Title :
Depress phishing by CAPTCHA with OTP
Author :
Leung, Chun-Ming
Author_Institution :
Dept. of Inf. Eng., Chinese Univ. of Hong Kong, Shatin, China
Abstract :
Addressing recent online banking threats, the main challenges are to enable safe online banking on a compromised host and to overcome users' general ignorance of security warnings. Costly hardware solutions have been proposed, from login authentication to transaction verification. However, we are always looking for a usable solution with higher acceptance and less effort. CAPTCHA is primarily used to prevent automated bot logins; a CAPTCHA-based application can further provide secure PIN input against keyloggers and mouse-loggers for a bank's customers. However, assuming users are always unconscious of security warnings, under this interesting condition CAPTCHA alone does nothing against phishing. Still, the CAPTCHA idea is worth developing. In this paper, we present the Extended CAPTCHA Input System (ECIS), in which we first extend the CAPTCHA idea to defend against the Real-Time Man-In-The-Middle (RT-MITM) attack and our proposed CR-MITM attack. The trick is to employ a moving CAPTCHA for input of a One-Time Password (OTP) with a time restriction, which can depress MITM auto-relaying of information as well as human-assisted MITM attacks. Our solution reuses the OTP tokens already shipped at large scale, which can save a huge amount of money compared with redesigning and shipping a new hardware solution.
Keywords :
authorisation; bank data processing; computer crime; message authentication; CAPTCHA; OneTime-Password; anti-phishing; antibot automated login; depress phishing; keylogger; login authentication; mouse-logger; online banking threat; safe online banking; security warning; transaction verification; Authentication; Banking; Certification; Costs; Hardware; Humans; Information security; Internet; Large-scale systems; Real time systems; Authentication; CAPTCHA; Man-In-The-Middle(MITM); One Time Password; Online Banking; Phishing;
Conference_Title :
Anti-counterfeiting, Security, and Identification in Communication, 2009. ASID 2009. 3rd International Conference on
Conference_Location :
Hong Kong
Print_ISBN :
978-1-4244-3883-9
Electronic_ISBN :
978-1-4244-3884-6
DOI :
10.1109/ICASID.2009.5276926