breaking e banking captchas
play

Breaking e-Banking CAPTCHAs Shujun Li 1 , Syed Amier Haider Shah 2 , - PowerPoint PPT Presentation

May 27, 2023 •533 likes •941 views

ACSAC 26 Breaking e-Banking CAPTCHAs Shujun Li 1 , Syed Amier Haider Shah 2 , Muhammad Asad Usman Khan 2 , Syed Ali Khayam 2 , Ahmad-Reza Sadeghi 3 , Roland Schmitz 4 1 Zukunftskolleg, University of Konstanz, Germany 2 National University of

  1. ACSAC 26 Breaking e-Banking CAPTCHAs Shujun Li 1 , Syed Amier Haider Shah 2 , Muhammad Asad Usman Khan 2 , Syed Ali Khayam 2 , Ahmad-Reza Sadeghi 3 , Roland Schmitz 4 1 Zukunftskolleg, University of Konstanz, Germany 2 National University of Science and Technology, Pakistan 3 Ruhr-University of Bochum, Germany 4 Stuttgart Media University, Germany

  2. Outlines ACSAC 26 - Our motivation - e-banking security is important - CAPTCHAs are widely used in e-banking systems - Our subjects of study - 44 e-banking CAPTCHA schemes - O (10 3 ) financial institutions + O (10 8 ) customers - Our findings - All e-banking CAPTCHAs were broken with a carefully selected set of CAPTCHA-breaking tools. - CAPTCHA does NOT seem to be a sufficient e-banking security solution. 2 / 21

  3. Traditional CAPTCHAs: Preventing automated login/logon ACSAC 26 - CAPTCHAs against web bots - C ompletely A utomated P ublic T uring test to tell C omputers and H umans A part I am a human! Then solve this! 3 / 21

  4. e-banking CAPTCHAs everywhere? ACSAC 26 - Login CAPTCHAs: 41 schemes - Most banks in China O (100) million customers - O (100) banks in Germany Branches - O (1000) financial institutions in USA - Four credit unions in Australia - One major bank in Switzerland - One bank in Pakistan - One bank in Central America 4 / 21

  5. e-banking CAPTCHAs everywhere? ACSAC 26 - Login CAPTCHAs: 41 schemes - Most banks in China O (100) million customers - O (100) banks in Germany Branches - O (1000) financial institutions in USA - Four credit unions in Australia - One major bank in Switzerland - One bank in Pakistan - One bank in Central America - Transaction CAPTCHAs: 3 schemes - 2 schemes @ two major banks in China > 110 million - 1 scheme @ O (100) banks in Germany customers 5 / 21

  6. What are transaction CAPTCHAs? ACSAC 26 - GeCaptcha as a typical example - GeCaptcha is the transaction e-banking CAPTCHA scheme currently used by O (100) German banks. I want to transfer money! Then solve this! 6 / 21

  7. What are transaction CAPTCHAs? ACSAC 26 - An anatomy of GeCaptcha = + + 7 / 21

  8. How does a real attack work? ACSAC 26 - Scene 1: I try to transfer 10 EUR to Bob. Receiver’s name Bank code Receiver’s account number Amount in EUR 8 / 21

  9. How does a real attack work? ACSAC 26 - Scene 2: Eve’s Trojan manipulates transaction data. Attacker, Eve 33333333 60050101 1000 9 / 21

  10. How does a real attack work? ACSAC 26 - Scene 3: Sever sends a GeCaptcha image back. 10 / 21

  11. How does a real attack work? ACSAC 26 - Scene 4: Eve’s Trojan forges a GeCaptcha image. 11 / 21

  12. How does a real attack work? ACSAC 26 - Scene 5: I find the TAN No. 81 in my indexed TAN list and send it (424005) to Eve’s Trojan. - Scene 6: Eve’s Trojan sends 424005 to the server. - Scene 7: The server validates the received TAN and accepts the manipulated transaction request. - Scene 8: (Some days/weeks later) I realized that my money had been stolen. 12 / 21

  13. How to forge a GeCaptcha image? A CAPTCHA-breaking network ACSAC 26 - Image processing + Pattern recognition Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 13 / 21

  14. How to forge a GeCaptcha image? Automated Attack 1 ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 14 / 21

  15. How to forge a GeCaptcha image? Automated Attack 1 ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 15 / 21

  16. How to forge a GeCaptcha image? Automated Attack 1 ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image Line k -means Layer Synthesis Detection Segmentation Image Character Character Inpainting Segmentation Recognition 16 / 21

  17. How to forge a GeCaptcha image? Automated Attack 1 ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition Successful rate = 100/100=100% 17 / 21

