Riddle me this! Context Sensitive CAPTCHAs - Prof. Dr. Norbert Pohlmann

T. Urban, R. Riedel, N. Pohlmann:,
„Riddle me this! Context Sensitive CAPTCHAs”,
In Proceedings of the EuroUSEC 2017 – European Workshop on Usable Security,
2017

In modern information society online transactions are animportant part of our daily lives. In this work we proposea protocol that users to perform secure online transaction even if the used system is not trustworthy or infected withmal-ware. We developed auser-centeredprotocol that uses a CAPTCHA like approach to prevent attackers from manipulating a transaction without the user or the corresponding server noticing. Therefore, we add context sensitive information about the transaction to a task that is setto the user. This task is designed to be hard to solve for computer programs but easy for humans. To evaluate our approach we conducted a user study and computed the probability by which an attacker can successfully attack the system. We show that a vast majority (>94%) of all transaction can be secured while the system itself remains useable.

Online banking and online transactions are a huge part of the modern information society and will even grow in importance. Let alone between 2007 and 2015 the usage of online banking grew from 25% to 46% in Europe. Due to the rapid growth ofapplications that include micro transactions and the general digitalization of our society the amount of executed online transaction will rise further in the future. Fraudsters already compromised this sector in various ways. An official report published in 2014 by theGerman Federal Criminal Police Offices hows that the damage done by fraudsters in the online banking business rounds up toalmost 30 million Euro (in Germany). The actual damage is expected to be way higherdue to the large number of unknown cases which haven’t been reported by the finical institutions. Most financial institutions simply refund their customers without publishing the occurrence of a fraud. This is presumably done because the financial institutions want to avoid the bad publicity that comes along with this kind of press releases.