CAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-based schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks.In this paper, we present new character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation-resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took on average ~80 ms for the attack to completely segment a challenge on an ordinary desktop computer. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, the design goal was that automated attacks should not achieve a success rate of higher than 0.01%. For the first time, this paper shows that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks.

/pdf/a-low-cost-attack-on-a-microsoft-captcha-4386yiatdj.pdf

A low-cost attack on a Microsoft captcha

CAPTCHA is now almost a standard security technology, and has found widespread application in commercial websites. Usability and robustness are two fundamental issues with CAPTCHA, and they often interconnect with each other. This paper discusses usability issues that should be considered and addressed in the design of CAPTCHAs. Some of these issues are intuitive, but some others have subtle implications for robustness (or security). A simple but novel framework for examining CAPTCHA usability is also proposed.

/pdf/usability-of-captchas-or-usability-issues-in-captcha-design-4ivc2rbkl1.pdf

Usability of CAPTCHAs or usability issues in CAPTCHA design

We carry out a systematic study of existing visual CAPTCHAs based on distorted characters that are augmented with anti-segmentation techniques. Applying a systematic evaluation methodology to 15 current CAPTCHA schemes from popular web sites, we find that 13 are vulnerable to automated attacks. Based on this evaluation, we identify a series of recommendations for CAPTCHA designers and attackers, and possible future directions for producing more reliable human/computer distinguishers.

/pdf/text-based-captcha-strengths-and-weaknesses-2s0figdit8.pdf

Text-based CAPTCHA strengths and weaknesses

Captchas are designed to be easy for humans but hard for machines. However, most recent research has focused only on making them hard for machines. In this paper, we present what is to the best of our knowledge the first large scale evaluation of captchas from the human perspective, with the goal of assessing how much friction captchas present to the average user. For the purpose of this study we have asked workers from Amazon’s Mechanical Turk and an underground captchabreaking service to solve more than 318 000 captchas issued from the 21 most popular captcha schemes (13 images schemes and 8 audio scheme). Analysis of the resulting data reveals that captchas are often difficult for humans, with audio captchas being particularly problematic. We also find some demographic trends indicating, for example, that non-native speakers of English are slower in general and less accurate on English-centric captcha schemes. Evidence from a week’s worth of eBay captchas (14,000,000 samples) suggests that the solving accuracies found in our study are close to real-world values, and that improving audio captchas should become a priority, as nearly 1% of all captchas are delivered as audio rather than images. Finally our study also reveals that it is more effective for an attacker to use Mechanical Turk to solve captchas than an underground service.

/pdf/how-good-are-humans-at-solving-captchas-a-large-scale-3nhzr010dt.pdf

How Good Are Humans at Solving CAPTCHAs? A Large Scale Evaluation

/pdf/how-good-are-humans-at-solving-captchas-a-large-scale-5g2o5orajk.pdf

How good are humans at solving captchas a large scale evaluation

CAPTCHA is a standard security technology that presents tests to tell computers and humans apart. In this paper, we examine the security of a new CAPTCHA that was deployed until very recently by Megaupload, a leading online storage and delivery website. The security of this scheme relies on a novel segmentation resistance mechanism. However, we show that this CAPTCHA can be segmented using a simple but new automated attack with a success rate of 78%. It takes about 120 ms on average to segment each challenge on a standard desktop computer.

The robustness of a new CAPTCHA

Captchas are a standard defense on commercial websites against undesirable or malicious Internet bot programs, but widely deployed schemes can be broken with simple but novel attacks. Applying security engineering expertise to the design of Captchas can significantly improve their robustness.

Captcha Robustness: A Security Engineering Perspective

The use of colour in user interfaces is extensive. It is typically a usability issue, and has rarely caused any security concerns. In this ar ticle, we show that the use of colours in the design of CAPTCHA, a standard security technology that has found widespread applications in commercial websites, can have inter esting but critical implications on both security and usability.

Ahmad Salah El Ahmad

Papers

A low-cost attack on a Microsoft captcha

Usability of CAPTCHAs or usability issues in CAPTCHA design

The robustness of a new CAPTCHA

Captcha Robustness: A Security Engineering Perspective

Colour, usability and security: a case study