way... So, a PIN like "123456" is sent as
"EISYWb", as we can see at "senhaConta":

POST /aapf/aai/login.pbk HTTP/1.1
Host: www2.bancobrasil.com.br
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

titular=01&numeroContratoOrigem=431231&dependenciaOrigem=3123123123&senhaConta=EISYWb&botaoOk.x=&numCod=2&valorContr=4&botaoEntra.x=20&botaoEntra.y=8&paginaComErro=false

And after that, if we post the same PIN, we're gonna get something
different like "EIQTUe", which means that neither looking at the HTML
source code, looking for field values, hooking the keyboard nor trapping
the data that is being posted will work in that case. It's not a 100% safe
method, but it is safer than the Indian CitiBank virtual keyboard.

--
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
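
One way to get the property described in the message above (the posted value is not the PIN and changes on every submission), as an added example that is not part of the original post and is not Banco do Brasil's encoding, which the page does not document. It assumes the server shuffles the keypad on each page load and the browser posts button positions; KeypadSession, user_clicks, demo and the slot labels are hypothetical names.

```python
import secrets

DIGITS = "0123456789"
SLOTS = "ABCDEFGHIJ"  # on-screen button positions; labels constructed for this example


class KeypadSession:
    """Server-side state for one rendering of the login form (hypothetical design)."""

    def __init__(self, rng=None):
        rng = rng or secrets.SystemRandom()
        shuffled = list(DIGITS)
        rng.shuffle(shuffled)
        # slot label -> digit drawn on that button, for this page load only
        self.layout = dict(zip(SLOTS, shuffled))
        self.spent = False

    def decode(self, posted):
        """Translate the posted slot labels back to the PIN, exactly once."""
        if self.spent:
            raise ValueError("keypad layout already used; replay rejected")
        self.spent = True  # burn the layout even if validation fails below
        if not posted or any(ch not in self.layout for ch in posted):
            raise ValueError("posted value is not a sequence of slot labels")
        return "".join(self.layout[ch] for ch in posted)


def user_clicks(session, pin):
    """Simulate the user finding each digit on the rendered keypad and clicking it.
    The browser posts only the slot labels, never the digits."""
    slot_of = {digit: slot for slot, digit in session.layout.items()}
    return "".join(slot_of[d] for d in pin)


def demo(pin="123456", loads=5):
    """Return the posted values for the same PIN over several page loads."""
    posted = []
    for _ in range(loads):
        session = KeypadSession()
        wire = user_clicks(session, pin)
        assert session.decode(wire) == pin  # server recovers the PIN
        posted.append(wire)
    return posted


if __name__ == "__main__":
    for value in demo():
        print("senhaConta =", value)
```
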
