Background
A high-profile online payment services company faced registration security issues: its account registration flow was exposed to hacking threats and brute-force attacks.
Challenge
The client was experiencing a widespread, highly publicized brute-force distributed denial of service (DDoS) attack on its account registration. The attack prevented potential users from establishing accounts and using the service, which had a direct negative impact on the client's revenue stream.
At the time, the client was using a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to distinguish real users from automated computer applications (bots), but this protection could be breached by bots and hackers. The client wanted an investigation into the deployment possibilities of a Flash-based CAPTCHA within its registration flow, to prevent hackers and brute-force attacks from consuming resources (free email, IM, account registrations, etc.).
Solution
An IPI team of experts gathered the implementation requirements and considerations from the client, which covered the stages an automated attack must complete to break an image CAPTCHA:
- Pre-processing: Removal of background clutter and noise
- Segmentation: Splitting of the image into regions which contain a single character
- Classification: Identifying the character in each region
The IPI team then developed a proof of concept (POC) system that used the agreed-upon Flash-based CAPTCHA (FLAPTCHA) objects. Additional research was performed to validate the feasibility of each of the six alternative FLAPTCHA designs and their ability to resist exploitation by methods beyond the four-step process currently used to crack the client's existing CAPTCHA.
Results
IPI consultants created a Web site that provided a proof of concept for each of the six FLAPTCHA designs, complete with a list of strengths and weaknesses for each. They also gave the client a full assessment of the technology and a list of next steps, all of which helped the client choose the design best suited to its existing and future needs and goals. Following the POC project, IPI was re-engaged to outline an implementation strategy.