Breaking e-Banking CAPTCHAs
Shujun Li
University of Konstanz
Germany
Syed Amier Haider Shah
National University of Science and Technology (NUST)
Pakistan
Muhammad Asad Usman Khan
National University of Science and Technology (NUST)
Pakistan
Syed Ali Khayam
National University of Science and Technology (NUST)
Pakistan
Ahmad-Reza Sadeghi
Ruhr-University of Bochum
Germany
Roland Schmitz, Stuttgart Media University, Germany, schmitz@hdm-stuttgart.de
Abstract:
Many financial institutions have deployed CAPTCHAs to protect their e-banking systems from automated attacks. In addition to traditional CAPTCHAs for login, CAPTCHAs are also used to prevent malicious manipulation of e-banking transactions by automated Man-in-the-Middle (MitM) attackers. Despite serious financial risks, the security of e-banking CAPTCHAs is largely unexplored. In this paper, we report the first comprehensive study on e-banking CAPTCHAs deployed around the world. A new set of image processing and pattern recognition techniques is proposed to break all e-banking CAPTCHA schemes that we have found over the Internet, including three e-banking CAPTCHA schemes for transaction verification and 41 schemes for login. These broken e-banking CAPTCHA schemes are used by a large number of financial institutions worldwide, which serve hundreds of millions of e-banking customers. The success rates of our proposed attacks are either equal to or close to 100%. We also discuss possible enhancements to these e-banking CAPTCHA schemes and show some essential difficulties of designing e-banking CAPTCHAs that are both secure and usable.
