Re: Defeating Citibank Virtual Keyboard protection using screens

Board: Bugtraq. Posted 18 years ago (2007/05/18 05:24). Upvotes: 0. Comments: 0 (0 participants). Message 14 of 14 in thread.
Aditya,

On 5/18/07, aditya kuppa <aditya1010@gmail.com> wrote:
> How about this Trojan ;)
> http://www.hispasec.com/laboratorio/troyano_video_en.htm
> Looks like a great method to get the password if the inputs are
> scrambled, rotated randomly after each entry, etc.
> A combination of a trojan like this + a simple keylogger + a MITM can defeat
> all possible authentication mechanisms: multi-factor, channel
> authentications like OTP, SMS-based logging, etc.

Cute trojan; however, it cannot defeat an out-of-band challenge such as SMS, unless it is not properly implemented or the attacker has much more under his control (in which case he doesn't really need to defeat this at all).

The idea of the out-of-band challenge is that the user (the victim) will receive an SMS message which states exactly what is happening, together with the authorization code. The code has to be unique, and the bank has to calculate the code depending on the transaction and some secret (an MD5 hash would be enough). An example of such an SMS message would be:

"You are about to transfer $100 to account number 12345678. Your authorization code is: 9876543"

Now the user has to enter this on the bank web site to complete the transaction. If he doesn't do it within a certain time interval, the transaction is denied. If the authorization code is not correct, the transaction is denied.

If the attacker changes anything through the MITM, the user will see it in the SMS message. If the attacker captures the user's login credentials and tries to do this later (when the user is offline), the user would receive the SMS message (which would hopefully alert him) and the attacker would have to guess the authorization code to complete the transaction (the bank can implement a lockout, for example, if 3 incorrect authorization codes have been entered).

As you can see, this defeats all attacks. The attacker would have to hack the SMS gateway/telco in order to modify the SMS messages sent, which is almost impossible or impractical.

Cheers,

Bojan
Article ID (AID): #16JCVv00 (Bugtraq)
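The out-of-band scheme Bojan describes, as an added example written for this page (it is not code from the post, from Bojan, or from any bank). It models both sides: the bank derives a one-time code from the transaction fields, a per-transaction nonce and a server secret, sends an SMS in the post's format, enforces the time window and the three-strike lockout, and consumes the code on first use; the user side parses the SMS and refuses to type the code if the destination or amount differs from what was intended, which is the step that exposes an in-browser MITM. The post says an MD5 hash of the transaction and a secret would be enough; the HMAC-SHA256, the nonce, the 120-second window and the `OutOfBandAuthorizer`, `parse_sms` and `user_checks_sms` names are this example's own choices. The scenario data (user "alice", account numbers, amounts, the server secret) is constructed.

```python
"""Out-of-band SMS transaction authorization, as sketched in the post.

Bank side: derive a short code from (transaction, per-transaction nonce,
server secret), send an SMS that spells out the transaction, accept the
transaction only if the correct code comes back inside the time window,
and lock out after too many wrong codes.
User side: read the SMS and refuse to type the code if the details differ
from what was intended (this human check is what defeats a browser MITM).
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 7          # the post's example code "9876543" has 7 digits
CODE_TTL_SECONDS = 120   # assumed window; the post leaves the interval unspecified
MAX_ATTEMPTS = 3         # the post's example lockout threshold


@dataclass(frozen=True)
class Transaction:
    user: str
    dest_account: str
    amount_cents: int


@dataclass
class PendingAuth:
    txn: Transaction
    nonce: bytes
    created_at: float
    attempts: int = 0


class OutOfBandAuthorizer:
    """Bank-side state for one-time transaction codes (hypothetical class)."""

    def __init__(self, server_secret: bytes, clock=time.time, rng=secrets.token_bytes):
        self.secret = server_secret
        self.clock = clock          # injectable so expiry can be exercised offline
        self.rng = rng              # injectable nonce source, same reason
        self.pending: dict[str, PendingAuth] = {}
        self.sent_sms: list[tuple[str, str]] = []  # stand-in for the SMS gateway

    def code_for(self, txn: Transaction, nonce: bytes) -> str:
        # Keyed hash over the exact transaction fields plus a fresh nonce; the
        # post suggests MD5(transaction + secret), HMAC-SHA256 is this example's
        # choice. Truncating to CODE_DIGITS decimal digits keeps it typeable.
        msg = b"|".join([txn.user.encode(), txn.dest_account.encode(),
                         str(txn.amount_cents).encode(), nonce])
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:8], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"

    def start(self, txn_id: str, txn: Transaction) -> str:
        """Record the transaction exactly as the bank received it and send the SMS."""
        p = PendingAuth(txn, self.rng(16), self.clock())
        self.pending[txn_id] = p
        text = (f"You are about to transfer ${txn.amount_cents / 100:.2f} "
                f"to account number {txn.dest_account}. "
                f"Your authorization code is: {self.code_for(txn, p.nonce)}")
        self.sent_sms.append((txn.user, text))
        return text

    def complete(self, txn_id: str, submitted_code: str) -> str:
        """Verify the code the user typed into the web site."""
        p = self.pending.get(txn_id)
        if p is None:
            return "denied: no pending transaction"   # unknown id, or already used
        if self.clock() - p.created_at > CODE_TTL_SECONDS:
            del self.pending[txn_id]
            return "denied: expired"
        # Recomputed over the stored transaction, so a code captured by a
        # keylogger is useless for any other amount or destination.
        if hmac.compare_digest(self.code_for(p.txn, p.nonce), submitted_code):
            del self.pending[txn_id]                   # one-time use
            return "approved"
        p.attempts += 1
        if p.attempts >= MAX_ATTEMPTS:
            del self.pending[txn_id]
            return "denied: locked out"
        return "denied: wrong code"


SMS_RE = re.compile(r"transfer \$([\d.]+) to account number (\d+)\. "
                    r"Your authorization code is: (\d+)$")


def parse_sms(text: str) -> dict:
    """User-side parse of the bank's SMS (format assumed from the post's example)."""
    m = SMS_RE.search(text)
    if m is None:
        raise ValueError("unrecognized SMS format")
    return {"amount_cents": int(round(float(m.group(1)) * 100)),
            "dest_account": m.group(2), "code": m.group(3)}


def user_checks_sms(text: str, intended_dest: str, intended_amount_cents: int) -> bool:
    """True only if the SMS describes the transfer the user actually intended."""
    p = parse_sms(text)
    return p["dest_account"] == intended_dest and p["amount_cents"] == intended_amount_cents


if __name__ == "__main__":
    bank = OutOfBandAuthorizer(b"constructed server secret")
    # Constructed scenario: the victim intends $100 to 12345678, but a MITM in
    # the browser rewrote the destination before the request reached the bank.
    sms = bank.start("txn-1", Transaction("alice", "99999999", 10000))
    print(sms)
    print("user would notice tampering:", not user_checks_sms(sms, "12345678", 10000))
```

The three attacks from the post map onto the code directly: a MITM that alters the request makes `user_checks_sms` fail because the SMS describes the altered transfer; replaying stolen credentials later still triggers the SMS and leaves the attacker guessing a 7-digit code with three tries before `complete` returns the lockout; and a code lifted by a keylogger is bound to the stored transaction and consumed on first use, so it cannot be reused for a different transfer.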