Visual security is feeble for Anti-Phishing

Addressing recent online banking threats, the banking industry offers us several solutions for our safety online banking experience, however those solutions may not finally secure the users under the rising threats. The main challenges are how to enable safe online banking on a compromised host, and solving the general ignorance of security warning. CAPTCHA is primarily used to anti hot automated login, also, CAPTCHA base application can further provides secure PIN input against keylogger and mouse-logger for Bank's customer[1]. Assuming users are always unconscious of security warning in our model, we have designed a series of attacks and defenses under this interesting condition. In this work, we will start by formalizing a security defense utilizing CAPCTCHA, its limitations are analyzed; Then, we will attack a local bank employing CAPTCHA solution, which we show how its can be bypassed from its vulnerability in its implementation. We further introduce - Control-Relaying Man-In-The-Middle(CR-MITM) attack, a remote attack just like a Remote Terminal Service that can capture and relay user inputs without local Trojan assistant, which is possible to defeat CAPTCHA phishing protection in the future. Under our model, we conclude, visual security defense alone is feeble for anti-phishing.