Book Chapter

Security Analysis of CAPTCHA

11 Oct 2012, pp. 97-109
TL;DR: The pre-processing attack on the targeted CAPTCHA is demonstrated with a success rate of approximately 97%, which in turn helps to build more robust and human-friendly CAPTCHA.
Abstract: CAPTCHA stands for Completely Automated Public Turing test to distinguish Computers and Humans apart. CAPTCHA is a program which can generate and grade the tests that it itself cannot pass. The security aspect of CAPTCHA should be such that no computer program should be able to pass the tests generated by it, even if the exact working of the CAPTCHA is known. The effectiveness of CAPTCHA of a given strength is determined by how frequently the guesses of CAPTCHA can be tested by an attacker. This paper proposes parameters for the assessment of security and usability of CAPTCHA that arbitrary compositions of security measures can provide. The pre-processing attack on targeted CAPTCHA is demonstrated, having a success rate of approximately 97%, which in turn helps to build more robust and human-friendly CAPTCHA. The universal structure for segmentation attack is framed to analyze security of CAPTCHA.
Citations
Proceedings Article
04 Jun 2016
TL;DR: This research has found vulnerabilities in Text based CAPTCHAs, a novel mechanism, i.e. the recognition based segmentation is applied to crop such connected characters, a sliding window based neural network classifier is used to recognize and segment the connected characters.
Abstract: Text based CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is the most widely used mechanism adopted by numerous popular web sites in order to differentiate between machines and humans, however due to extensive research carried out by computer vision researchers, it is nowadays vulnerable against automated attacks. Segmentation is the most difficult task in automatic recognition of CAPTCHAs, therefore contemporary Text based CAPTCHAs try to combine the characters together in order to make them as segmentation resistant against these attacks as possible. In this research, we have found vulnerabilities in such CAPTCHAs, a novel mechanism, i.e. the recognition based segmentation is applied to crop such connected characters, a sliding window based neural network classifier is used to recognize and segment the connected characters. Experimental results have proved 95.5% recognition success rate and 58.25% segmentation success rate on our dataset of tmall CAPTCHAs, this algorithm is further tested on two other datasets of slightly different implementations and promising results were achieved.

11 citations

Proceedings Article
01 Dec 2016
TL;DR: The results proved that the Necklace CAPTCHA is an effective anti-bot mechanism from the usability and security perspectives, such that it achieved efficiency rate about 93%, solving time around 24 seconds, and low probability value of guessing attack success rate about 1.35% in average.
Abstract: Protecting Online Social Networks (OSNs) against the new generation of the automated software tools (i.e. Social Bots) is an increasingly important lack from the security and privacy perspectives. Social bots are automated software scripts which are able to carry out dangerous activities in OSNs, such as auto-sharing and posting, auto-sending friend requests, auto-harvesting private information, etc. Indeed, these malicious activities harm the users' reputation and privacy as well as they challenge the Social Network Provider (SNP) as a security issue. In this paper, we introduce a novel anti-bot mechanism called Necklace CAPTCHA for securing Online Social Networks against the smart generation of social bots. The Necklace CAPTCHA is an Image-based CAPTCHA which depends on the Necklace Graph approach to generate its tests. Our results proved that the Necklace CAPTCHA is an effective anti-bot mechanism from the usability and security perspectives, such that it achieved efficiency rate about 93%, solving time around 24 seconds, and low probability value of guessing attack success rate about 1.35% in average. Compared with other CAPTCHAs, the Necklace CAPTCHA is a strong competitive approach regarding the usability and security metrics.

5 citations

Proceedings Article
01 Dec 2015
TL;DR: A systematic approach to measure the qualitative strength of the Text based CAPTCHA depending on type of TBC, Length of TBC, Character recognition rate and its response time is proposed.
Abstract: There is a substantial emphasis on security design of Text based CAPTCHA by way of providing the security at pre-processing layer, segmentation layer and character recognition layer. The strength to protect the system from security threats defines the robustness of any given system and which in turn depends on number of attempts the malicious program, which does not have direct access, will need to defend it. This paper proposes a systematic approach to measure the qualitative strength of the Text based CAPTCHA depending on type of TBC, Length of TBC, Character recognition rate and its response time. Applying our systematic approach to different CAPTCHA providers and users, we found that approximately 80% CAPTCHAs are weak and susceptible to our attacks. Along with the attacks leading to weakness of text based CAPTCHA, we have provided the distinguishing features of different CAPTCHA Segmenter which play an important role in defending anti-segmentation techniques.

