DOI: 10.1145/1920261.1920288
Breaking e-banking CAPTCHAs

Published: 06 December 2010

Abstract

Many financial institutions have deployed CAPTCHAs to protect their services (e.g., e-banking) from automated attacks. In addition to CAPTCHAs for login, CAPTCHAs are also used to prevent malicious manipulation of e-banking transactions by automated Man-in-the-Middle (MitM) attackers. Despite the serious financial risks, the security of e-banking CAPTCHAs is largely unexplored. In this paper, we report the first comprehensive study of e-banking CAPTCHAs deployed around the world. A new set of image processing and pattern recognition techniques is proposed to break all e-banking CAPTCHA schemes that we found on the Internet, including three e-banking CAPTCHA schemes for transaction verification and 41 schemes for login. These broken e-banking CAPTCHA schemes are used by thousands of financial institutions worldwide, which serve hundreds of millions of e-banking customers. The success rates of our proposed attacks are either equal to or close to 100%. We also discuss possible improvements to these e-banking CAPTCHA schemes and show the essential difficulties of designing e-banking CAPTCHAs that are both secure and usable.

Cited By

  • (2024) ImageVeriBypasser: An image verification code recognition approach based on Convolutional Neural Network. Expert Systems. DOI 10.1111/exsy.13658. Online publication date: 25-Jun-2024
  • (2024) Image CAPTCHAs: When Deep Learning Breaks the Mold. IEEE Access, 12:112211-112231. DOI 10.1109/ACCESS.2024.3442976. Online publication date: 2024
  • (2023) Combating robocalls with phone virtual assistant mediated interaction. Proceedings of the 32nd USENIX Conference on Security Symposium, pages 463-480. DOI 10.5555/3620237.3620264. Online publication date: 9-Aug-2023
  • (2023) Exploring self-supervised learning in Multiview captcha recognition. 2023 IEEE 20th India Council International Conference (INDICON), pages 1106-1111. DOI 10.1109/INDICON59947.2023.10440750. Online publication date: 14-Dec-2023
  • (2022) Can't You Tell I am a Human? A Comparison of Common Text and Image CAPTCHAs Using a Low-Fidelity Methodology. Proceedings of the 10th International Conference on Software Development and Technologies for Enhancing Accessibility and Fighting Info-exclusion, pages 155-159. DOI 10.1145/3563137.3563179. Online publication date: 31-Aug-2022
  • (2021) A Low-Cost Attack against the hCaptcha System. 2021 IEEE Security and Privacy Workshops (SPW), pages 422-431. DOI 10.1109/SPW53761.2021.00061. Online publication date: May-2021
  • (2020) An End-to-End Attack on Text CAPTCHAs. IEEE Transactions on Information Forensics and Security, 15:753-766. DOI 10.1109/TIFS.2019.2928622. Online publication date: 2020
  • (2020) Designing a Text-based CAPTCHA Breaker and Solver by using Deep Learning Techniques. 2020 IEEE International Conference on Advances and Developments in Electrical and Electronics Engineering (ICADEE), pages 1-6. DOI 10.1109/ICADEE51157.2020.9368949. Online publication date: 10-Dec-2020
  • (2019) The Internet Banking [in]Security Spiral. Proceedings of the 14th International Conference on Availability, Reliability and Security, pages 1-10. DOI 10.1145/3339252.3340103. Online publication date: 26-Aug-2019
  • (2019) A Proposed Approach For Handling The Tradeoff Between Security, Usability, and Cost. 2019 International Conference on Computer and Information Sciences (ICCIS), pages 1-6. DOI 10.1109/ICCISci.2019.8716447. Online publication date: Apr-2019

Published In

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN:9781450301336
DOI:10.1145/1920261
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. CAPTCHA
  2. e-banking
  3. electronic commerce
  4. malware
  5. man-in-the-middle attack

Qualifiers

  • Research-article

Conference

ACSAC '10
Sponsor:
  • ACSA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%


Bibliometrics

Article Metrics

  • Downloads (last 12 months): 8
  • Downloads (last 6 weeks): 3
Reflects downloads up to 26 Dec 2024
