Security Flaw in eBanking Affects Over 100 Million Users

Tuesday, February 14, 2012

Alan Woodward

01ceb9281b3fb3dbb90c3efbe327717e

I sometimes find myself slightly irrated by having to prove that I am a human online, most often by using the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHAs). 

You've all had to use them at some point: those funny, distorted versions of a piece of text that only a human can decipher.

I content myself with the fact that these do provide a degree of security against web bots, and that maybe my irritation is more to do with my eyesight than anything else.  And, so, I have lived with this sense of security for some time.

I then noticed that CAPTCHAs were being used by some financial institutions, in some cases as part of a transaction verification process, which I assumed was again for protection against automated attack.  Although not common in the UK, various banks in countries such as US, Germany, China and Switzerland make extensive use of CAPTCHAs. 

And, this is not just a few banks. These are potentially used by over a hundred million customers.  The use in eBanking made me wonder just how vulnerable they were to attack: is it only a human that can decipher them.  Would a computer not be just as good as a myopic Professor? 

I was shocked when my friend Dr Shujun Li told me that not only were CAPTCHAs vulnerable but that he had demonstrated how you could successfully attack nearly 100% of those he had found in eBanking.

(click image to enlarge)

image

So, how does the attack work?  By combining a series of image and text processing techniques that have been know for a long time. 

Specifically:  

  1. Segment objects from a CAPTCHA image
  2. Image processing for removing noises/decoy objects and refining shapes of segmentation
  3. Detect random grid lines used in some e-banking CAPTCHA schemes
  4. Image inpainting for removing unwanted objects from a CAPTCHA image
  5. Character segmentation for extracting characters from a CAPTCHA image
  6. Character recognition for recognizing characters in a CAPTCHA image

(click image to enlarge)

Breaking_eBanking_CAPTCHAs

Hence, having recovered the text from the CAPTCHA presented as, say, part of a transaction verification process, a piece of malware could simply transfer that text to the required section of the banks web page and thus appear to be a valid human. 

Obviously this form of forging CAPTCHAs has to be used in particular attack scenarios but these were tried and succeeded. A piece of malware would have conduct a man-in-the-middle attack, which are still quite rare but gaining a foothold.  For a full description of the attack scenarios go read the paper

The attack was tested against a large range of eBanking systems and the results show quite conclusively that effectively 100% could be compromised. When this attack was run using a standard laptop one attack scenario took only 150ms to complete successfully. 

Hence, a computer cannot only do what a myopic Professor can, it can do it a lot faster.  Imagine this in an automated mass-attack. Imagine a trojan that was on machines in, for example, China where it stole a few pennies from millions of customers. 

Imagine what the bank's response might be. Might the bank not be tempted to say that it must have been a human that was involved and hence you must have revealed your password. After all, it can't have been a machine because of the CAPTCHA process.  

But, the thing that disturbs me a lot more is that Dr Li did this research some considerable time ago, and it was published, and he told those affected, yet those very same financial institutions continue to use this method. 

I don't intend to say who those institutions are here, but if you are such an institution please take note of this research and move to something like hardware/two-part authentication.  Nothing is perfect, but it is clear that CAPTCHAs are not the answer.  

Cross-posted from Professor Alan Woodward

Possibly Related Articles:
9339
Webappsec->General
Information Security
Authentication Trojans Research Vulnerabilities Attacks Financial hackers eBanking Alan Woodward CAPTCHA Shujun Li
Post Rating I Like this!
Default-avatar
Kenneth Swick I agree it shouldn't be used for verifying transactions. But where I see it used is to slow down account harvesting or other scripted attacks. Though seeing that 150ms number really makes me question that logic now...
1329248488
Bdd51d7429452e8653120e433ee0986a
Andrian Todorov Same problem should have a lot of other sites.
1331116850
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.