Visual security is feeble for Anti-Phishing
Chun-Ming Leung
Department of Information Engineering
The Chinese University of Hong Kong
Shatin, N. T., Hong Kong
lcm007@ie.cuhk.edu.hk
Abstract—Addressing recent online banking threats, the banking
industry offers us several solutions for our safety online banking
experience, however those solutions may not finally secure the users
under the rising threats. The main challenges are how to enable safe
online banking on a compromised host, and solving the general ignorance
of security warning.
CAPTCHA is primarily used to anti bot automated login, also,
CAPTCHA base application can further provides secure PIN input
against keylogger and mouse-logger for Bank’s customer[1].
Assuming users are always unconscious of security warning in our
model, we have designed a series of attacks and defenses under this
interesting condition.
In this work, we will start by formalizing a security defense utilizing
CAPCTCHA, its limitations are analyzed; Then, we will attack a local
bank employing CAPTCHA solution, which we show how its can
be bypassed from its vulnerability in its implementation. We further
introduce - Control-Relaying Man-In-The-Middle(CR-MITM) attack, a
remote attack just like a Remote Terminal Service that can capture and
relay user inputs without local Trojan assistant, which is possible to
defeat CAPTCHA phishing protection in the future.
Under our model, we conclude, visual security defense alone is feeble
for anti-phishing.
Keywords- Phishing; Man-In-The-Middle (MITM); CAPTCHA;
Authentication; Implementation Flaw; Online Banking
I. I NTRODUCTION
Since the first phishing term was record at 1996 which was
hunting for free AOL account, phishing is having a increasing
tendency over the years. It then evolutes to financial fraud quickly, as
the criminals are always aim for high yield. Luckily, with the pursuit
of online banking, the banking industry is always motivated to play
a leading role in fighting phishing threat. However, the reported loss
to Internet Crime such as phishing has broken its record each year,
which was up to US$239 Million lost in 2007. It is telling us that
we are still looking for a better solution.
To confirm a destination it claim to be, the most trustworthy
technique is the use of Digital Certificate, which the certification
binding its public key together with an identity. The banking industry
started to implement Digital Certificates in 2002, however, this
trustful solution is always ignored by user [2]. An incident of HSBC
on 4th March 2008, that one of the world biggest bank has forgotten
to renew its Digital Certificate [3], but it claimed its online banking
for their customers still not affected. As we can imagine how many
users ignored the warning of invalid Digital Certificate and had their
online banking as usual in that day.
Notice that the Digital Certificates solution is a one-way authen-
tication of the bank, customers are rarely have their own Digital
Certificates. Obviously, the identity of customer is still threatened
by identity theft (e.g. Keylogger on infected machine) as since the
old age.
In 2005, One-Time-Password(OTP) based Two-factor authenti-
cation solution - Secure Token was delivered to bank customer
[4] to fight against keylogger and phishing. As the worldwide
encouragement of Two-factor authentication in the same year[5],
the phishing technique is also evolving, Secure Token was found
vulnerable to Real-Time Man-In-The-Middle(RT-MITM) Attack[6]
in 2005. For the fall of Secure Token by RT-MITM, we will describe
it in the later section.
Beside of authenticate the user, there is also needed to authenticate
the bank. Bank of America(BoA) tried to take a leading role in
fighting phishing, In 2005, BoA firstly role out SiteKey [7] to address
the issue, which was originally invented by RSA lab. However, the
SiteKey was doubted it can achieves its target [8], since it obviously
risks suffer from MITM attack.
Recently, the idea of Human Interactive Proof(HIP) is used to
fight against phishing [9]. There is an CAPTCHA application used
in online Banking[1], however, the application may not achieves its
initial goal when facing the rising threat of phishing techniques such
as RT-MITM.
In this paper, start by attacking the careless CAPTCHA imple-
mentation of BEA online banking, we argue CAPTCHA alone is
not a panacea in dealing with the phishing threat. In the coming
section, we will have a detail analysis on these issues.
A. CAPTCHA - Completely Automated Public Turing test to tell
Computers and Humans Apart
The base of CAPTCHA is to use hard AI problem to distinguish
Human and bot apart [10] which was originally evolved from Visual
authentication and identification.
The primary use of CAPTCHA is to fight against auto-bot in
Account Registration and Click Fraud.
