
citiBypass.txt

Posted Aug 6, 2005
Authored by Debasis Mohanty | Site hackingspirits.com

Write up discussing a methodology to bypass Citibank Virtual Keyboard Protection, a mechanism to help protect against keyloggers and spyware.

tags | advisory
SHA-256 | 0bf50c337ec9fbe542418f18b4fc538ccfdf1b3d1c5af837b01094ce509c4ddd

Recently I discovered a method to defeat the much-hyped Citi-Bank Virtual
Keyboard Protection, which the bank claimed defends its customers against
malicious programs such as keyloggers, Trojans and spyware.

The details follow.

Description:
Early this year, Citi-Bank introduced the concept of a Virtual Keyboard to
defend against malicious programs such as keyloggers, Trojans and spyware.
The bank claimed that this concept would improve the security of those using
its Internet banking facilities. The advertised features of this Virtual
Keyboard are:

. The Virtual Keyboard is dynamic
. The sequence in which the numbers appear changes every time the page is
refreshed
. The Virtual Keyboard protects you from malicious 'Spy Ware' and
'Trojan Programs' designed to capture your keystrokes
. The Virtual Keyboard eliminates this risk, makes your Citibank login that
much safer and provides for a secure online banking experience

However, the Virtual Keyboard concept can be easily defeated by using Win32
APIs to access the HTML document, so that the entered values are read from
the page itself rather than from keystrokes. Refer to the PoC (Proof of
Concept) section for more details.

Criticality: High

Platform: Windows XP (SP2) + IE 6.0

Note: This PoC applies only to Internet Explorer users.

Proof of Concept:
Here I shall demonstrate how easily the Virtual Keyboard can be defeated by
a simple program. I created a small program in VB 6.0 (called
CitiPassLogger.exe) which can record not only the 16-digit credit card
number but also the IPIN, even when they are entered using the virtual
keyboard.

Currently, this program has been developed to log only the IPIN details of
Citi-Bank India, but the code can be modified to work universally for
all the Citi-Bank sites with Virtual Keyboard login.

To my knowledge, there are no keyloggers or spyware in the wild that use any
technique to defeat virtual keyboards. However, the technique that I am
going to discuss here can be used by malicious program writers to write
next-generation viruses / worms to defeat such virtual keyboard protections.
Hence, I hope people who are using Virtual Keyboards will not be
over-confident in them.

Download the complete PoC and the tool from the following link:
http://www.hackingspirits.com/vuln-rnd/defeat-citibank-vk.zip

For more vulnerabilities, visit
http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html


History:
3rd August, 2005: Vendor was contacted, but no response has been received as of today.


Cheers,
Debasis Mohanty (a.k.a Tr0y)
www.hackingspirits.com
