A brief analysis of web login security for online banking and other electronic payment platforms
Source: Internet
Author: User
Keywords: security, online banking, electronic payment platform, web login
Preface: This article was written at the beginning of last year and was withheld for security reasons. Since then some online banks have significantly lowered the transfer limit for users who do not use a higher level of security, and have advised users to adopt a dynamic password card or USB Key, so the overall safety factor has improved.

With the spread of e-commerce, online banking and online electronic payment are gradually being accepted and embraced by internet users, but the security of online banking and e-commerce payment platforms is not encouraging. Online banks do use SSL encryption to prevent passwords from being intercepted by sniffing network packets, and to prevent the web login password from being stolen they adopt a security control or a dynamic soft keyboard; however, these measures are still not comprehensive, and the password a user types can be intercepted in the appropriate way. Taking as examples the major banks (Industrial and Commercial Bank of China, Agricultural Bank of China, China Construction Bank), a commercial bank (China Merchants Bank) and electronic payment platforms such as Alibaba Alipay, this article analyses the vulnerability of client-side password entry.

Web login security of online banking and other e-commerce payment platforms is directly tied to users' economic interests, so no effort should be spared in strengthening it. Moreover, because not all users use digital certificates or U-Shield security products, a "hacker" who obtains a user's login password and payment password can transfer or pay at will, so the harm is great. This article concerns purely technical interception of passwords, not phishing methods such as fake pages or fake interfaces that trick the user into giving the password away.
Online banks use two methods to prevent password theft: security controls and dynamic soft keyboards.

1. Security controls. Typical representatives: ICBC, China Merchants Bank, Alibaba Alipay. These security controls are fairly thorough: they defend against keyboard and message hooks, and reading the password through IE's COM interface is also powerless against them. But this type of security control is not implemented at the lowest level and is not considered in depth, so a keyboard filter driver can get past the control's protection and record the password. Besides the keyboard filter driver, one can hook the keyboard entry of the IDT (Interrupt Descriptor Table), hook the keyboard driver's dispatch routines, or inline-hook the corresponding IRP dispatch function; going deeper still, i8042prt.sys itself can be hooked. Because writing a driver is different from developing an ordinary application and more difficult, no publicly known Trojan uses this technique to intercept these online banking passwords. It is not too hard to develop, however, and the keyboard filter method is relatively stable. The principle is that the driver creates a device and attaches it to the keyboard class driver kbdclass, so that every IRP (I/O request packet) is sent to the filter driver first and then passed on to the system's keyboard driver. The filter driver receives the IRP and reads the keyboard scan code, thereby obtaining keyboard input at the system kernel level.
Part of the keyboard filter driver code is as follows:

    #include <ntddk.h>

    /* The device extension layout is not shown in the original fragment; it is
       assumed to hold only the pointer to the keyboard device we attach to. */
    typedef struct _DEVICE_EXTENSION {
        PDEVICE_OBJECT pKeyboardDevice;
    } DEVICE_EXTENSION, *PDEVICE_EXTENSION;

    NTSTATUS HookKeyboard(IN PDRIVER_OBJECT pDriverObject)
    {
        PDEVICE_OBJECT pKeyboardDeviceObject;

        /* Create the filter device object with room for the extension. */
        NTSTATUS status = IoCreateDevice(pDriverObject, sizeof(DEVICE_EXTENSION), NULL,
                                         FILE_DEVICE_KEYBOARD, 0, TRUE, &pKeyboardDeviceObject);
        if (!NT_SUCCESS(status))
            return status;

        pKeyboardDeviceObject->Flags |= (DO_BUFFERED_IO | DO_POWER_PAGABLE);
        pKeyboardDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

        RtlZeroMemory(pKeyboardDeviceObject->DeviceExtension, sizeof(DEVICE_EXTENSION));
        PDEVICE_EXTENSION pKeyboardDeviceExtension =
            (PDEVICE_EXTENSION)pKeyboardDeviceObject->DeviceExtension;

        /* Name of the keyboard class device to attach to. */
        CCHAR ntNameBuffer[64] = "\\Device\\KeyboardClass0";
        STRING ntNameString;
        UNICODE_STRING uKeyboardDeviceName;
        RtlInitAnsiString(&ntNameString, ntNameBuffer);
        RtlAnsiStringToUnicodeString(&uKeyboardDeviceName, &ntNameString, TRUE);

        /* Attach above kbdclass so its IRPs pass through this device first. */
        status = IoAttachDevice(pKeyboardDeviceObject, &uKeyboardDeviceName,
                                &pKeyboardDeviceExtension->pKeyboardDevice);
        RtlFreeUnicodeString(&uKeyboardDeviceName);
        return status;
    }

The following demonstrates the program against ICBC's online banking. For the demonstration, the driver prints the captured keyboard records in real time and also writes the complete record to a file on disk. China Merchants Bank, Alibaba Alipay and the others give the same result, and payment passwords can be intercepted in the same way.

[Figure 1: information printed in real time during interception]

[Figure 2: the complete information recorded in the file]

Using email or an ASP/PHP message, the password can be retrieved remotely.
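From the defender's side, the point of attack described above is a third-party device sitting in the keyboard class driver stack. The following PowerShell check is an added example, not code from the article: it lists the upper filter drivers registered on the keyboard device class and the running kernel drivers that are unsigned or live outside the system driver directory. The class GUID is the standard Windows keyboard class; the expectation that only kbdclass is registered is an assumption that must be adjusted on machines with legitimate keyboard filters.

```powershell
# Added defensive check (not part of the original article). Lists keyboard
# class upper filters and suspicious running kernel drivers.
$KeyboardClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$ClassKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$KeyboardClassGuid"
# Assumption: on a clean machine the only registered upper filter is kbdclass.
$ExpectedFilters = @('kbdclass')

$filters = (Get-ItemProperty -Path $ClassKey -ErrorAction Stop).UpperFilters
foreach ($f in $filters) {
    if ($ExpectedFilters -notcontains $f) {
        Write-Warning "Unexpected keyboard upper filter registered: $f"
    }
}

# A filter attached at runtime with IoAttachDevice needs no registry entry,
# so also review the loaded drivers themselves: flag any running driver whose
# image is outside System32\drivers or does not carry a valid signature.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style path prefixes WMI reports for some drivers.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $path.StartsWith($driverDir, 'OrdinalIgnoreCase') -or
            $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Signature = if ($sig) { $sig.Status } else { 'NotFound' }
            }
        }
    } | Format-Table -AutoSize
```

The registry and signature checks are a first pass only; the authoritative view of what is actually attached above kbdclass is the live device stack, which a kernel debugger shows with `!devstack` on the keyboard class device object.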
2. Dynamic soft keyboards. Typical representatives: China Construction Bank, Bank of China, Agricultural Bank of China. At first glance the dynamic soft keyboard really does stop an attacker from intercepting the password, but keyboard logging is not the only way to intercept a password: it can also be obtained through IE's COM interface. For China Construction Bank, the content of the password box read through IE's COM interface is the password itself, and most other sites that use soft keyboard technology behave the same way. The Agricultural Bank of China's web program does a little processing: what the mouse clicks on the soft keyboard put into the box is not the actual password but the button's serial number. So the program enumerates the current window, and when it finds the Agricultural Bank's online banking page it automatically takes a screenshot; mapping the captured image against the serial pseudo-password obtained via IE's COM interface (abstractly, a simple function mapping) is easy, and this yields the bank's online banking password. Figure 3 is a screenshot of the demo intercepting the CCB online banking password; other sites using dynamic soft keyboards are affected in the same way. (Extension: the soft keyboards of some applications can be intercepted with a similar screenshot method by hooking TextOutW/A.)

[Figure 3: demo intercepting the CCB online banking password]

Postscript: Although online banking and other electronic payment platforms have given thought to password security, they are still not safe enough. That does not mean we cannot use online banking: security measures such as digital certificates and USB Keys (e.g. U-Shield) are relatively safe.
Responsible editor: Zhao Zhaoyi (51cto.com)