  18. How to forge a GeCaptcha image? Automated Attack 2 ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 14101978 Successful rate = 100/100=100% 18 / 21

  19. Breaking GeCaptcha: Efficiency of the attacks ACSAC 26 - Automated Attack 1 - Average running time ≈ 250 ms - Automated Attack 2 - Stage 1 (offline): Average running time ≈ 5 seconds - Stage 2 (online): Average running time ≈ 190 ms - Platform - Software: MATLAB 2008b / 2010a / 2010b - Hardware: Levono ThinkPad T61 laptop with an Intel Core2 Duo 2.4 GHz CPU and with 2 GB memory 19 / 21

  20. Go beyond GeCaptcha: All e-banking CAPTCHAs broken! ACSAC 26 - 3 transaction e-banking CAPTCHA schemes - GeCaptcha: 100/100=100% - ChCaptcha1: 100/100=100% - ChCaptcha2: 103/103=100% - 41 login e-banking CAPTCHA schemes - 38 schemes: n / n =100% - 3 schemes: m / n >95% - Here, n≥ 60 20 / 21

  21. e-banking CAPTCHAs: Love them or leave them? ACSAC 26 - e-banking CAPTCHAs cannot be easily enhanced. - Strong CAPTCHAs are hard to define and design. - A more critical security-usability tradeoff - Banks are passive and always want to save costs. - Our recommendations - Stopping depending on e-banking CAPTCHAs! - Moving to trusted hardware! 21 / 21

  22. ACSAC 26 Thanks for your attention! Now it’s time for questions  Find more at http://www.hooklee.com/default.asp?t=eBankingCAPTCHAs

  23. e-banking: Bank customer’s first choice now! ACSAC 26 - survey (2009) Internet Banking 23 / 21

  24. Is e-banking indeed secure? ACSAC 26 - We are living in an insecure cyberworld  - A CS student of Uni-Konstanz said: - “I don’t use e - banking. I am lazy and afraid of …” 24 / 21

  25. e-banking security measures ACSAC 26 - A list of e-banking security measures against different threats (phishing, MiTM, malware, etc.): - login CAPTCHAs - indexed TAN - transaction CAPTCHAs - mobile TAN - hardware TAN generators - photoTAN - HBCI/FinTS - … 25 / 21

  26. e-banking security and usability: other measures deployed by banks ACSAC 26 - indexed TAN - Not secure against MitM attack - mobile TAN - Not secure against mobile malware - Out-of-band channel does not exit for mobile banking - Additional costs (SMS) - Untrusted telecommunication service provider - photoTAN - Not secure against mobile malware - hardware TAN generators and smart card readers - Not very portable (usable), not cheap (no free lunch, > 10 € ) - But it seems to be the only way to go for the long run. 26 / 21

  27. What did we use for breaking e- banking CAPTCHAs? ACSAC 26 - Two new tools - Digital image inpainting - Image quality assessment (IQA) for character recognition: CW-SSIM = Complex Wavelet Structural Similarity Metric 27 / 21

  28. How to forge a GeCaptcha image? Automated Attack 1 ACSAC 26 - Step 0: Segment the GeCaptcha image - Step 1: Locate the text line with transaction data - Step 2: Remove the genuine transaction data - Step 3: Add user-expected transaction data 28 / 21

  29. How to forge a GeCaptcha image? Automated Attack 2 ACSAC 26 - Stage 1 (offline): Recognize the user’s birthday - Stage 2 (online): Forge GeCaptcha images 14 10 1978  29 / 21

  30. How to forge a GeCaptcha image? Automated Attack 2 (Stage 1) ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 30 / 21

  31. How to forge a GeCaptcha image? Automated Attack 2 (Stage 1) ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 31 / 21

  32. How to forge a GeCaptcha image? Automated Attack 2 (Stage 1) ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 32 / 21

  33. How to forge a GeCaptcha image? Automated Attack 2 (Stage 1) ACSAC 26 Forged CAPTCHA image Morphological Image Operations Inpainting Genuine CAPTCHA images CAPTCHA Image k -means Layer Line Detection Synthesis Segmentation Image Character Character Inpainting Segmentation Recognition 33 / 21

Recommend

Breaking CAPTCHAs on the Dark Web Using neural networks to enable scraping RP #62, Kevin Csuka

Breaking CAPTCHAs on the Dark Web Using neural networks to enable scraping RP #62, Kevin Csuka

Breaking CAPTCHAs on the Dark Web Using neural networks to enable scraping RP #62, Kevin Csuka & Dirk Gaastra Supervisor: Yonne de Bruijn, Fox-IT 6 February, 2018 University of Amsterdam Introduction Scraping the Dark Web Useful for

972 views • 56 slides
The art of breaking and designing captchas Elie Bursztein Session ID: HT02-402 Insert

The art of breaking and designing captchas Elie Bursztein Session ID: HT02-402 Insert

The art of breaking and designing captchas Elie Bursztein Session ID: HT02-402 Insert presenter logo here Session Classification: xxxxxxxxxxxx on slide master. See hidden slide 4 for direc6ons Insert presenter logo here on slide master.