Since the mature cryptographic techniques are ineffectual when
facing user ignorance[2], there are a tend of applying CAPTCHA
ideas in Phishing defense [11], [1], detail see related work.
In fact, visual human verifiable techniques(e.g. SiteKey[7])
are vulnerable to MITM attack[8]. Also, careless CAPTCHA
implementation[1] can leads the application fail to achieve its
mission.
In the rest of sections, we will demonstrate how to break an
application[1] by exploiting its implementation flaw.
B. Man-In-The-Middle Attack
In history, the earliest Man-In-The-Middle(MITM) Attack is a
cryptographic term, where MITM has the following abilities:
1) Eavesdrops and Intercepts all messages going between the
victims;
2) Relays messages between them.
In short, MITM attack make the victims believe that they are directly
talking to each other in a direct connection without indicate the
existence of middle man.
One famous MITM attack on cryptographic Public Key Infras-
tructure(PKI) algorithm is the attack on initial version of Diffie-
Hellman algorithm[12] in 1976, which the secure parameters g x g y
exchanged have no actual authentication mean, such that risk suffer
from MITM attack. The attack scenario was also well described on
the publication of it advanced Authenticated Key Exchange(AKE)
version[13]. Which in the AKE version of DH algorithm, Diffie
etal. combine the use of Digital Signature and random number to
authenticate each parties. This lesson telling the fact that a secure
protocol without actual authentication will risks suffer from MITM
attack.
MITM can be at user interface layer visually, Schneier [6]
described a RT-MITM attack at user interface layer in 2005, which
can defeat 2 factor secure token: An attacker setup a fake bank
website, and entices a user to that website just like Phishing. When (a) Login Page (b) Scrambled Number-pad.
user types his ID, password, including the 2nd factor (e.g. security
Fig. 1. Propertie of BEA Cyber Banking
token), then the attacker uses it to access the legitimate bank’s
website simultaneously. The scenario is also true for attacking SMS
challenge code, as victim can type the code on phishing site, it can
We will show how RT-MITM attack can compromise a
be relayed. The protection of the 2nd factor becomes nothing to this
CAPTCHA plus 2nd Factor protection scenario.
kind of online active attacker. The attack is classified as an Online
We found another type of Online MITM attack we named Control-
Doppelganger Attack[14] to further distinguish this type of relaying
Relaying MITM attack, which is not going to relay the victim
attack between the traditional cryptographic MITM attack.
creditential, instead, it relay the User Control to Hacker machine.
In this paper, we will analyze the abilities of current anti-phishing
solutions against the most recent internet security threats. A. CAPTCHA against Auto-bot
C. Our contribution BACKGROUND: Web services are abused by Auto-bot, for the
availability of service to Human, we want to distinguish Human and
In this paper, we make the following contributions:
AI to prevent abuse and spam.
1) Current CAPTCHA solutions used against phishing are ana- H YPOTHESIS
lyzed;
• Hard AI problem such as Character Recognition can be easily
2) Demonstrate an attack on a careless CAPTCHA implemen-
done by Human but not auto-bot.
tation of a Local Online Banking, which the CAPTCHA
• Applying AI problem during the authentication process, we can
challenege can be bypassed;
guarantee Human present at other side.
3) Future attack - Control-Relaying Man-In-The-Middle(CR-
MITM) attack, a remote attack that can capture and relay P ROCEDURE
user inputs without local Trojan assistant, which may possibly • Define a Hard AI problem which human can solve but AI

defeat CAPTCHA application; cannot, e.g. CAPTCHA.

We argue visual security such as CAPTCHA alone is feeble in
dealing with the phishing threat.
II. M ODELS
In our model, assuming users are always unconscious of security
warning.
We simply distinguish MITM attacks in Phishing into 2 types,
they are distinguished by whether the hacker have interaction with
legitimate server simultaneously during the login phase.
• An Offline MITM Attack capture password based authentica-
tion passively, which the password is never changed.
• An Online MITM Attack can even defeats 2nd factor One-
Time-Password (OTP) authentication interactively, which the
valid OTP is instantly relay to legitimate server.
The adversaries can perform different type of MITM attack base on
the authentication factors of the legitimate server:
III. ATTACKS AND D EFENSES
In this section, we will present a series of Attack and Defense to
show both the power and limitation of CAPTCHA. For the attack
involve human victim, we consider human user is unconscious and
always ignore invalid CA cert warning.
