I’ve been (very) quiet recently for a number of reasons which I’ll not bore everyone with, but I have recently started to get my hands dirty in the new (to me) world of AWS. As an ex-physical-datacentre hosting monkey, this takes a bit of getting used to, as I’m still seeing things through the prism of physical kit. Having an actual project to work on has always been my preferred method of learning, even if the outcome may not ultimately produce anything of operational value.
To that end (and having spent too much time with QSAs when coming up with a workable scenario), I took a look at how, and whether, some of AWS’s features could be leveraged to identify if an uploaded image contained payment card data, which could then be used to trigger an organisation’s PCI handling processes.
Version 1 – CLI tool
I’m still a command-line junkie at heart, and still write (very poor) Python code when the need arises, so the first proof of concept was a CLI tool using AWS’s Python SDK, Boto3. Of the services that could achieve the project’s aim, Rekognition hit the top of the research pile. Amongst some fancy video analysis capabilities I need to investigate separately, AWS’s Rekognition service appeared to do exactly what was needed:
Amazon Rekognition makes it easy to add image and video analysis to your applications. You just provide an image or video to the Amazon Rekognition API, and the service can identify objects, people, text, scenes, and activities.
https://docs.aws.amazon.com/rekognition/latest/dg/what-is.html
I went into the project expecting to use some form of OCR to extract text from an image, then hunt for regexes matching a 16-digit card number, sort code, account number, expiry date etc. that might be indicative of a card. On an initial reading of Rekognition’s documentation, it is certainly capable of competently extracting text from an analysed image.
Thankfully however, whilst reading my way through the docs and SDK, I spotted something that made my life easier and, to everyone’s benefit, avoided the need for me to fight with regex strings. As usual, someone (AWS in this case) had got to the problem before me, in the form of the DetectLabels function call. DetectLabels does what you might expect from the name: it detects things in a given image and labels them with what Rekognition believes each thing to be; and one of the classes of things which Rekognition can detect is (you guessed it) payment cards.
With the above in hand, my initial use case for working with AWS produced the AWS-Card-Spotter POC:
```python
"""Testing Rekognition's ability to identify credit cards."""
import boto3
import config  # local module holding config.bucket (S3 bucket name) and config.images (list of object keys)

# Rekognition client in the region the test bucket lives in
rekog = boto3.client("rekognition", "eu-west-1")

for image in config.images:
    # Ask Rekognition to label whatever it finds in the S3-hosted image
    response = rekog.detect_labels(
        Image={
            "S3Object": {
                "Bucket": config.bucket,
                "Name": image
            }
        }
    )
    # Report only the label we care about, with Rekognition's confidence score
    for label in response['Labels']:
        if label['Name'] == "Credit Card":
            print("[%s] Credit Card Identified in %s: %i Confidence" % (config.bucket, image, int(label['Confidence'])))
```
It’s admittedly not much(*), but it provides the pipe through which to pass images to Rekognition and displays the analysis; in the case of my test images:
- [Your S3 Bucket Here] Credit Card Identified in Black-Credit-Card-Mockup.jpg: 86 Confidence
- [Your S3 Bucket Here] Credit Card Identified in CreditCard.png: 91 Confidence
- [Your S3 Bucket Here] Credit Card Identified in credit-card-perspective.jpg: 93 Confidence
(* In my defence: “not much” is precisely the power of cloud-first solutions. The ability for a novice scripter to achieve a non-trivial goal with a few lines of code, a couple of function calls and very little (no) capex is exactly why I’m currently finding this world so interesting.)
Version 2 – Serverless
With the above proving my premise was workable, I next looked to turn a command-line tool on my local machine into a consumable, automatable, cloud-native service (is that enough buzzwords for my VC elevator pitch?).
For the more experienced amongst you reading this, what came next is likely very obvious at this point:
- Image uploaded to S3 bucket
- Upload triggers a Lambda function (essentially a refactored version of the CLI code above)
- Lambda calls Rekognition
- Results are output to an SNS topic for consumption (in my test, an email with the results)
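The four steps above, as an added example of what the Lambda side of that pipeline looks like. This is example code written for this post, not the AWS-Card-Spotter project’s own Lambda; it assumes an SNS topic ARN in a TOPIC_ARN environment variable, a region in AWS_REGION, and a confidence threshold of 80 (the test images above scored 86 to 93, so anything lower is treated as noise). The Rekognition and SNS clients are passed in rather than created globally so the logic can be exercised offline with fakes; the constructed S3 event at the bottom shows the shape Lambda receives, including the URL-encoded object key that has to be decoded before it is handed back to Rekognition.

```python
"""Lambda handler: S3 upload -> Rekognition DetectLabels -> SNS notification.

Example code written for this post (not the project's own Lambda). Assumes
TOPIC_ARN and AWS_REGION environment variables; threshold is an assumption.
"""
import json
import os
from urllib.parse import unquote_plus

# Labels below this confidence are dropped by Rekognition itself (assumed threshold).
MIN_CONFIDENCE = 80.0
TARGET_LABEL = "Credit Card"


def objects_from_event(event):
    """Yield (bucket, key) pairs from an S3 ObjectCreated notification.

    S3 URL-encodes object keys in the event (a space arrives as '+'), so they
    must be decoded or the Rekognition lookup fails on a key that does not exist.
    """
    for record in event.get("Records", []):
        s3 = record["s3"]
        yield s3["bucket"]["name"], unquote_plus(s3["object"]["key"])


def card_confidence(rekog, bucket, key):
    """Return Rekognition's confidence that the object shows a payment card, or None."""
    response = rekog.detect_labels(
        Image={"S3Object": {"Bucket": bucket, "Name": key}},
        MinConfidence=MIN_CONFIDENCE,
    )
    for label in response["Labels"]:
        if label["Name"] == TARGET_LABEL:
            return float(label["Confidence"])
    return None


def scan_event(event, rekog, sns, topic_arn):
    """Scan every uploaded object and publish one SNS message per hit.

    Returns the list of findings so the caller (and a test) can inspect them.
    """
    findings = []
    for bucket, key in objects_from_event(event):
        confidence = card_confidence(rekog, bucket, key)
        if confidence is None:
            continue
        finding = {"bucket": bucket, "key": key, "confidence": round(confidence)}
        findings.append(finding)
        # Only the object location and score leave the function: the image
        # itself (and any text on it) never goes into the notification channel.
        sns.publish(
            TopicArn=topic_arn,
            Subject="Payment card image detected",
            Message=json.dumps(finding),
        )
    return findings


def lambda_handler(event, context):
    """Entry point wired to the bucket's ObjectCreated notification."""
    import boto3  # imported here so the pure logic above runs without the SDK installed

    region = os.environ.get("AWS_REGION", "eu-west-1")
    findings = scan_event(
        event,
        rekog=boto3.client("rekognition", region),
        sns=boto3.client("sns", region),
        topic_arn=os.environ["TOPIC_ARN"],  # assumed: set on the function's configuration
    )
    return {"findings": findings}


# Constructed sample event in the shape S3 sends to Lambda; bucket and key are made up.
SAMPLE_EVENT = {
    "Records": [
        {
            "s3": {
                "bucket": {"name": "example-bucket"},
                "object": {"key": "credit-card+perspective.jpg"},
            }
        }
    ]
}
```

Deploying this also needs the function’s execution role to allow rekognition:DetectLabels on the service, s3:GetObject on the bucket (Rekognition reads the object with the caller’s permissions) and sns:Publish on the topic; keeping the SNS message to bucket, key and score means the email subscriber only ever learns where the image is, not what is on it.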
And, to my surprise as much as everyone else’s…… It WORKED!
Version 3 – SSsssh!
That’s a work in progress, watch this space, and you never know….. <update: now you do>