2.36k views • 192 slides
EPL682 - PAPERS ---------- Re: CAPTCHAs Understanding CAPTCHA-Solving Services in an Economic

EPL682 - PAPERS ---------- Re: CAPTCHAs Understanding CAPTCHA-Solving Services in an Economic

EPL682 - PAPERS ---------- Re: CAPTCHAs Understanding CAPTCHA-Solving Services in an Economic Context I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs Antreas Dionysiou - Department of Computer Science University of Cyprus

867 views • 39 slides
Infection for Breaking mTAN-based Online Banking Authentication Alexandra Dmitrienko Fraunhofer

Infection for Breaking mTAN-based Online Banking Authentication Alexandra Dmitrienko Fraunhofer

Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication Alexandra Dmitrienko Fraunhofer Institute for Secure Information Technology/CASED, Germany Joint work with Lucas Davi Ahmad-Reza Sadeghi Christopher

482 views • 33 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Animated Captchas And Games For Advertising Suhas Aggarwal IIT Guwahati May 2013 1 Content

Animated Captchas And Games For Advertising Suhas Aggarwal IIT Guwahati May 2013 1 Content

Animated Captchas And Games For Advertising Suhas Aggarwal IIT Guwahati May 2013 1 Content How Captchas and Games can help in Advertising Animation Captcha Systems and their Special Benefit in Advertising Visual Effects Captcha,

820 views • 26 slides
Something about audio CAPTCHAs Elie Bursztein, Romain Bauxis, Daniele Perito, Hristo Paskov,

Something about audio CAPTCHAs Elie Bursztein, Romain Bauxis, Daniele Perito, Hristo Paskov,

Something about audio CAPTCHAs Elie Bursztein, Romain Bauxis, Daniele Perito, Hristo Paskov, Celine Fabry, John Mitchell 1 Elie Bursztein (@elie) http://ly.tl/p18 The Failure of Noise-Based Non-Continuous Audio Captchas Elie Bursztein

729 views • 45 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
How Good are Humans at Solving d r CAPTCHAs? A Large Scale Evaluation o f n a Elie

How Good are Humans at Solving d r CAPTCHAs? A Large Scale Evaluation o f n a Elie

b a L y t i r u c e S r e t u p m o C How Good are Humans at Solving d r CAPTCHAs? A Large Scale Evaluation o f n a Elie Bursztein, Steven Bethard, Celine Fabry, John t S Mitchell, Dan Jurafsky, http://ly.tl/p11 E.

1.2k views • 105 slides
Breaking and Entering as a Legal November 4, 2011 Obligation: Amendments to Chicago Practice

Breaking and Entering as a Legal November 4, 2011 Obligation: Amendments to Chicago Practice

Breaking and Entering as a Legal November 4, 2011 Obligation: Amendments to Chicago Practice Group(s): Mortgage Banking & Ordinance Continue Trend of Forcing Consumer Financial Products Lenders to Maintain Vacant Property Even Before

338 views • 7 slides
UNDERSTANDING CAPTCHA The Need for CAPTCHAs To Prevent Abuse of Online Systems William Sembiante

UNDERSTANDING CAPTCHA The Need for CAPTCHAs To Prevent Abuse of Online Systems William Sembiante

UNDERSTANDING CAPTCHA The Need for CAPTCHAs To Prevent Abuse of Online Systems William Sembiante University of New Haven What is CAPTCHA? Term coined in 2000 at Carnegie Mellon by Luis von Ahn, Manuel Blum, Nicholas Harper, and John

576 views • 29 slides
THE BANKING SERVICES ACT Banking Services (Deposit Taking Institutions) (Agent Banking)

THE BANKING SERVICES ACT Banking Services (Deposit Taking Institutions) (Agent Banking)

THE BANKING SERVICES ACT Banking Services (Deposit Taking Institutions) (Agent Banking) Regulations 2016 Presentation to Parliament by The Honourable Audley Shaw CD, MP. Minister of Finance and the Public Service

