Hacking Citibank's Virtual Keyboard

May 12, 2007

A researcher points out that malware can just as easily capture mouse-clicked PINs as those entered at the keyboard.

In some countries outside of the US, Citibank has a login option to enter your PIN by clicking on the display of a keyboard rather than with the physical keyboard.

Perhaps the idea is to defeat keyloggers, but a researcher has demonstrated that it's easy for malware to capture the PIN anyway.

The technique, posted on the popular Bugtraq mailing list, generated some scorn from readers (not an unusual result on Bugtraq). The two main complaints, both true, are that a) the attack presumes that malware has already been installed on the system; and b) this is an old technique - consider this almost identical thread on Bugtraq from 2005.

The technique, which has been used in some malware for years, is to take a screen shot when the mouse is clicked, noting the coordinates of the click. It's true that to execute this attack, the attacker needs to have the program installed on the system already, a formidable barrier to entry, but not when you consider the point of the virtual keyboard: an attacker would only put a user through this if he/she suspected they may already have a keylogger on their system. The feature is designed for already-infected systems.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: Privacy groups take 2nd hit on license plate data

add to favorites email to friend print save as pdf

Related Stories

Recommended for you

Privacy groups take 2nd hit on license plate data

Sep 19, 2014

A California judge's ruling against a tech entrepreneur seeking access to records kept secret in government databases detailing the comings and goings of millions of cars in the San Diego area via license plate scans was ...

Scots' inventions are fuel for independence debate

Sep 17, 2014

What has Scotland ever done for us? Plenty, it turns out. The land that gave the world haggis and tartan has produced so much more, from golf and television to Dolly the Sheep and "Grand Theft Auto."

White House backs use of body cameras by police

Sep 16, 2014

Requiring police officers to wear body cameras is one potential solution for bridging deep mistrust between law enforcement and the public, the White House said, weighing in on a national debate sparked by the shooting of ...

Chinese city creates cellphone sidewalk lane

Sep 15, 2014

Taking a cue from an American TV program, the Chinese city of Chongqing has created a smartphone sidewalk lane, offering a path for those too engrossed in messaging and tweeting to watch where they're going.

Coroner: Bitcoin exchange CEO committed suicide

Sep 15, 2014

A Singapore Coroner's Court has found that the American CEO of a virtual currency exchange committed suicide earlier this year in Singapore because of work and personal issues.

User comments : 0