Annual Computer Security Applications Conference 2010

Breaking e-Banking CAPTCHAs

Shujun Li
University of Konstanz

Syed Amier Haider Shah
National University of Science and Technology (NUST)

Muhammad Asad Usman Khan
National University of Science and Technology (NUST)

Syed Ali Khayam
National University of Science and Technology (NUST)

Ahmad-Reza Sadeghi
Ruhr-University of Bochum

Roland Schmitz
Stuttgart Media University

Many financial institutions have deployed CAPTCHAs to protect their e-banking systems from automated attacks. In addition to traditional CAPTCHAs for login, CAPTCHAs are also used to prevent malicious manipulation of e-banking transactions by automated Man-in-the-Middle (MitM) attackers. Despite the serious financial risks, the security of e-banking CAPTCHAs is largely unexplored. In this paper, we report the first comprehensive study of e-banking CAPTCHAs deployed around the world. A new set of image processing and pattern recognition techniques is proposed to break all e-banking CAPTCHA schemes that we have found on the Internet, including three e-banking CAPTCHA schemes for transaction verification and 41 schemes for login. These broken e-banking CAPTCHA schemes are used by a large number of financial institutions worldwide, which serve hundreds of millions of e-banking customers. The success rate of our proposed attacks is either equal to or close to 100%. We also discuss possible enhancements to these e-banking CAPTCHA schemes and show some essential difficulties in designing e-banking CAPTCHAs that are both secure and usable.