435 views • 6 slides
PROCESS AND PROCEDURES AMIR ALFATAKH YUSOF ISLAMIC BANKING FROM CONVENTIONAL TO ISLAMIC BANKING

PROCESS AND PROCEDURES AMIR ALFATAKH YUSOF ISLAMIC BANKING FROM CONVENTIONAL TO ISLAMIC BANKING

PROCESS AND PROCEDURES AMIR ALFATAKH YUSOF ISLAMIC BANKING FROM CONVENTIONAL TO ISLAMIC BANKING SPEAKER PROFILE 1. Started in Conventional Banking Sales for OCBC Bank Retail, Business Banking and Corporate Banking, Kuala Lumpur Main Branch

830 views • 26 slides
CAPTCHAs: The Good, the Bad, and the Ugly ISSE-GI SICHERHEIT 2010 Paul Baecher*, Marc Fischlin*,

CAPTCHAs: The Good, the Bad, and the Ugly ISSE-GI SICHERHEIT 2010 Paul Baecher*, Marc Fischlin*,

CAPTCHAs: The Good, the Bad, and the Ugly ISSE-GI SICHERHEIT 2010 Paul Baecher*, Marc Fischlin*, Lior Gordon, Robert Langenberg, Michael Ltzow, Dominique Schrder* * TU Darmstadt, supported by DFG Emmy Noether Program October 7, 2010 | 1

573 views • 21 slides
Offering banking services in a mobile world Denise Buckton Head of Mobile and Phone Banking

Offering banking services in a mobile world Denise Buckton Head of Mobile and Phone Banking

Offering banking services in a mobile world Denise Buckton Head of Mobile and Phone Banking Evolution of ANZ & NBNZ Mobile Banking Txt Banking NBNZ iBank M-Banking ANZ goMoney NBNZ Mobile Banking and M-Banking for iPhone browser for

429 views • 8 slides
A Simple Generic Attack on Text Captchas Haichang Gao (Xidian University), Jeff Yan (Lancaster

A Simple Generic Attack on Text Captchas Haichang Gao (Xidian University), Jeff Yan (Lancaster

A Simple Generic Attack on Text Captchas Haichang Gao (Xidian University), Jeff Yan (Lancaster University), Fang Cao, Zhengya Zhang, Lei Lei, Mengyun Tang, Ping Zhang, Xin Zhou, Xuqin Wang and Jiawei Li (Xidian University) Introduction CAPTCHA :

613 views • 26 slides
Text-based captchas strengths and weakness Elie Bursztein, Matthieu Martin, John Mitchell

Text-based captchas strengths and weakness Elie Bursztein, Matthieu Martin, John Mitchell

Text-based captchas strengths and weakness Elie Bursztein, Matthieu Martin, John Mitchell Stanford University 1 About this Research Presenter: Elie Bursztein (http://elie.im) Conference: ACM CCS 2011 Slides and paper freely

1.56k views • 110 slides
Banking Transformation in ASEAN and Mobile Banking in Indonesia 16 Feb 2012 Indonesia

Banking Transformation in ASEAN and Mobile Banking in Indonesia 16 Feb 2012 Indonesia

Banking Transformation in ASEAN and Mobile Banking in Indonesia 16 Feb 2012 Indonesia International Banking Convention (IIBC) Devabalan Theyventheran Head of Transformation Office and Business Process Development CIMB Group Agenda 1

439 views • 24 slides
Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD Breaking down iD 15% Rendering Painting 21% Javascript 64% HTML A sample of what iD is doing behind the scenes Breaking down JS 13% Draw Vector

426 views • 27 slides
THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING p.1/31 OUTLINE Introduction Higgs sector Tree-level masses EWSB and fine-tuning Supersymmetric spectrum Dark

361 views • 34 slides
The Italian Banking System in the Perspective of the Banking Union Fabio Panetta Member of the

The Italian Banking System in the Perspective of the Banking Union Fabio Panetta Member of the

The Italian Banking System in the Perspective of the Banking Union Fabio Panetta Member of the Governing Board - Banca dItalia London, November 21, 2013 Outline of the Presentation 1. The Banking Union (BU) project o the Single Supervisory

321 views • 21 slides
Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier with a Prenup) Easier with a Prenup) Gregory S. Gregory S. William Williams, , Esq. Esq. Carr rruthe uthers & rs & Roth, P.A.

170 views • 6 slides
The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking The Law Lyrics There I was completely wasting, out of work and down All inside it's so frustrating as I drift from town to town Feel as though

269 views • 10 slides
About Deutsche Bank Strategy 2020: Digitalize DB -Targeting up to EUR 1bn of incremental

About Deutsche Bank Strategy 2020: Digitalize DB -Targeting up to EUR 1bn of incremental

eID: the business case for the banking and finance community 5th June 2015 Overview No. Topic 2 2 Context Context 3 eID Key concepts 4 Identity in Banking 5 Drivers for eID adoption Applicability in the banking world 6 Key

88 views • 8 slides

More recommend