We will start by introducing the original idea of CAPTCHA and
its known vulnerabilities. Then we will introduce a CAPTCHA
like implementation of a Local bank which utilize the power of
CAPTCHA to fight against keylogger and auto-bot login by it
Scramble Num-Pad Login Applet. Followed by our CAPTCHA
bypassing attack by exploit its implementation flaw.
• Require human interaction before gain access to service.
ACHIEVEMENT
• Auto-bot cannot access to service without human.
• In a worst case, without effective OCR, Brute force must be
used
G ENERALIZATION: Hard AI problem can resist auto-bot login
(e.g. CAPTCHA). Hence can also resist brute force password
guessing.
W EAKNESS
• It is vulnerable to human solver, and clever OCR.
• It is relay-able, it risks suffer to RT-MITM attack.
B. Local Bank fighting online threats
BACKGROUND: With the increasing acceptability and convenient
of online banking, the online threats targeting user creditentenial
such as of keylogger and spyware are also raising. We use an
example of a local bank(fig. 1a) to elaborate the use of CAPTCHA
in fighting online threat.[15]1
P ROPERTIES
• An onscreen Number-Pad for password input, it must be input
by mouse clicking; The Number-Pad is formed by 10 images,
and the positions of each number buttons will be scrambled(by
refreshing applet or by pressing of ”Clear” button).(fig. 1b)
• Resistance to both keylogger and mouse-logger, since no key
has been typed, and the Number-pad is scramblized every times
1 Notes: Our experiment was done at May 8, 2008; New interface was
released from the Bank of East Asia since July 24, 2008
 that mouse position logging has no meaning. Hence it also resist
to local Trojan attack without clever OCR.
These CAPTCHA property can resist Auto-bot login, hence resist
brute force password guessing
P ROCEDURE
• Design a password field in an applet only accept mouse click
input on the Onscreen-Number-pad.
• Number-pad is scrambled each time.
• Applet output is encrypted by inputting bank public key inside
applet plus a random number on a login page.
ACHIEVEMENT
Fig. 2. Login procedures of BEA.
• Neither keyboard or mouse loggers are able to capture user
creditential.
• With encryption algorithm, even with known password, local
malicious program cannot produce predicted applet output,
hence cannot bypass CAPTCHA applet easily. Auto-bot cannot
login.
G ENERALIZATION
• Password authentication associate with image recognition by
mouse input on scramble number pad is a hard AI problem
depressing logger and spyware. Fig. 3. PINBoxApplet: PIN string concatenation by Moving Number-pad.
• Guarantee human interaction in login system

V ULNERABILITIES
• The number-pad image is static which can be recognize by
OCR easier than other CAPTCHA.
• Both CAPTCHA and Password is relay-able and vulnerable to
RT-MITM attack.
• Java Applet is subject to decompilation and reverse engineering,
leaking secure algorithm may risks beaching of system.
C. Bypass CAPTCHA Input System of BEA
BACKGROUND: BEA Password Input System take advantage of
CAPTCHA properties. However, careless implementations might
make their CAPTCHA system to be bypassed or easily broken by
OCR. In this section, we evaluate the CAPTCHA Input System of
BEA by Reverse Engineering, and then propose an attack to bypass
its CAPTCHA protection.
P ROCEDURES AND P ROPERTIES OF BEA’ S CIS (fig. 2):
Client connect Bank Server by HTTPS through browser, Server side
use JAVA Servlet to generate dynamic page with Java Script for
client browsing; Inside the Applet, its PIN text field is protected,
which only accept key input from on-screen keyboard and moving
Number-pad. In the source code of Login Page, there are essential
input-parameters such as AcctNo, EncPINBlock and others used
for encryption are stored in Hidden-Field; Input-parameters are
further processed by Java-Applet named PINBoxApplet.class, which
is included in webpin.jar downloaded from server and stored locally
on the client. Finally, the Login Form will be submitted by POST
submission method;
H YPOTHESIS OF OUR ATTACK
• Java Applet can be decompiled and analyzed, hence source code
inside applet can be modified.
• By Reverse Engineering, we found that PIN construction are
separated in 2 java classes: PINBoxApplet class is for PIN
string concatenation by Moving Number-pad, LogonApplet
class is to generate encrypted PIN.
