Trails:

Cyberspace of Shujun LI >> eBankingCAPTCHAs

Shortcuts

Title Page

Breaking e-Banking CAPTCHAs

Shujun Li1, Syed Amier Haider Shah2, Muhammad Asad Usman Khan2, Syed Ali Khayam2, Ahmad-Reza Sadeghi3 and Roland Schmitz4

1 University of Konstanz, Germany
2 National University of Science and Technology (NUST), Pakistan
3 Ruhr-University of Bochum, Germany
4 Stuttgart Media University, Germany


© ACM (2010). This is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version has been published by ACM in Proceedings of 26th Annual Computer Security Applications Conference (ACSAC 2010, Austin, Texas, USA, December 6-10, 2010), pp. 171-180.

Abstract

Many financial institutions have deployed CAPTCHAs to protect their e-banking systems from automated attacks. In addition to traditional CAPTCHAs for login, CAPTCHAs are also used to prevent malicious manipulation of e-banking transactions by automated Man-in-the-Middle (MitM) attackers. Despite serious financial risks, security of e-banking CAPTCHAs is largely unexplored. In this paper, we report the first comprehensive study on e-banking CAPTCHAs deployed around the world. A new set of image processing and pattern recognition techniques is proposed to break all e-banking CAPTCHA schemes that we have found over the Internet, including three e-banking CAPTCHA schemes for transaction verification and 41 schemes for login. These broken e-banking CAPTCHA schemes are used by a large number of financial institutions worldwide, which are serving hundreds of millions of e-banking customers. The success rate of our proposed attacks are either equal to or close to 100%. We also discuss possible enhancements to these e-banking CAPTCHA schemes and show some essential difficulties of designing e-banking CAPTCHAs that are both secure and usable.

Links

e-Banking CAPTCHAs

CAPTCHAs have been widely deployed by many financial institutions around the world to protect their customers from automated online password attacks. Some financial institutions have also deployed CAPTCHAs for transaction verification, whose aim is to defeat automated Man-in-the-Middle (MitM) attack. As far as we know, there is no public report about deployment of different e-banking security measures in the world banking sector. To check how many financial institutions have deployed e-banking CAPTCHAs, we looked into the Web sites of many financial institutions around the world. The following is a summary of e-banking CAPTCHAs we found and analyzed in this research. Note: We choose not to reveal the names of all the affected banks to protect their e-banking systems and their customers.

Basic Tools Used for Our Attacks

The tools we used for developing our attacks are well-established image processing and pattern recognition techniques, mainly including the following: Two training-free pattern recognition methods were used for character recognition: The following figure shows how these tools are used for breaking e-banking CAPTCHAs.

Our Results

All of our attacks were mainly implemented in MATLAB, a compiled programming language and an interactive programming environment. Part of the program was written in Java and C to overcome some functional limitations of MATLAB, which is then incorporated into our main code via MATLAB's external interfaces for Java and C.

Breaking a German e-banking CAPTCHA Scheme

We developed two practical attacks on an e-banking CAPTCHA scheme used by around 800 German banks. The success rates of both attacks are 100% for 100 test images we collected from real bank accounts.

Note: This e-banking CAPTCHA scheme has a specific name. To avoid exposing the name of the affected banks, we use "GeCaptcha" (German e-banking CAPTCHA) as the pseudonym of this scheme.

How does GeCaptcha work?

Before the user can make any online transactions, he/she will get a paper list of n TANs from the bank. The following shows how a GeCaptcha image looks like. The eight big digits in the background compose the user's birthday "14.10.1978". English translations of the three text lines are as follows:

Inpainting based atatck

The first attack is based on image inpainting, which remove the real transaction data and repalce them with fake ones. This attack can run in real time. The average running time is around 250ms. A forged image with this attack is shown as follows.



Recognition based atatck

The second attack is based on character recognition, which recognize the user's birthday first offline and then forge fake GeCaptcha images based on other known information (in an online mode). CW-SSIM is used to build the recognizer. The online attack part can run in real time, and the average running time is around 190ms. The offline attack part is relatively slow (around 5 seconds).

The segmented birthday from the above GeCaptcha image is shown in the following. It can be correctly recognized as "14.10.1978".



A forged image with this attack is shown as follows.

Breaking a Chinese e-banking CAPTCHA for transaction verification

A major Chinese bank has deployed a CAPTCHA scheme for transaction verification. This scheme is similar to but simpler than GeCaptcha.

We developed one practical attack on this Chinese e-banking CAPTCHA scheme. We tested the attack on 100 test images we collected from a real bank account, and achieved a success rate of 100%. The attack can run in real time and the average running time is less than 150ms.

How does this CAPTCHA work?

One CAPTCHA image collected from a real bank account is shown as follows. Here, the TAN is 1670. English translations of the three texts lines are as follows:

Recognition attack

Since the TAN is part of the receiver's account, the image inpainting based attack on iTANplus does not work here. But the recognition based attack still works. Instead of CW-SSIM, 2-D correlation is used to build the recognizer.

The following is the TAN digits segmented from the above CAPTCHA image, which can be easily recognized as "1670" by a coorelation-based method.

Breaking another Chinese e-banking CAPTCHA for transaction verification

Another major Chinese bank has also deployed a CAPTCHA scheme for transaction verification. This scheme is also similar to and simpler than iTANplus.

The two attacks on GeCaptcha can both be generalized to break this Chinese CAPTCHA scheme. The generalized attacks can both achieve a success rate of 100% on 103 test images collected from real bank accounts.

How does this CAPTCHA work?

