Author

Ahmad Salah El Ahmad

Bio: Ahmad Salah El Ahmad is an academic researcher from Newcastle University. The author has contributed to research in topics: CAPTCHA & Security engineering. The author has an h-index of 5 and has co-authored 6 publications receiving 801 citations.

Papers
Proceedings Article
27 Oct 2008
TL;DR: It is shown that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks, including the schemes designed and deployed by Microsoft, Yahoo and Google.
Abstract: CAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-based schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. In this paper, we present new character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation-resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took on average ~80 ms for the attack to completely segment a challenge on an ordinary desktop computer. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, the design goal was that automated attacks should not achieve a success rate of higher than 0.01%. For the first time, this paper shows that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks.

407 citations

Proceedings Article
23 Jul 2008
TL;DR: Usability issues that should be considered and addressed in the design of CAPTCHAs are discussed, and a simple but novel framework for examining CAPTCHA usability is proposed.
Abstract: CAPTCHA is now almost a standard security technology, and has found widespread application in commercial websites. Usability and robustness are two fundamental issues with CAPTCHA, and they often interconnect with each other. This paper discusses usability issues that should be considered and addressed in the design of CAPTCHAs. Some of these issues are intuitive, but some others have subtle implications for robustness (or security). A simple but novel framework for examining CAPTCHA usability is also proposed.

319 citations

Proceedings Article
13 Apr 2010
TL;DR: This paper shows that this new CAPTCHA scheme deployed until very recently by Megaupload can be segmented using a simple but new automated attack with a success rate of 78%.
Abstract: CAPTCHA is a standard security technology that presents tests to tell computers and humans apart. In this paper, we examine the security of a new CAPTCHA that was deployed until very recently by Megaupload, a leading online storage and delivery website. The security of this scheme relies on a novel segmentation resistance mechanism. However, we show that this CAPTCHA can be segmented using a simple but new automated attack with a success rate of 78%. It takes about 120 ms on average to segment each challenge on a standard desktop computer.

72 citations

Journal Article
TL;DR: Captchas are a standard defense on commercial websites against undesirable or malicious Internet bot programs, but widely deployed schemes can be broken with simple but novel attacks.
Abstract: Captchas are a standard defense on commercial websites against undesirable or malicious Internet bot programs, but widely deployed schemes can be broken with simple but novel attacks. Applying security engineering expertise to the design of Captchas can significantly improve their robustness.

33 citations

01 Jan 2010
TL;DR: It is shown that the use of colours in the design of CAPTCHA, a standard security technology that has found widespread applications in commercial websites, can have critical implications on both security and usability.
Abstract: The use of colour in user interfaces is extensive. It is typically a usability issue, and has rarely caused any security concerns. In this article, we show that the use of colours in the design of CAPTCHA, a standard security technology that has found widespread applications in commercial websites, can have interesting but critical implications on both security and usability.

5 citations


Cited by
Proceedings Article
27 Oct 2008
TL;DR: It is shown that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks, including the schemes designed and deployed by Microsoft, Yahoo and Google.
Abstract: CAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-based schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. In this paper, we present new character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation-resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took on average ~80 ms for the attack to completely segment a challenge on an ordinary desktop computer. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, the design goal was that automated attacks should not achieve a success rate of higher than 0.01%. For the first time, this paper shows that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks.

407 citations

Proceedings Article
23 Jul 2008
TL;DR: Usability issues that should be considered and addressed in the design of CAPTCHAs are discussed, and a simple but novel framework for examining CAPTCHA usability is proposed.
Abstract: CAPTCHA is now almost a standard security technology, and has found widespread application in commercial websites. Usability and robustness are two fundamental issues with CAPTCHA, and they often interconnect with each other. This paper discusses usability issues that should be considered and addressed in the design of CAPTCHAs. Some of these issues are intuitive, but some others have subtle implications for robustness (or security). A simple but novel framework for examining CAPTCHA usability is also proposed.

319 citations

Proceedings Article
17 Oct 2011
TL;DR: It is found that 13 current visual CAPTCHAs based on distorted characters that are augmented with anti-segmentation techniques from popular web sites are vulnerable to automated attacks.
Abstract: We carry out a systematic study of existing visual CAPTCHAs based on distorted characters that are augmented with anti-segmentation techniques. Applying a systematic evaluation methodology to 15 current CAPTCHA schemes from popular web sites, we find that 13 are vulnerable to automated attacks. Based on this evaluation, we identify a series of recommendations for CAPTCHA designers and attackers, and possible future directions for producing more reliable human/computer distinguishers.

312 citations

Proceedings Article
16 May 2010
TL;DR: In this paper, a large scale evaluation of captchas from the human perspective is presented, with the goal of assessing how much friction CAPTCHAs present to the average user.
Abstract: Captchas are designed to be easy for humans but hard for machines. However, most recent research has focused only on making them hard for machines. In this paper, we present what is to the best of our knowledge the first large scale evaluation of captchas from the human perspective, with the goal of assessing how much friction captchas present to the average user. For the purpose of this study we have asked workers from Amazon’s Mechanical Turk and an underground captcha-breaking service to solve more than 318 000 captchas issued from the 21 most popular captcha schemes (13 image schemes and 8 audio schemes). Analysis of the resulting data reveals that captchas are often difficult for humans, with audio captchas being particularly problematic. We also find some demographic trends indicating, for example, that non-native speakers of English are slower in general and less accurate on English-centric captcha schemes. Evidence from a week’s worth of eBay captchas (14,000,000 samples) suggests that the solving accuracies found in our study are close to real-world values, and that improving audio captchas should become a priority, as nearly 1% of all captchas are delivered as audio rather than images. Finally, our study also reveals that it is more effective for an attacker to use Mechanical Turk to solve captchas than an underground service.

226 citations

30 Apr 2010
TL;DR: Evidence from a week’s worth of eBay captchas suggests that the solving accuracies found in the study are close to real-world values, and that improving audio captchas should become a priority, as nearly 1% of all captchas are delivered as audio rather than images.

224 citations