The login Java Applet is designed to be reusable, it make its
output unique by learning hidden parameters (Public Exponent,
Modulus, Challenge) and use them to encrypt the user PIN
input.
• In the submission procedure, we found that the user mouse in-
puts on CIS are finally transformed to string variable (pwdField)
in PINBoxApplet class(fig. 3), and then pass to LogonApplet
class for further PIN encryption.
• As LogonApplet accept plaintext password string input from
PINBoxApplet. It can also accept any string input(fig. 4),
it is possible to bypass CIS in PINBoxApplet, which the
LogonApplet can be accessed directly to produce encrypted
PIN.
• By modifying PIN passing algorithm in Java Applet, it is
possible to allow password input without mouse clicking on
Moving Number-pad, but still able to utilize the PIN encryption
algorithm.
• Downloaded Java Applet is cached and stored in defined
location by Java Control Panel (JCP). Although JCP will check
the integrity of Downloaded Applet before run the cached
Applet, however, if the Applet is intercepted and replaced
by a modified one during it first download, there is nothing
JCP can do 1 (fig. 5). Then the modified applet can exploit
the PIN Encryption Java class as an input interface, it finally
bypasses the Moving Number-pad algorithm, then input PIN
string directly to PIN Encryption Java class.
We will prove our concept by demonstrating an attack replacing
the new Applet version by its older version.(fig. 6)
In summary, bypassing the CIS can be done in 2 stages: (1) Setup
a Modified Applet which can bypass CIS; (2) Replace legitimate
Applet by the Modified CIS bypassing Applet.
ATTACK S ETUP
• Analyze Login page of online Bank, download and decompile
the Java Applet Password Input System named (webpin.jar).
• By modifying PIN passing algorithm in Java Applet(fig. 4).
The modified Applet can allow password input without mouse
clicking on Moving Number-pad (because LogonApplet accepts
plaintext password string input), but still able to utilize the PIN
encryption algorithm.
1 BEA JavaApplet can be replaced by WebScarab[16]

Fig. 4. Procedure of PIN Encryption: LogonApplet accept plaintext
password string input from PINBoxApplet.
Fig. 5. Implementation of Java Applet Replacement Attack.
Fig. 6. Java Applet Replacement Attack: New version of Password Input
System is replaced by its older version. Notes that (a) is the original, (b) is
the Modified. CA certifications are still valid.
• Use proxy (e.g. WebScarab[16]) to intercept the Applet down-
loaded from legitimate server, replaced by the modified Applet.
By utilizing proxy interception, local Java Control Panel won’t
be notified the modification, so that the modified Applet can be
cached locally, and then pass checksum checking in the future1 .
ATTACK P ROCEDURE
• Hacker setup a Phishing website to phish for victim creditential.
• Victim input ID and Password on phishing website.
• Thought the modified CAPTCHA bypassing Applet, hacker can
automate the password input relaying.
• Hacker Applet submit victim’s ID and Password to the Bank,
then gain access to online banking.
C ONSEQUENCE : CAPTCHA access control and authentication
protection is bypassed, hence hacker can reduce the cost of phishing
as it can access to online banking directly by automated login
without human assistant.
G ENERALIZATION
• The security of BEA CAPTCHA system is through obscurity,
however, CAPTCHA implementation on Java Applet is subject
to reverse engineering.
• If CAPTCHA protection can be bypassed, hacker can perform
automated login.
D. Attack on BEA CAPTCHA Input System plus OTP protection
by RT-MITM
BACKGROUND AND P ROPERTIES: Assuming recent hacker with
RT-MITM ability, where RT-MITM can defeat the 2nd factor au-
thentication provided by One-Time-Password(OTP) secure token. In
1 Notes: Java Control Panel will check the checksum of its cached Applet
application before it runs on browser, which the checksum is compared to
its recorded value at the status when the application was just downloaded.
this work, we will show the CAPTCHA Input System of BEA will
be defeated by RT-MITM even it implements the OTP 2nd factor au-
thentication. Base on current implementation of BEA login system,
plus a One-Time-Password input field using Scramble Number-pad.
H YPOTHESIS
• CAPTCHA images can be relayed and vulnerable to human
solver, and victim himself is human and willing to solve the
CAPTCHA for his login purpose.