A CAPTCHA image collected from a real bank account is shown as follows. Here, the TAN is 37623. English translations of the four text lines are as follows:

Inpainting based attack

This attack can run in real time and the average running time is around 200ms. The following is a forged image with this attack.



Recognition based attack

This attack is relatively slow, and the average running time is around 6-7 seconds. Note that this attack does not need to be in real time, because the CAPTCHA challenges are supposed to be solved by (slow) human users. The following is the segmented TAN from the above CAPTCHA image, which can be correctly recognized as "37623".

Breaking login CAPTCHAs

We have also developed segmentation attacks on all e-banking login CAPTCHA schemes we found. For each scheme, we tested each segmentation attack on at least 60 test images to confirm their robustness. The following is a table of all e-banking login CAPTCHA schemes we have analyzed.






Financial institution(s)/e-banking login CAPTCHA schemeCAPTCHA image(s)Segmentation result(s)Tool(s) used, Weakness(es) exploitedSuccess rate





13 German banks PIC PIC 3-means clustering, morphological operations 6060 = 100%





Hundreds other German banks PIC PIC 2-means clustering, line detection, image inpainting 6060 = 100%





A Swiss bank with branches in Europe, Asia, North America and Africa (a Pakistani bank is also using the same system) PIC PIC 2-means clustering 6060 = 100%





A bank based in Latin America with branches in Europe, Asia, Australasia and Africa PIC PIC PIC PIC PIC PIC PIC PIC 2-means clustering 6363 = 100%





Old CAPTCHA scheme of the above bank PIC PIC 2-means clustering 6060 = 100%





US e-banking CAPTCHA 1* PIC PIC 2/3-means clustering, line detection, image inpainting 209209 = 100%





US e-banking CAPTCHA 2* PIC PIC 4-means clustering, morphological operations 7171 = 100%





US e-banking CAPTCHA 3* PIC PIC morphological operations, static color of foreground 6060 = 100%





US e-banking CAPTCHA 4* PIC PIC 3-means clustering 115115 = 100%





US e-banking CAPTCHA 5* PIC PIC 3-means clustering 9292 = 100%





US e-banking CAPTCHA 6* PIC PIC 2-means clustering 6161 = 100%





US e-banking CAPTCHA 7* PIC PIC 2/3-means clustering 6060 = 100%





A CU in Australia PIC PIC 3-means clustering, morphological operations 6060 = 100%





Another Two CUs in Australia PIC PIC 3-means clustering, morphological operations 6061 98.4%





Yet another CU in Australia PIC PIC 3-means clustering, morphological operations 6060 = 100%





Chinese e-banking CAPTCHA 1 PIC PIC 3-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 2 PIC PIC 2-means clustering, image inpainting, static color of noises 6060 = 100%





Chinese e-banking CAPTCHA 3 PIC PIC 4-means clustering, morphological opening 6262 = 100%





Chinese e-banking CAPTCHA 4 PIC PIC morphological cleaning, character intensity < 120 6161 = 100%





Chinese e-banking CAPTCHA 5 PIC PIC 3-means clustering, morphological cleaning 5960 98.3%





Chinese e-banking CAPTCHA 6 PIC PIC static colors of foreground, background and noises 6161 = 100%





Chinese e-banking CAPTCHA 7 PIC PIC grayscale foreground vs. colored noises 6060 = 100%





Chinese e-banking CAPTCHA 8 PIC PIC 2-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 9 PIC PIC 2-means clustering, morphological opening 6161 = 100%





Chinese e-banking CAPTCHA 10 PIC PIC 2-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 11 PIC PIC 2-means clustering 6464 = 100%





Chinese e-banking CAPTCHA 12 PIC PIC segmentation labels available as color indices 6464 = 100%





Chinese e-banking CAPTCHA 13 PIC PIC 3-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 14 PIC PIC morphological operation, foreground intensity always darker than 128 6060 = 100%





Chinese e-banking CAPTCHA 15 PIC PIC 2-means clustering 110110 = 100%





Chinese e-banking CAPTCHA 16 PIC PIC 2/3-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 17 PIC PIC 2-means clustering 6262 = 100%





Chinese e-banking CAPTCHA 18 PIC PIC 2-means clustering, morphological operations 5861 95.1%





Chinese e-banking CAPTCHA 19 (deployed by two banks) PIC PIC 3-means clustering, morphological filling 6363 = 100%





Chinese e-banking CAPTCHA 20 PIC PIC 2-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 21 (deployed by four banks) PIC PIC 3-means clustering 6161 = 100%





Chinese e-banking CAPTCHA 22 PIC PIC 2-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 23 PIC PIC 2-means clustering 6060 = 100%





Chinese e-banking CAPTCHA 24 PIC PIC static character color (white) 6060 = 100%





Chinese e-banking CAPTCHA 25 PIC PIC static character color (black) 6060 = 100%





Chinese e-banking CAPTCHA 26 PIC PIC clearly separable background and foreground 6060 = 100%





* All these CAPTCHA schemes are developed by an e-banking service provider in US, which serves several thousand American financial institutions.

Call for More e-Banking CAPTCHAs

Our collection of e-banking CAPTCHAs may be very limited. Especially, our collection only covers very few financial institutions that do not have English, German or Chinese Web sites.

If you know any e-banking CAPTCHA scheme which is not included in this work, you are welcome to contact us so that we can analyze its security.

Only one revision exists, which was created (or modified) by hooklee at Sunday, June 19, 2016 11:06:01 PM.
This page was locked and can only be edited by administrators.

HomeIndexRecent ChangesPreference

Google

Google PageRank Checker
Valid XHTML 1.0 Transitional
Locations of visitors to this page
ip-location map zoom
Germany

China

GMT (London)