Defeating Image Based Virtual Keyboards and Phishing Banks

Recently, I stumbled upon which nicely showed how a Trojan horse can, utilizing a key stroke capture and screenshot capture, grab a userís PIN, fairly easily, and wondered why are they taking this approach when the PINs can be easily retrieved by sniffing the data sent by the user to the banking site, even though they are "encrypted".

Image based keyboard (or virtual keyboards) were invented to make life harder for banking or phishing Trojan horses (specifically key-stroke loggers or key loggers), some even suggested they be used specifically to avoid these Trojan horses. The bad guys adapted to this technology and escalated. Now the Trojan horses take screenshots of where the mouse pointer is to determine what number they clicked on. Thing is, it is often unnecessary as in most implementations of this technique that we looked into (meaning, not all) it was flawed. SecuriTeam Blogs Ľ Defeating Image-Based Virtual Keyboards and Phishing Banks

Linked by shanmuga Monday, 27th November 2006 11:12PM