• Even further authenticate client by One-Time-Password, but
OTP can also be relayed.
If hacker gains ID, PIN and OTP, hacker can gain access to legitimate
server simultaneously.
P ROCEDURE
• Hacker setup a Phishing website to phish for victim creditential.
• Hacker server establish connection with legitimate server during
phishing, and capture login screen.
• The image of the scramble Number-pad is relayed to victim,
mouse click positions are memorized. Those mouse clicks are
regenerated on hacker server.
• Hacker server submit captured ID, PIN and OTP to legitimate
server simultaneously, access granted.
G ENERALIZATION: As both CAPTCHA and OTP 2nd factor can
be relayed, they can not defend RT-MITM attack.
IV. F UTURE ATTACK
In this section, we will introduce an attack that may become
practical in the future, since the computational power and bandwidth
of attacker and victim is generally raising which enable new attack
vector delivery, visual scamming over network become practical and
persuading nowadays.
A. Derivative of Online-MITM attack
The basic of MITM is to exploit a scenario that each ends are
unable to authenticate other actually. The most secure way is a
cryptography protection such as the use of CA certification with
public key encryption which can authenticate atleast server side and
secure the transaction over the paths between two ends. However
due to the user general ignorance of CA certificate verification, it
motivate the urge for security other then the promising CA certificate
protection.
As CAPTCHA discussed in the previous section, whatever how
dynamic of the system or how hard a AI problem its create, we can’t
authenticate remote party visually. Hopelessly, Trojan can always
able to obfuscate our user visually.
We found online-MITM attack is not limited to the described RT-
MITM published by Schneier[6] in 2005. We predict in the nearest
future, it is possible for a hacker to employ something like Remote
Terminal Service to perform a visual phishing scam. Imagine what
is showing on our browser is actually a remote image located at
remote site, we maybe convinced by visual outlooking. As we can
do remote administration on browser with plugin just like using a
VNC Java viewer[17], or even a newly invented light weight VNC
Flash viewer [18], it is possible for attacker to conduct such visual
MITM attack utilizing those applications. Detail will be described
below.
B. Attack CAPTCHA authentication system by CR-MITM
We will introduce Control Relaying-Man In The Middle (CR-
MITM) attack, which the attacker may possibly defeat CAPTCHA
authentication system as it take the favor of the rising computational

Fig. 7. Control Relaying - Man-In-The-Middle Attack (CR-MITM)
Fig. 8. Comparison between RT-MITM and CR-MITM
power and bandwidth in the future. This is a remote attack that can
capture and relay user inputs without local Trojan assistant. (Fig. 8)
The attack is started by develop a phishing webpage which is
embedded a Remote Desktop Client (RDC) browser application;
when victim visit hacker server, the RDC is downloaded, then
the hacker server init a connection to bank server simultaneously.
After hacker server downloads the login page on hacker’s browser,
hacker starts it Remote Terminal Service (RTS) which project the
hacker’s browser content to the RDC running on victim’s browser,
the RTS allows the victim RDC takeovers the control of hacker
browser.(Fig. 7)
Since the victim input on CAPTCHA authentication system is
processed directly on hacker’s browser in real time. After the bank
server verify the user creditential, hacker then gain access to online
banking.
As this type of online MITM attack is not based on information
relaying as described RT-MTIM, instead, the control privilege of
hacker’s browser is relayed to victim, so it called Control Relaying-
MITM attack.(Fig. 8)
C ONTRIBUTION: We contribute on extending the category of
MITM attacks, as the power of CR-MITM attack is the same as
trojan assisted RT-MITM attack, while CR-MITM can capture and
relay user input without local trojan assistant.
S ECURITY M ODEL
CR-MITM is classified as an online-MITM attack, which has the
ability of RT-MTIM, plus:
• Hacker phishing server can employ a Remote Terminal Service,
which can act as a Remote Desktop Server.
• The phishing webpage has been embedded a Remote Desktop
Client, which shows the browser visual content on hacker server
to victim, and let the victim control the hacker site browser
directly.
• Victim control such as typing and mouse clicking are relayed
to hacker server. No local Trojan assistant needed.
ATTACK CAPTCHA SYSTEM BY CR-MITM
H YPOTHESIS(Refer to figure 7.)
• Since CAPTCHA authentication system’s visual interface can
be relayed. It is possible to place an online-MITM attack at
interface level.
