Authentication and authenticated key exchanges
Designs, Codes and Cryptography
Two-factor authentication: too little, too late
Communications of the ACM - Transforming China
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Passpet: convenient password management and phishing protection
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Proceedings of the 2007 ACM workshop on Digital identity management
Depress phishing by CAPTCHA with OTP
ASID'09 Proceedings of the 3rd international conference on Anti-Counterfeiting, security, and identification in communication
CAPTCHA: using hard AI problems for security
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Phish and HIPs: human interactive proofs to detect phishing attacks
HIP'05 Proceedings of the Second international conference on Human Interactive Proofs
Geo-location based QR-Code authentication scheme to defeat active real-time phishing attack
Proceedings of the 2013 ACM workshop on Digital identity management
To address recent online banking threats, the banking industry offers several solutions for a safe online banking experience; however, those solutions may not ultimately secure users against the rising threats. The main challenges are how to enable safe online banking on a compromised host and how to deal with users' general ignorance of security warnings. CAPTCHA is primarily used to prevent automated bot logins; a CAPTCHA-based application can further provide secure PIN input against keyloggers and mouse-loggers for a bank's customers [1]. Assuming in our model that users are always unaware of security warnings, we have designed a series of attacks and defenses under this interesting condition. In this work, we start by formalizing a security defense that uses CAPTCHA and analyze its limitations. We then attack a local bank that employs a CAPTCHA solution and show how it can be bypassed through a vulnerability in its implementation. We further introduce the Control-Relaying Man-In-The-Middle (CR-MITM) attack, a remote attack that works like a Remote Terminal Service and can capture and relay user inputs without the assistance of a local Trojan, which could defeat CAPTCHA phishing protection in the future. Under our model, we conclude that visual security defense alone is feeble for anti-phishing.