Visual security is feeble for Anti-Phishing

Chun-Ming Leung
Department of Information Engineering, The Chinese University of Hong Kong, Shatin, N. T., Hong Kong
[email protected]

Abstract—Addressing recent online banking threats, the banking industry offers several solutions meant to keep our online banking experience safe; however, those solutions may not ultimately secure users against the rising threats. The main challenges are how to enable safe online banking on a compromised host, and how to cope with users' general ignorance of security warnings. CAPTCHA is primarily used to stop automated (bot) logins; a CAPTCHA-based application can further provide secure PIN input against keyloggers and mouse-loggers for a bank's customers [1]. Assuming in our model that users are always unconscious of security warnings, we have designed a series of attacks and defenses under this condition. In this work we start by formalizing a security defense that utilizes CAPTCHA and analyzing its limitations; we then attack a local bank's CAPTCHA solution and show how it can be bypassed through a vulnerability in its implementation. We further introduce the Control-Relaying Man-In-The-Middle (CR-MITM) attack, a remote attack that works much like a Remote Terminal Service and can capture and relay user inputs without the assistance of a local Trojan, which may defeat CAPTCHA-based phishing protection in the future. Under our model we conclude that visual security defense alone is feeble for anti-phishing.

Keywords—Phishing; Man-In-The-Middle (MITM); CAPTCHA; Authentication; Implementation Flaw; Online Banking

I. INTRODUCTION

Since the term phishing was first recorded in 1996, when attackers hunted for free AOL accounts, phishing has been on an increasing trend over the years. It quickly evolved into financial fraud, as criminals always aim for high yield. Fortunately, with the spread of online banking, the banking industry has been motivated to play a leading role in fighting the phishing threat. However, the reported losses to Internet crime such as phishing have broken their record each year, reaching US$239 million in 2007. This tells us that we are still looking for a better solution.

To confirm that a destination is what it claims to be, the most trustworthy technique is the Digital Certificate, whose certification binds a public key to an identity. The banking industry started deploying Digital Certificates in 2002; however, this trustworthy solution is routinely ignored by users [2]. In an incident on 4th March 2008, HSBC, one of the world's biggest banks, forgot to renew its Digital Certificate [3], yet claimed that online banking for its customers was not affected. One can imagine how many users ignored the invalid-certificate warning and carried on with their online banking as usual that day. Note that the Digital Certificate solution is a one-way authentication of the bank; customers rarely have Digital Certificates of their own. The customer's identity therefore remains threatened by identity theft (e.g. a keylogger on an infected machine), as it has been since the early days.

In 2005, a One-Time-Password (OTP) based two-factor authentication solution, the Secure Token, was delivered to bank customers [4] to fight keyloggers and phishing. Alongside the worldwide encouragement of two-factor authentication in the same year [5],

the phishing technique was also evolving: in 2005 the Secure Token was found vulnerable to the Real-Time Man-In-The-Middle (RT-MITM) attack [6]. We describe the fall of the Secure Token to RT-MITM in a later section. Besides authenticating the user, there is also a need to authenticate the bank. Bank of America (BoA) tried to take a leading role in fighting phishing: in 2005 BoA first rolled out SiteKey [7], originally invented by RSA Labs, to address the issue. However, it has been doubted that SiteKey achieves its target [8], since it obviously risks an MITM attack. Recently, the idea of Human Interactive Proofs (HIP) has been used to fight phishing [9]. There is a CAPTCHA application used in online banking [1]; however, that application may not achieve its initial goal when facing rising phishing techniques such as RT-MITM. In this paper, starting from an attack on the careless CAPTCHA implementation of BEA's online banking, we argue that CAPTCHA alone is not a panacea for the phishing threat. The following sections analyze these issues in detail.

A. CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart

The basis of CAPTCHA is to use a hard AI problem to tell humans and bots apart [10]; it originally evolved from visual authentication and identification. The primary use of CAPTCHA is to fight auto-bots in account registration and click fraud. Since mature cryptographic techniques are ineffectual in the face of user ignorance [2], there is a trend of applying CAPTCHA ideas to phishing defense [11], [1]; see the related work for details. In fact, visually human-verifiable techniques (e.g. SiteKey [7]) are vulnerable to MITM attack [8]. Also, a careless CAPTCHA implementation [1] can make the application fail to achieve its mission. In the remaining sections we demonstrate how to break an application [1] by exploiting its implementation flaw.

B. Man-In-The-Middle Attack

Historically, the Man-In-The-Middle (MITM) attack is a cryptographic term, where the MITM has the following abilities: 1) it eavesdrops on and intercepts all messages passing between the victims; 2) it relays messages between them. In short, an MITM attack makes the victims believe they are talking to each other over a direct connection, without revealing the existence of the middle man. One famous MITM attack on a public-key algorithm is the attack on the initial version of the Diffie-Hellman algorithm [12] of 1976, in which the exchanged values g^x and g^y carry no actual means of authentication, so the exchange risks an MITM attack. The attack scenario is also well described in the publication of its advanced Authenticated Key Exchange (AKE) version [13]. In the AKE version of the DH algorithm, Diffie et al. combine the use of digital signatures and random numbers to authenticate each party. The lesson is that a secure protocol without actual authentication risks an MITM attack.

MITM can also take place visually, at the user-interface layer. Schneier [6] described an RT-MITM attack at the user-interface layer in 2005 that can defeat a two-factor secure token: an attacker sets up a fake bank website and entices a user to it, just like phishing. When the user types in his ID and password, including the second factor (e.g. the security token code), the attacker uses them to access the legitimate bank's website simultaneously. The scenario also applies to an SMS challenge code: the victim can type the code on the phishing site, and it can be relayed. The protection of the second factor is worth nothing against this kind of online active attacker. The attack is classified as an Online Doppelganger Attack [14] to distinguish this type of relaying attack from the traditional cryptographic MITM attack. In this paper, we analyze the abilities of current anti-phishing solutions against the most recent Internet security threats.

C. Our contribution

In this paper, we make the following contributions: 1) current CAPTCHA solutions used against phishing are analyzed; 2) we demonstrate an attack on a careless CAPTCHA implementation of a local online bank, in which the CAPTCHA challenge can be bypassed; 3) we describe a future attack, the Control-Relaying Man-In-The-Middle (CR-MITM) attack, a remote attack that can capture and relay user inputs without local Trojan assistance and may defeat CAPTCHA applications. We argue that visual security such as CAPTCHA alone is feeble in dealing with the phishing threat.

II. MODELS

In our model we assume that users are always unconscious of security warnings.
We simply distinguish MITM attacks in phishing into two types, according to whether the hacker interacts with the legitimate server simultaneously during the login phase.
• An Offline MITM attack captures password-based authentication passively, where the password never changes.
• An Online MITM attack can even defeat second-factor One-Time-Password (OTP) authentication interactively, where the valid OTP is instantly relayed to the legitimate server.
The adversary can perform a different type of MITM attack depending on the authentication factors of the legitimate server.

III. ATTACKS AND DEFENSES

In this section, we present a series of attacks and defenses to show both the power and the limitations of CAPTCHA. For attacks involving a human victim, we consider the human user unconscious, always ignoring invalid CA certificate warnings. We start by introducing the original idea of CAPTCHA and its known vulnerabilities. Then we introduce a CAPTCHA-like implementation of a local bank that utilizes the power of CAPTCHA to fight keyloggers and auto-bot login by its Scrambled Num-Pad Login Applet, followed by our CAPTCHA-bypassing attack exploiting its implementation flaw.

Fig. 1. Properties of BEA Cyber Banking: (a) Login Page; (b) Scrambled Number-pad.

We will show how an RT-MITM attack can compromise a CAPTCHA-plus-second-factor protection scenario. We also found another type of Online MITM attack, which we name the Control-Relaying MITM attack: instead of relaying the victim's credentials, it relays user control to the hacker's machine.

A. CAPTCHA against Auto-bot

BACKGROUND: Web services are abused by auto-bots; to keep the service available to humans, we want to tell humans and AI apart to prevent abuse and spam.
HYPOTHESIS
• A hard AI problem such as character recognition can easily be done by a human but not by an auto-bot.
• By applying an AI problem during the authentication process, we can guarantee that a human is present at the other side.
PROCEDURE
• Define a hard AI problem which a human can solve but an AI cannot, e.g. CAPTCHA.
• Require human interaction before access to the service is granted.
ACHIEVEMENT
• An auto-bot cannot access the service without a human.
• In the worst case, without effective OCR, brute force must be used.
GENERALIZATION: A hard AI problem can resist auto-bot login (e.g. CAPTCHA), and hence can also resist brute-force password guessing.
WEAKNESS
• It is vulnerable to human solvers and to clever OCR.
• It is relayable, so it risks an RT-MITM attack.

B. Local Bank fighting online threats

BACKGROUND: With the increasing acceptance and convenience of online banking, online threats targeting user credentials, such as keyloggers and spyware, are also rising. We use the example of a local bank (fig. 1a) to elaborate on the use of CAPTCHA in fighting online threats [15].¹
PROPERTIES
• An on-screen Number-Pad for password input; the password must be entered by mouse clicking. The Number-Pad is formed by 10 images, and the positions of the number buttons are scrambled (by refreshing the applet or by pressing the "Clear" button) (fig. 1b).
• Resistance to both keyloggers and mouse-loggers, since no key is typed and the Number-Pad is scrambled every time, so that logging mouse positions is meaningless. Hence it also resists a local Trojan attack without clever OCR. These CAPTCHA properties can resist auto-bot login, and hence resist brute-force password guessing.
PROCEDURE
• Design a password field in an applet that only accepts mouse-click input on the on-screen Number-Pad.
• The Number-Pad is scrambled each time.
• The applet output is encrypted using the bank's public key embedded in the applet plus a random number from the login page.
ACHIEVEMENT
• Neither keyboard nor mouse loggers are able to capture the user's credentials.
• With the encryption algorithm, even with a known password a local malicious program cannot produce the predicted applet output, and hence cannot easily bypass the CAPTCHA applet. An auto-bot cannot log in.
GENERALIZATION
• Password authentication combined with image recognition by mouse input on a scrambled number pad is a hard AI problem that suppresses loggers and spyware.
• It guarantees human interaction in the login system.
VULNERABILITIES
• The number-pad images are static, so they can be recognized by OCR more easily than other CAPTCHAs.
• Both the CAPTCHA and the password are relayable and vulnerable to RT-MITM attack.
• A Java Applet is subject to decompilation and reverse engineering; leaking the secure algorithm may risk a breach of the system.

¹ Notes: Our experiment was done on May 8, 2008; a new interface was released by the Bank of East Asia on July 24, 2008.

C. Bypass CAPTCHA Input System of BEA

BACKGROUND: BEA's Password Input System takes advantage of CAPTCHA properties. However, careless implementation might allow the CAPTCHA system to be bypassed or easily broken by OCR. In this section we evaluate the CAPTCHA Input System (CIS) of BEA by reverse engineering and then propose an attack that bypasses its CAPTCHA protection.
PROCEDURES AND PROPERTIES OF BEA'S CIS (fig. 2): The client connects to the bank server over HTTPS through the browser; the server side uses a Java Servlet to generate a dynamic page with JavaScript for the client to browse. Inside the applet, the PIN text field is protected: it only accepts input from the on-screen keyboard and the moving Number-Pad. In the source code of the login page, essential input parameters such as AcctNo, EncPINBlock and others used for encryption are stored in hidden fields. The input parameters are further processed by a Java applet class named PINBoxApplet.class, which is included in webpin.jar, downloaded from the server and stored locally on the client. Finally, the login form is submitted by the POST method.
HYPOTHESIS OF OUR ATTACK
• A Java applet can be decompiled and analyzed, so the source code inside the applet can be modified.
• By reverse engineering, we found that PIN construction is separated into two Java classes: the PINBoxApplet class concatenates the PIN string from the moving Number-Pad, and the LogonApplet class generates the encrypted PIN. The login applet is designed to be reusable; it makes its output unique by reading hidden parameters (Public Exponent, Modulus, Challenge) and using them to encrypt the user's PIN input.

Fig. 2. Login procedures of BEA.

Fig. 3. PINBoxApplet: PIN string concatenation by Moving Number-pad.
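As an added example (not the bank's code and not from the paper), the following Python model follows the hypothesis above: a PINBoxApplet stage that turns clicks on a scrambled pad into a string, a LogonApplet stage that encrypts that string under the page's Public Exponent, Modulus and Challenge, and a server that decrypts and checks. The RSA parameters, the 6-digit PIN, the 5-digit challenge and the PIN-plus-challenge encoding are constructed assumptions. It shows what the rest of this section finds: the challenge binding stops replaying a captured EncPINBlock, but the server cannot tell a string produced by mouse clicks from one handed to the encryption stage directly.

```python
import random

# Toy RSA parameters standing in for the applet's Public Exponent / Modulus
# (constructed; not the bank's real key). P and Q are primes, E is coprime to phi.
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays on the bank server

DIGITS = "0123456789"
CHALLENGE_RANGE = 100_000            # 5-digit challenge, so PIN * 10^5 + challenge < N


def scrambled_numpad(rng: random.Random) -> list:
    """The Number-Pad: the ten digit labels in a shuffled display order."""
    pad = list(DIGITS)
    rng.shuffle(pad)
    return pad


def pinbox_applet(clicks: list, pad: list) -> str:
    """PINBoxApplet model: button positions clicked -> the pwdField string."""
    return "".join(pad[pos] for pos in clicks)


def logon_applet(pwd_field: str, challenge: int, e: int = E, n: int = N) -> int:
    """LogonApplet model: encrypt the PIN string together with the page challenge.
    The output depends only on the string; nothing records how it was produced."""
    m = int(pwd_field) * CHALLENGE_RANGE + challenge
    return pow(m, e, n)


class BankServer:
    """Issues one challenge per login page and verifies the submitted EncPINBlock."""

    def __init__(self, pin: str, rng: random.Random) -> None:
        self._pin = pin
        self._rng = rng
        self._outstanding = set()        # challenges issued but not yet consumed

    def login_page(self) -> tuple:
        """Hidden fields the applet reads: (Public Exponent, Modulus, Challenge)."""
        challenge = self._rng.randrange(CHALLENGE_RANGE)
        self._outstanding.add(challenge)
        return E, N, challenge

    def verify(self, enc_pin_block: int) -> bool:
        pin, challenge = divmod(pow(enc_pin_block, D, N), CHALLENGE_RANGE)
        if challenge not in self._outstanding:
            return False                 # stale or unknown challenge: replay rejected
        self._outstanding.discard(challenge)   # single use
        return f"{pin:06d}" == self._pin


def login_via_numpad(server: BankServer, pin: str, rng: random.Random) -> bool:
    """Genuine path: a human clicks the scrambled pad, the applet encrypts pwdField."""
    e, n, challenge = server.login_page()
    pad = scrambled_numpad(rng)
    clicks = [pad.index(ch) for ch in pin]       # the positions a human would click
    return server.verify(logon_applet(pinbox_applet(clicks, pad), challenge, e, n))


def login_bypassing_numpad(server: BankServer, pin: str) -> bool:
    """The paper's finding: the string can be handed straight to the encryption stage."""
    e, n, challenge = server.login_page()
    return server.verify(logon_applet(pin, challenge, e, n))


def replay_captured_block(server: BankServer, pin: str) -> tuple:
    """A captured EncPINBlock used once, then presented again: (first, replay)."""
    e, n, challenge = server.login_page()
    block = logon_applet(pin, challenge, e, n)
    return server.verify(block), server.verify(block)


def run_scenarios(seed: int = 7) -> dict:
    rng = random.Random(seed)
    server = BankServer(pin="048213", rng=rng)          # constructed sample PIN
    first_ok, replay_ok = replay_captured_block(server, "048213")
    return {
        "fresh_block": first_ok,                        # True: challenge bound
        "replayed_block": replay_ok,                    # False: challenge consumed
        "numpad_path": login_via_numpad(server, "048213", rng),      # True
        "direct_string_path": login_bypassing_numpad(server, "048213"),  # True as well
        "direct_wrong_pin": login_bypassing_numpad(server, "111111"),    # False
    }
```

The two accepted logins are indistinguishable at the server, which is why the human-interaction property lives only in client code that the next paragraphs show can be replaced.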
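The applet replacement described next in this section works because the Java Control Panel checks a cached applet only against the checksum it recorded at first download. As an added example (not JCP's code), this Python model contrasts that trust-on-first-use check with a check against a digest pinned out of band, which stands in for verification against a publisher signature; the jar contents, the file name and the digests are constructed.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for the applet archive (not the bank's real webpin.jar bytes).
GENUINE_JAR = b"PK\x03\x04 webpin.jar v2 (genuine build from the bank)"
MODIFIED_JAR = b"PK\x03\x04 webpin.jar v1 (older build substituted in transit)"
JAR_NAME = "webpin.jar"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TofuAppletCache:
    """Trust-on-first-use cache, modelled on the JCP behaviour the paper describes:
    the only reference value is the checksum recorded when the applet first arrived."""

    def __init__(self) -> None:
        self._files: Dict[str, bytes] = {}
        self._recorded: Dict[str, str] = {}

    def install(self, name: str, downloaded: bytes) -> None:
        self._files[name] = downloaded
        self._recorded[name] = digest(downloaded)    # whatever arrived is now "known good"

    def overwrite_on_disk(self, name: str, data: bytes) -> None:
        """Local modification after caching: the case the recorded checksum does catch."""
        self._files[name] = data

    def load(self, name: str) -> Optional[bytes]:
        data = self._files[name]
        return data if digest(data) == self._recorded[name] else None


class PinnedAppletCache(TofuAppletCache):
    """Same cache, but the reference digest is pinned out of band (standing in for a
    publisher signature check), not learned from the first download."""

    def __init__(self, pinned: Dict[str, str]) -> None:
        super().__init__()
        self._pinned = pinned

    def load(self, name: str) -> Optional[bytes]:
        data = super().load(name)
        if data is None or digest(data) != self._pinned.get(name):
            return None
        return data


PINNED = {JAR_NAME: digest(GENUINE_JAR)}     # what the publisher would distribute/sign


def client_lifecycle(cache: TofuAppletCache, *, intercept_first_download: bool = False,
                     tamper_cached_file: bool = False) -> Optional[str]:
    """First download (possibly substituted in transit), then a later run from cache.
    Returns which build the browser ends up running, or None if the cache refuses."""
    cache.install(JAR_NAME, MODIFIED_JAR if intercept_first_download else GENUINE_JAR)
    if tamper_cached_file:
        cache.overwrite_on_disk(JAR_NAME, MODIFIED_JAR)
    loaded = cache.load(JAR_NAME)
    if loaded is None:
        return None
    return "genuine" if loaded == GENUINE_JAR else "modified"


def run_scenarios() -> dict:
    return {
        "tofu_clean": client_lifecycle(TofuAppletCache()),                                   # genuine
        "tofu_intercepted": client_lifecycle(TofuAppletCache(), intercept_first_download=True),  # modified
        "tofu_tampered_later": client_lifecycle(TofuAppletCache(), tamper_cached_file=True),     # None
        "pinned_clean": client_lifecycle(PinnedAppletCache(PINNED)),                         # genuine
        "pinned_intercepted": client_lifecycle(PinnedAppletCache(PINNED), intercept_first_download=True),  # None
    }
```

The TOFU check does its intended job against later tampering of the cached file; it cannot help when the first copy was already the substituted one, and only a reference that did not come over the same path can.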

In the submission procedure, we found that the user's mouse inputs on the CIS are finally transformed into a string variable (pwdField) in the PINBoxApplet class (fig. 3) and then passed to the LogonApplet class for PIN encryption. As LogonApplet accepts a plaintext password string from PINBoxApplet, it can also accept any string input (fig. 4), so it is possible to bypass the CIS in PINBoxApplet: LogonApplet can be accessed directly to produce the encrypted PIN. By modifying the PIN-passing algorithm in the Java applet, password input is possible without mouse clicking on the moving Number-Pad while still utilizing the PIN encryption algorithm. The downloaded Java applet is cached and stored in a location defined by the Java Control Panel (JCP). Although JCP checks the integrity of the downloaded applet before running the cached copy, if the applet is intercepted and replaced by a modified one during its first download there is nothing JCP can do² (fig. 5). The modified applet can then use the PIN encryption Java class as an input interface: it bypasses the moving Number-Pad algorithm and feeds the PIN string directly to the PIN encryption class. We prove our concept by demonstrating an attack that replaces the new applet version with its older version (fig. 6).

In summary, bypassing the CIS can be done in two stages: (1) set up a modified applet that bypasses the CIS; (2) replace the legitimate applet with the modified, CIS-bypassing applet.
ATTACK SETUP
• Analyze the login page of the online bank; download and decompile the Java applet Password Input System (webpin.jar).
• Modify the PIN-passing algorithm in the Java applet (fig. 4). The modified applet allows password input without mouse clicking on the moving Number-Pad (because LogonApplet accepts a plaintext password string), while still utilizing the PIN encryption algorithm.
• Use a proxy (e.g. WebScarab [16]) to intercept the applet downloaded from the legitimate server and replace it with the modified applet. With proxy interception, the local Java Control Panel is not notified of the modification, so the modified applet is cached locally and passes the checksum check in the future³.
ATTACK PROCEDURE
• The hacker sets up a phishing website to phish for the victim's credentials.
• The victim inputs ID and password on the phishing website.
• Through the modified CAPTCHA-bypassing applet, the hacker can automate the relaying of the password input.
• The hacker's applet submits the victim's ID and password to the bank, gaining access to online banking.
CONSEQUENCE: CAPTCHA access control and authentication protection is bypassed, so the hacker can reduce the cost of phishing: online banking can be accessed directly by automated login without human assistance.
GENERALIZATION
• The security of the BEA CAPTCHA system rests on obscurity; however, a CAPTCHA implementation in a Java applet is subject to reverse engineering.
• If the CAPTCHA protection can be bypassed, the hacker can perform automated login.

Fig. 4. Procedure of PIN Encryption: LogonApplet accepts a plaintext password string input from PINBoxApplet.

Fig. 5. Implementation of the Java Applet Replacement Attack.

Fig. 6. Java Applet Replacement Attack: the new version of the Password Input System is replaced by its older version. Note that (a) is the original and (b) is the modified one. CA certificates are still valid.

² The BEA Java applet can be replaced using WebScarab [16].
³ Notes: The Java Control Panel checks the checksum of its cached applet application before it runs in the browser; the checksum is compared with the value recorded when the application was first downloaded.

D. Attack on BEA CAPTCHA Input System plus OTP protection by RT-MITM

BACKGROUND AND PROPERTIES: Assume a recent hacker with RT-MITM ability, where RT-MITM can defeat the second-factor authentication provided by a One-Time-Password (OTP) secure token. In this work, we show that the CAPTCHA Input System of BEA would be defeated by RT-MITM even if it implemented OTP second-factor authentication. The scenario is based on the current implementation of the BEA login system plus a One-Time-Password input field using the scrambled Number-Pad.
HYPOTHESIS
• CAPTCHA images can be relayed and are vulnerable to human solvers; the victim himself is human and willing to solve the CAPTCHA in order to log in.
• Even if the client is further authenticated by a One-Time-Password, the OTP can also be relayed. If the hacker gains the ID, PIN and OTP, the hacker can gain access to the legitimate server simultaneously.
PROCEDURE
• The hacker sets up a phishing website to phish for the victim's credentials.
• The hacker's server establishes a connection with the legitimate server during phishing and captures the login screen.
• The image of the scrambled Number-Pad is relayed to the victim, and the mouse-click positions are recorded. Those mouse clicks are regenerated on the hacker's server.
• The hacker's server submits the captured ID, PIN and OTP to the legitimate server simultaneously; access is granted.
GENERALIZATION: As both the CAPTCHA and the OTP second factor can be relayed, they cannot defend against the RT-MITM attack.

IV. FUTURE ATTACK

In this section we introduce an attack that may become practical in the future: since the computational power and bandwidth of both attacker and victim are generally rising, new attack vectors can be delivered, and visual scamming over the network is becoming practical and persuasive.

A. Derivative of Online-MITM attack

The basis of MITM is to exploit a scenario in which each end is unable to actually authenticate the other. The most secure way is cryptographic protection such as CA certificates with public-key encryption, which can authenticate at least the server side and secure the transaction over the path between the two ends. However, due to users' general ignorance of CA certificate verification, there is an urge for security beyond the promising CA certificate protection. As with the CAPTCHA discussed in the previous section, however dynamic the system or however hard the AI problem it creates, we cannot authenticate the remote party visually. Hopelessly, a Trojan is always able to deceive our user visually. We found that the online-MITM attack is not limited to the RT-MITM described by Schneier [6] in 2005. We predict that in the near future it will be possible for a hacker to employ something like a Remote Terminal Service to perform a visual phishing scam. Imagine that what is shown in our browser is actually a remote image located at a remote site; we may be convinced by its visual appearance. As we can do remote administration in a browser with a plugin, just like using a VNC Java viewer [17] or even the newly invented lightweight VNC Flash viewer [18], it is possible for an attacker to conduct such a visual MITM attack utilizing those applications. Details are described below.

B. Attack CAPTCHA authentication system by CR-MITM

We introduce the Control-Relaying Man-In-The-Middle (CR-MITM) attack, with which the attacker may defeat a CAPTCHA authentication system by taking advantage of the rising computational power and bandwidth of the future. This is a remote attack that can capture and relay user inputs without local Trojan assistance (Fig. 8). The attack starts by developing a phishing webpage that embeds a Remote Desktop Client (RDC) browser application; when the victim visits the hacker's server, the RDC is downloaded, and the hacker's server simultaneously initiates a connection to the bank server. After the hacker's server loads the login page in the hacker's browser, the hacker starts its Remote Terminal Service (RTS), which projects the hacker's browser content to the RDC running in the victim's browser; the RTS lets the victim's RDC take over control of the hacker's browser (Fig. 7). The victim's input to the CAPTCHA authentication system is thus processed directly in the hacker's browser in real time. After the bank server verifies the user's credentials, the hacker gains access to online banking. As this type of online MITM attack is not based on information relaying as in the RT-MITM described above, but instead relays the control privilege of the hacker's browser to the victim, we call it the Control-Relaying MITM attack (Fig. 8).
CONTRIBUTION: We contribute by extending the category of MITM attacks: the power of the CR-MITM attack is the same as that of a Trojan-assisted RT-MITM attack, while CR-MITM can capture and relay user input without local Trojan assistance.
SECURITY MODEL: CR-MITM is classified as an online-MITM attack, which has the abilities of RT-MITM, plus:
• The hacker's phishing server can employ a Remote Terminal Service, which acts as a Remote Desktop Server.
• The phishing webpage embeds a Remote Desktop Client, which shows the victim the visual content of the browser on the hacker's server and lets the victim control the hacker's browser directly.
• Victim controls such as typing and mouse clicking are relayed to the hacker's server. No local Trojan assistance is needed.
ATTACK CAPTCHA SYSTEM BY CR-MITM
HYPOTHESIS (refer to Fig. 7):
• Since the visual interface of a CAPTCHA authentication system can be relayed, it is possible to mount an online-MITM attack at the interface level.
• As the hacker's browser initiates a connection to the bank server simultaneously, the RTS can project the hacker's browser interface to the RDC downloaded on the victim's side. The unconscious victim views the CAPTCHA authentication system as if it were downloaded locally and answers the CAPTCHA challenge. As the CR-MITM attack relays client control directly to the hacker's computer, access is granted once the hacker's browser submits the victim's credentials.
The above is also true for a Trojan-compromised scenario, but our CR-MITM attack can perform the same powerful visual attack without local Trojan assistance.
GENERALIZATION:
• A CAPTCHA authentication system can provide authentication but not end-to-end confidentiality; it still risks an MITM attack. A CAPTCHA challenge can always be relayed and solved by the victim himself, just as a computer's visual interface can always be relayed.

Fig. 7. Control Relaying - Man-In-The-Middle Attack (CR-MITM)

Fig. 8. Comparison between RT-MITM and CR-MITM
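As an added example (not from the paper), the Python model below plays out the Models section's offline and online MITM cases and Fig. 8's RT-MITM versus CR-MITM comparison with a time-based OTP; the sample credentials, the token seed, the 30-second window and the three channel identifiers are constructed. It adds one defensive variant the paper does not discuss, binding the OTP to the TLS session the client is actually on (a tls-unique style channel binding), to show which relays that stops and which it does not.

```python
import hashlib
import hmac
import struct

# Constructed sample data (hypothetical; not from the paper or any bank).
USER_ID = "customer-001"
USER_PIN = "482913"
TOKEN_SEED = b"constructed-secure-token-seed"
STEP_SECONDS = 30            # validity window of the modelled secure token

# Stand-ins for a TLS channel-binding value (e.g. tls-unique): one per session.
CHAN_VICTIM_TO_BANK = b"tls:victim->bank"
CHAN_VICTIM_TO_PHISHER = b"tls:victim->phisher"
CHAN_PHISHER_TO_BANK = b"tls:phisher->bank"


def otp_code(seed: bytes, now: int, channel: bytes = b"") -> str:
    """Time-based 6-digit OTP (RFC 4226 truncation over a time counter).
    `channel` is the added channel-binding input; a plain token uses b""."""
    msg = struct.pack(">Q", now // STEP_SECONDS) + channel
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Bank:
    """Legitimate server: checks ID and PIN, and optionally a single-use OTP."""

    def __init__(self, require_otp: bool, bind_otp_to_channel: bool = False) -> None:
        self.require_otp = require_otp
        self.bind_otp_to_channel = bind_otp_to_channel
        self._used_otps = set()

    def login(self, user_id: str, pin: str, otp: str, channel: bytes, now: int) -> bool:
        if user_id != USER_ID or not hmac.compare_digest(pin, USER_PIN):
            return False
        if not self.require_otp:
            return True                      # password only: a captured password is enough
        binding = channel if self.bind_otp_to_channel else b""
        expected = otp_code(TOKEN_SEED, now, binding)   # over the channel the bank itself sees
        if not hmac.compare_digest(expected, otp) or otp in self._used_otps:
            return False
        self._used_otps.add(otp)
        return True


def victim_fills_form(channel: bytes, now: int, channel_aware: bool = False) -> tuple:
    """The paper's unconscious user: enters ID, PIN and token code on whatever page is shown.
    With channel_aware=True the code is bound to the session the client software is on."""
    binding = channel if channel_aware else b""
    return USER_ID, USER_PIN, otp_code(TOKEN_SEED, now, binding)


def offline_mitm(require_otp: bool) -> bool:
    """Offline MITM: the phishing page stores the form; the attacker logs in an hour later."""
    bank = Bank(require_otp=require_otp)
    captured = victim_fills_form(CHAN_VICTIM_TO_PHISHER, now=0)
    return bank.login(*captured, channel=CHAN_PHISHER_TO_BANK, now=3600)


def online_relay(bind_otp_to_channel: bool) -> bool:
    """RT-MITM: the phishing server forwards ID, PIN and OTP to the bank within seconds.
    The victim's client is on the victim->phisher session; the bank sees phisher->bank."""
    bank = Bank(require_otp=True, bind_otp_to_channel=bind_otp_to_channel)
    form = victim_fills_form(CHAN_VICTIM_TO_PHISHER, now=0, channel_aware=bind_otp_to_channel)
    return bank.login(*form, channel=CHAN_PHISHER_TO_BANK, now=5)


def control_relay(bind_otp_to_channel: bool) -> bool:
    """CR-MITM: the victim types into the attacker's browser through the embedded remote
    desktop client, so the client computing any binding is on the phisher->bank session."""
    bank = Bank(require_otp=True, bind_otp_to_channel=bind_otp_to_channel)
    form = victim_fills_form(CHAN_PHISHER_TO_BANK, now=0, channel_aware=bind_otp_to_channel)
    return bank.login(*form, channel=CHAN_PHISHER_TO_BANK, now=5)


def direct_login(bind_otp_to_channel: bool) -> bool:
    """Control case: the user talks to the bank directly over a single session."""
    bank = Bank(require_otp=True, bind_otp_to_channel=bind_otp_to_channel)
    form = victim_fills_form(CHAN_VICTIM_TO_BANK, now=0, channel_aware=bind_otp_to_channel)
    return bank.login(*form, channel=CHAN_VICTIM_TO_BANK, now=5)
```

Browser-side binding defeats RT-MITM because the phisher's session to the bank is a different channel, but in CR-MITM the attacker's browser is the client on that channel, so the binding would have to be produced on the victim's side beyond the relayed interface, which is what the hardware or trusted-platform route in the Mitigation paragraph provides.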

MITIGATION: To mitigate CR-MITM, we can start from the root of the problem. Generally, to avoid MITM we can use hardware or a trusted platform to perform destination validation by cryptographic means. However, since customized hardware is always costly and trusted platforms are still not widely deployed, we always look for a software solution, preferably one without client-side installation. As the hypothesis of the CR-MITM attack rests on an unconscious victim and on visual interface relaying, if the design of the application can suppress visual interface relaying, it may mitigate CR-MITM. We will discuss mitigation techniques through the design of our E-CIS in our next work [19].

V. RELATED WORK

The issue of anti-phishing is a broad one, and there is a rich literature on detection of spoofed emails, toolbar notifiers and user education, which will not be reviewed here. Yahoo [20] and Bank of America [7] have their own site identification solutions; although their mechanisms differ, both enable user visual verification of the remote server by showing the user a familiar image or string. As the verification depends heavily on user consciousness, the user still risks an MITM or even a Trojan attack. Dhamija et al. [9] presented an anti-phishing technique called Dynamic Security Skins, which allows a remote server to authenticate itself to the client by matching a unique image computed at the client from a pre-shared secret, where the image is easy for a human to verify and hard to spoof. But they rely on host integrity, and their approach requires client-side installation and key distribution. Yee et al. [21] proposed an anti-phishing solution in which the user does not even need to remember the site password: the password is entered only by the Passpet browser plugin after domain verification, and it is hashed and customized for each domain. However, it has the limitation that the auto-filled password is based on the domain, which risks a pharming attack for non-SSL sites. Saklikar et al. [22] presented a CAPTCHA solution that embeds public key information inside the CAPTCHA so that the client side can verify the public key as well as the destination server. However, if the user is so unconscious, forced validation is needed, and their design requires client-side installation. As their CAPTCHA challenges are customized for each user in a database, creating a specific image-list pair for each client, it also induces a database storage issue for

growing number of customers, as well as client image-list revocation or recovery issues after an attack. Szydlowski et al. [11] proposed a Secure Web Input Application utilizing the idea of CAPTCHA for user input confidentiality and integrity against local malicious code. Their input application is used for transaction account confirmation, which still suffers from human-assisted attack. As hardware-based solutions can always force validation, they are not comparable to visual solutions.

VI. CONCLUSION

In this work, we reviewed current Man-In-The-Middle (MITM) attacks threatening online banking security, and how existing defenses fail to protect customers, such that even the hardware security token still risks an RT-MITM attack. We introduced the CAPTCHA idea and its related application in online banking. We then analyzed BEA's CIS system and proposed our CIS-bypassing attack. We point out that a CAPTCHA Input System implementation should be carefully designed. We proposed the Control-Relaying (CR)-MITM attack, a remote attack as powerful as a local Trojan, which may defeat CAPTCHA phishing protection in the future. In summary, our work demonstrates the limitations of CAPTCHA, as well as of visual security, in securing online banking. As attacks will never fall behind, the CAPTCHA idea for security is still worth developing. Our next work [19] is to design an Extended CAPTCHA Input System to suppress phishing by combining the properties of CAPTCHA with the time restriction of the One-Time-Password.
REMARK: Our original work and figures can be found on the project homepage [19].

REFERENCES
[1] Bank of East Asia, “Case Study: Cyberbanking by Bank of East Asia,” in Combating Phishing Attack - Challenges of phishing attack to banks, HKCERT Combating Phishing Attacks Seminar, Dec 2004.
[2] R. Dhamija, J. D. Tygar, and M. Hearst, “Why phishing works,” in CHI ’06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. New York, NY, USA: ACM, 2006, pp. 581–590.
[3] The Register, “HSBC forgets to renew its digital certificate,” Mar 2008.
[4] HSBC, “Security device,” in HSBC Personal Financial Services. HSBC.com, HSBC home&Away Privilege Programme, 2005.
[5] Federal Financial Institutions Examination Council, “FFIEC Releases Guidance on Authentication in Internet Banking Environment,” FFIEC Press Release, Oct 2005.
[6] B. Schneier, “Two-factor authentication: too little, too late,” Commun. ACM, vol. 48, no. 4, p. 136, 2005.
[7] Bank of America, “Bank of America announces industry-leading security feature for its 13.2 million online banking customers to help prevent fraud and identity theft,” May 2005.
[8] C. Soghoian and M. Jakobsson, “A deceit-augmented MITM against Bank of America’s SiteKey service,” Oct 2007.
[9] R. Dhamija and J. D. Tygar, “Phish and HIPs: Human interactive proofs to detect phishing attacks,” in Human Interactive Proofs: Second International Workshop (HIP 2005), 2005, pp. 127–141.
[10] L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, “CAPTCHA: Using hard AI problems for security,” in EUROCRYPT, 2003, pp. 294–311.
[11] M. Szydlowski, C. Kruegel, and E. Kirda, “Secure input for web applications,” in ACSAC, 2007, pp. 375–384.
[12] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, Nov 1976.
[13] W. Diffie, P. C. van Oorschot, and M. J. Wiener, “Authentication and authenticated key exchanges,” Designs, Codes and Cryptography, vol. 2, no. 2, pp. 107–125, 1992.
[14] M. Jakobsson and S. Myers, “Delayed password disclosure,” in DIM ’07: Proceedings of the 2007 ACM Workshop on Digital Identity Management. New York, NY, USA: ACM, 2007, pp. 17–26.
[15] C.-M. Leung, “Security analysis of banking Login System Scenario of Bank of East Asia - Cyberbanking Logon,” CM Leung research webpage, Nov. 2008. [Online]. Available: http://sites.google.com/site/lcmkov/
[16] OWASP, “WebScarab project,” Open Web Application Security Project website, last visited 18/12/2008. [Online]. Available: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
[17] AT&T Laboratories Cambridge, “VNC viewer for Java,” 1999. [Online]. Available: http://www.hep.phy.cam.ac.uk/vnc_docs/javavncviewer.html
[18] M. Fucci, “FlashLight-VNC: open source VNC viewer / player written in Flash,” June 2008. [Online]. Available: http://www.wizhelp.com/flashlight-vnc/index.html
[19] C.-M. Leung, “Depress phishing by CAPTCHA with OTP,” in ICASID’09: IEEE International Conference on Anti-counterfeiting, Security, and Identification in Communication. IEEE, Aug. 2009. [Online]. Available: http://sites.google.com/site/lcmkov/
[20] Yahoo! Inc., “What is a sign-in seal,” Yahoo Security Center, Aug 2006.
[21] K.-P. Yee and K. Sitaker, “Passpet: convenient password management and phishing protection,” in SOUPS ’06: Proceedings of the Second Symposium on Usable Privacy and Security. New York, NY, USA: ACM, 2006, pp. 32–43.
[22] S. Saklikar and S. Saha, “Public key-embedded graphic CAPTCHAs,” in Consumer Communications and Networking Conference (CCNC 2008), 5th IEEE, 10-12 Jan. 2008, pp. 262–266.


visual information anticipatory action is modulated by ...
Mar 22, 2011 - http://jn.physiology.org/content/105/3/1122.full.html#ref-list-1 including high resolution figures, can be found at: ... of Psychology, University of Queensland, Queensland, Australia; and 3Department of Psychology, University of Warwi

Temporal Filtering of Visual Speech for Audio-Visual ...
performance for clean and noisy images but also audio-visual speech recognition ..... [4] Ross, L. A., Saint-Amour, D., Leavitt, V. M., Foxe, J. J. Do you see what I ...

Internet Explorer security: is there any hope?
Jan 2, 2005 - inability to make it secure, is making people switch. E. Eugene .... Web page or HTML email message to ... er clicks on a link to a Web site con-.

Security Window Tint Is Very Effective On Impact.pdf
Whoops! There was a problem loading more pages. Retrying... Whoops! There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Security Window Tint Is Very Effective O

TDM-PON Security Issues: Upstream Encryption is ...
TDM-PON Security Issues: Upstream Encryption is Needed. David Gutierrez, Jinwoo Cho and Leonid G. Kazovsky. Photonics and Networking Research Laboratory, Stanford University,. 058 Packard Building, Stanford, California 94305, USA [email protected]. A

why-the-establishment-of-business-security-systems-is-important.pdf
why-the-establishment-of-business-security-systems-is-important.pdf. why-the-establishment-of-business-security-systems-is-important.pdf. Open. Extract.

How Windows is using hardware to improve security - BlueHat IL
Terminate process if invalid target. Indirect. Call. Kernel Control Flow Guard improves protection against control flow hijacking for kernel code. Paired with HVCI to ensure both code integrity and control flow integrity. OSR REDTEAM targeted kCFG bi

why-the-establishment-of-business-security-systems-is-important.pdf
why-the-establishment-of-business-security-systems-is-important.pdf. why-the-establishment-of-business-security-systems-is-important.pdf. Open. Extract.

Is finding security holes a good idea?
The Full Disclosure [1] mailing list, dedicated to .... Thus, the defender needs to work much harder than a dedicated attacker ..... Oracle9i Application Server. 20.

Google Web Security for Enterprise
... known malware threats, including malware “phone-home” communications. ... through a graphical dashboard, real-time rules-based filters, and a best-in-class.

OSDI insert for Security - Usenix
Nov 5, 2006 - Online pre-registration deadline: October 23, 2006. Register online at ... HOTEL INFORMATION ... PROGRAM CO-CHAIRS. David Andersen, Carnegie Mellon University ... Dina Katabi, Massachusetts Institute of Technology.

Google Web Security for Enterprise
Google Web Security for Enterprise Enforces Policy and Protects All Users. What Google Web ... document hosting and collaboration),. Google Page Creator ...

Google Web Security for Enterprise
lists, providing you with dynamic and multi-layered protection. Google Web Security for Enterprise is ... schools, colleges, and universities) and Premier Edition ...

OSDI insert for Security - Usenix
Nov 5, 2006 - Mike Afergan, Akamai. Mike Dahlin, University of Texas, Austin. Marc Fiuczynski, Princeton University. Michael Freedman, New York University.