• As hacker’s browser init a connection to bank server simulta-
neously, the RTS can project hacker’s browser interface to the
RDC downloaded on victim side. Unconscious victim views the
CAPTCHA authentication system as downloaded locally, then
answer to CAPTCHA Challenge.
• As CR-MITM attack can relay client control directly to hacker
computer. After hacker browser submitted victim’s creditentials,
access granted.
The above is also true for Trojan compromised scenario, but our CR-
MITM attack can perform the same powerful visual attack without
local Trojan assistant.
G ENERALIZATION:
• CAPTCHA authentication system can provide authentication
but not the end to end confidentiality, it still risks suffer from
MITM attack.
• CAPTCHA challenge can always be relayed, and to be solve by
victim himself, as well as computer visual interface can always
be relayed.
M ITIGATION:
To mitigate CR-MITM, we can start from the root of problem. Gen-
erally, to avoid MITM we can use hardware or trusted platform to
perform destination validation by mean of cryptographic. However,
since customized hardware is always costly, and trusted platform is
not widely employed still, so that we always look for a software
solution even without client side installation.
As the hypothesis of CR-MITM attack is base on victim conscious
and visual interface relaying, if the design of application can depress
visual interface relaying, it can possibly mitigate CR-MITM. We will
discuss the mitigation techniques by the design of our E-CIS in our
next work[19].
V. R ELATED W ORK
The issue of Anti-Phishing is a board one, and there is a rich
literature on detection of spoofed emails, toolbars notifier, and also
education field, which will not be reviewed here.
Yahoo [20] and Bank of America [7] have their own site identi-
fication solution, although their mechanisms are different, but both
of them are used to enable user visual verification of remote server
by seeing user’s familiar image or string. As the verifications are
heavily depend on user conscious, user still risk suffer from MITM
or even a Trojan attack.
Dhamija, etal [9] presented an anti-phishing technique called
Dynamic Security Skins, that allow remote server authenticate itself
to client by matching unique image computed at client base on pre-
shared secret, where the image is easy to be verified by human and
hard to be spoofed. But they rely on host integrity, their approach
require client side installation and key-distribution.
Yee, etal [21] proposed a anti-phishing solution which the user
even no need to remember site password and password will only
be entered by Passpet browser plugin after domain verification, and
the password is hashed and customized for each domain. However,
it has a limitation that the auto-fill-in password is based on domain
which risks suffer from pharming attack for non-SSL site.
Sakikar, etal [22] presented a CAPTCHA solution which embed
public key information inside CAPTCHA that client side can ver-
ify the public key as well as the destination server. However, if
user is such unconscious, force validation is needed, their design
requires client side installation. As their CAPTCHA challenges are
customized for each user in database and create a specific image list
pair for each client, it also further induce database storage issue for
growing number of customers, as well as client image list revoke or
recovery issues after attack.
Szydlowski, etal [11] proposed a Secure Web Input Application
utilizing the idea of CAPTCHA for user input confidentiality and
integrity against local malicious code. Their Input Application is
used for transaction account confirmation, which is still suffer from
human assisted attack.
As hardware based solutions can always forcing validation, it is
not comparable to visual solution.
VI. C ONCLUSION
In this work, we reviewed current Man-In-The-Middle(MITM)
attacks which threatening online banking security, and how existing
defense fail to protect our customer that even the hardware security
token still risks suffer from RT-MITM attack.
We introduced the use of CAPTCHA idea and its related applica-
tion in online banking. Then we analysis on BEA’s CIS system, and
proposed our CIS bypassing attack. We point out that CAPTCHA
Input System implementation should be carefully designed.
We proposed Control-Relaying(CR)-MITM attack, a remote attack
as powerful as local trojan, which is possible to defeat CAPTCHA
phishing protection in the future.
In summary, our work demonstrated the limitation of CAPTCHA
as well as visual security in securing online banking.
As attack will never fall behind, the CAPTCHA idea for security
is still worth to be developed. Our next work[19] is to design an
Extended CAPTCHA Input System to depress phishing by utilizing
the properties of CAPTCHA combining the time restriction of One-
Time-Password.
R EMARK : Our original work and figures can be founded in project
homepage[19].