4 citations

Journal Article
01 Feb 2021
TL;DR: In this article, 20 unique Devanagari CAPTCHAs are tested from de-noising and segmentation (character segmentation) point of view. All the 20 designs are successfully denoised and segmented. A high success rate of segmentation is achieved that ranges from 88.14 to 98.06%.
Abstract: CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is one of the easiest ways to achieve human authentication on the web sites. Text-based CAPTCHAs are the most popular type of CAPTCHA used on the web sites. Most of the text-based CAPTCHAs are successfully recognized. Devanagari CAPTCHAs are also existing but not used on the web sites. In India, mostly web sites are also displaying the information in native languages so that native citizens can use these public web sites. These web sites may use native language CAPTCHA like Devanagari CAPTCHA. The security of Devanagari CAPTCHA is never tested till date. In this paper, 20 unique Devanagari CAPTCHAs are tested from de-noising and segmentation (character segmentation) point of view. All the 20 designs are successfully de-noised and segmented. A high success rate of segmentation is achieved that ranges from 88.14 to 98.06%. The paper proposes benchmarks for developing a secure text CAPTCHA.
References
Book Chapter
04 May 2003
TL;DR: This work introduces captcha, an automated test that humans can pass, but current computer programs can't pass; any program that has high success over a captcha can be used to solve an unsolved Artificial Intelligence (AI) problem; and provides several novel constructions of captchas, which imply a win-win situation.
Abstract: We introduce captcha, an automated test that humans can pass, but current computer programs can't pass: any program that has high success over a captcha can be used to solve an unsolved Artificial Intelligence (AI) problem. We provide several novel constructions of captchas. Since captchas have many applications in practical security, our approach introduces a new class of hard problems that can be exploited for security purposes. Much like research in cryptography has had a positive impact on algorithms for factoring and discrete log, we hope that the use of hard AI problems for security purposes allows us to advance the field of Artificial Intelligence. We introduce two families of AI problems that can be used to construct captchas and we show that solutions to such problems can be used for steganographic communication. captchas based on these AI problem families, then, imply a win-win situation: either the problems remain unsolved and there is a way to differentiate humans from computers, or the problems are solved and there is a way to communicate covertly on some channels.

1,525 citations

Journal Article
TL;DR: In this paper, lazy cryptographers do AI and show how lazy they can be, and how they do it well, and why they do so poorly, and they are lazy.
Abstract: How lazy cryptographers do AI.

890 citations

Proceedings Article
18 Jun 2003
TL;DR: Efficient methods based on shape context matching are developed that can identify the word in an EZ-Gimpy image with a success rate of 92%, and the requisite 3 words in a Gimpy image 33% of the time.
Abstract: In this paper we explore object recognition in clutter. We test our object recognition techniques on Gimpy and EZ-Gimpy, examples of visual CAPTCHAs. A CAPTCHA ("Completely Automated Public Turing test to Tell Computers and Humans Apart") is a program that can generate and grade tests that most humans can pass, yet current computer programs can't pass. EZ-Gimpy, currently used by Yahoo, and Gimpy are CAPTCHAs based on word recognition in the presence of clutter. These CAPTCHAs provide excellent test sets since the clutter they contain is adversarial; it is designed to confuse computer programs. We have developed efficient methods based on shape context matching that can identify the word in an EZ-Gimpy image with a success rate of 92%, and the requisite 3 words in a Gimpy image 33% of the time. The problem of identifying words in such severe clutter provides valuable insight into the more general problem of object recognition in scenes. The methods that we present are instances of a framework designed to tackle this general problem.

681 citations

Proceedings Article
27 Oct 2008
TL;DR: It is shown that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks, including the schemes designed and deployed by Microsoft, Yahoo and Google.
Abstract: CAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-based schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. In this paper, we present new character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation-resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took on average ~80 ms for the attack to completely segment a challenge on an ordinary desktop computer. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, the design goal was that automated attacks should not achieve a success rate of higher than 0.01%. For the first time, this paper shows that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks.

407 citations

Journal Article
Nei Kato, M. Suzuki, Shinichiro Omachi, Hirotomo Aso, Yoshiaki Nemoto
TL;DR: A precise system for handwritten Chinese and Japanese character recognition using transformation based on partial inclination detection (TPID), city block distance with deviation and asymmetric Mahalanobis distance (AMD) is presented.
Abstract: This paper presents a precise system for handwritten Chinese and Japanese character recognition. Before extracting directional element feature (DEF) from each character image, transformation based on partial inclination detection (TPID) is used to reduce undesired effects of degraded images. In the recognition process, city block distance with deviation (CBDD) and asymmetric Mahalanobis distance (AMD) are proposed for rough classification and fine classification. With this recognition system, the experimental result of the database ETL9B reaches to 99.42%.

216 citations