Hacking Citibank's Virtual Keyboard

May 12, 2007

A researcher points out that malware can just as easily capture mouse-clicked PINs as those entered at the keyboard.

In some countries outside of the US, Citibank has a login option to enter your PIN by clicking on the display of a keyboard rather than with the physical keyboard.

Perhaps the idea is to defeat keyloggers, but a researcher has demonstrated that it's easy for malware to capture the PIN anyway.

The technique, posted on the popular Bugtraq mailing list, generated some scorn from readers (not an unusual result on Bugtraq). The two main complaints, both true, are that a) the attack presumes that malware has already been installed on the system; and b) this is an old technique - consider this almost identical thread on Bugtraq from 2005.

The technique, which has been used in some malware for years, is to take a screen shot when the mouse is clicked, noting the coordinates of the click. It's true that to execute this attack, the attacker needs to have the program installed on the system already, a formidable barrier to entry, but not when you consider the point of the virtual keyboard: an attacker would only put a user through this if he/she suspected they may already have a keylogger on their system. The feature is designed for already-infected systems.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: Aircraft set for minute-by-minute tracking

add to favorites email to friend print save as pdf

Related Stories

Recommended for you

Aircraft set for minute-by-minute tracking

12 hours ago

All commercial flights worldwide could soon send out an automated signal every minute in times of distress to help rescuers find downed aircraft more easily.

2011 vehicle models with highest and lowest death rates

Jan 29, 2015

The Insurance Institute for Highway safety examined fatalities involving 2011 model year vehicles, looking at how many driver fatalities occurred in a particular model over the course of a year of operation, expressed as ...

Obama sees need to move on drone rules now (Update)

Jan 27, 2015

President Barack Obama says the wayward quadcopter that crashed on the White House grounds—flown by an off-duty intelligence employee—shows that the U.S. must take steps to ensure commercial and consumer ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.