R EFERENCES
[1] Bank of East Asia, “Case Study Cyberbanking by Bank of East Asia,”
in Combating Phishing Attack - Challenges of phishing attack to banks.
HKCERT: Combating Phishing Attacks Seminar, Dec 2004.
[2] R. Dhamija, J. D. Tygar, and M. Hearst, “Why phishing works,” in
CHI ’06: Proceedings of the SIGCHI conference on Human Factors in
computing systems. New York, NY, USA: ACM, 2006, pp. 581–590.
[3] T. Register, “Hsbc forgets to renew its digital certificate,” Mar 2008.
[4] HSBC, “Security device,” in HSBC Personal Financial Services.
HSBC.com, HSBC home&Away Privilege Programme, 2005.
[5] Federal Financial Institutions Examination Council, “FFIEC Releases
Guidance on Authentication in Internet Banking Environment,” in
FFIEC Press Release. The Federal Financial Institutions Examination
Council, Oct 2005.
[6] B. Schneier, “Two-factor authentication: too little, too late,” Commun.
ACM, vol. 48, no. 4, p. 136, 2005.
[7] Bank of America, “Bank of america announces industry-leading secu-
rity feature for its 13.2 million online banking customers to help prevent
fraud and identity theft,” May 2005.
[8] M. J. Christopher Soghoian, “A deceit-augmented mitm against bank
of america’s sitekey service,” Oct 2007.
[9] R. Dhamija and J. D. Tygar, “Phish and hips: Human interactive proofs
to detect phishing attacks,” in In Human Interactive Proofs: Second
International Workshop (HIP 2005, 2005, pp. 127–141.
[10] L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, “Captcha: Using
hard ai problems for security,” in EUROCRYPT, 2003, pp. 294–311.
[11] M. Szydlowski, C. Kruegel, and E. Kirda, “Secure input for web
applications,” in ACSAC, 2007, pp. 375–384.
[12] W. Diffie and M. Hellman, “New directions in cryptography,” Informa-
tion Theory, IEEE Transactions on, vol. 22, no. 6, pp. 644–654, Nov
1976.
[13] W. Diffie, P. C. V. Oorschot, and M. J. Wiener, “Authentication and
authenticated key exchanges,” Des. Codes Cryptography, vol. 2, no. 2,
pp. 107–125, 1992.
[14] M. Jakobsson and S. Myers, “Delayed password disclosure,” in DIM
’07: Proceedings of the 2007 ACM workshop on Digital identity
management. New York, NY, USA: ACM, 2007, pp. 17–26.
[15] C.-M. Leung, “Security analysis of banking Login System -
Scenario of Bank of East Asia - Cyberbanking Logon,” CM
Leung research webpage, Nov. 2008. [Online]. Available: http:
//sites.google.com/site/lcmkov/
[16] OWASP, “Webscarab project,” Open Web Application Security
Project website, last visited at 18/12/2008. [Online]. Available: http:
//www.owasp.org/index.php/Category:OWASP WebScarab Project
[17] At&t Lab, Cambridge, “Vncviewer for java,” AT&T Laboratories
Cambridge, 1999. [Online]. Available: http://www.hep.phy.cam.ac.uk/
vnc docs/javavncviewer.html
[18] M. FUCCI, “Flashlight-vnc open source vnc viewer / player written in
flash,” Marco Fucci - FlashLight-VNC, June 2008. [Online]. Available:
http://www.wizhelp.com/flashlight-vnc/index.html
[19] C.-M. Leung, “Depress phishing by CAPTCHA with OTP,” in
ICASID’09: IEEE International Conference on Anti-counterfeiting,
Security, and Identification in Communication. IEEE, Aug. 2009.
[Online]. Available: http://sites.google.com/site/lcmkov/
[20] Yahoo!Inc., “What is a sign-in seal,” in Yahoo Security Center. Ya-
hoo.com, Yahoo Security Center, Aug 2006.
[21] K.-P. Yee and K. Sitaker, “Passpet: convenient password management
and phishing protection,” in SOUPS ’06: Proceedings of the second
symposium on Usable privacy and security. New York, NY, USA:
ACM, 2006, pp. 32–43.
[22] S. Saklikar and S. Saha, “Public key-embedded graphic captchas,”
Consumer Communications and Networking Conference, 2008. CCNC
2008. 5th IEEE, pp. 262–266, 10-12 Jan. 2008.