A researcher recently pointed out that malware exists which can intercept a PIN entered by mouse clicks just as easily as one typed on the keyboard.

In some countries outside the US, Citibank offers a login option in which, instead of typing the PIN on the keyboard, an image of a keyboard is shown on screen and the user enters the PIN by clicking it with the mouse.

See the material below for details.

Hacking Citibank's Virtual Keyboard

A researcher points out that malware can just as easily capture mouse-clicked PINs as those entered at the keyboard.
In some countries outside of the US, Citibank has a login option to enter your PIN by clicking on the display of a keyboard rather than with the physical keyboard.
Perhaps the idea is to defeat keyloggers, but a researcher has demonstrated that it's easy for malware to capture the PIN anyway.
The technique, posted on the popular Bugtraq mailing list, generated some scorn from readers (not an unusual result on Bugtraq).
The two main complaints, both true, are that a) the attack presumes that malware has already been installed on the system; and b) this is an old technique - consider this almost identical thread on Bugtraq from 2005.
The technique, which has been used in some malware for years, is to take a screen shot when the mouse is clicked, noting the coordinates of the click.
It's true that to execute this attack, the attacker needs to have the program installed on the system already, a formidable barrier to entry, but not when you consider the point of the virtual keyboard: an attacker would only put a user through this if he/she suspected they may already have a keylogger on their system.
The feature is designed for already-infected systems.
Posted by 문스랩닷컴