Advertisement

Remotely Telling Humans and Computers Apart: An Unsolved Problem

  • Carlos Javier Hernandez-Castro
  • Arturo Ribagorda
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 309)

Abstract

The ability to tell humans and computers apart is imperative to protect many services from misuse and abuse. For this purpose, tests called CAPTCHAs or HIPs have been designed and put into production. Recent history shows that most (if not all) can be broken given enough time and commercial interest: CAPTCHA design seems to be a much more difficult problem than previously thought. The assumption that difficult-AI problems can be easily converted into valid CAPTCHAs is misleading. There are also some extrinsic problems that do not help, especially the big number of in-house designs that are put into production without any prior public critique. In this paper we present a state-of-the-art survey of current HIPs, including proposals that are now into production. We classify them regarding their basic design ideas. We discuss current attacks as well as future attack paths, and we also present common errors in design, and how many implementation flaws can transform a not necessarily bad idea into a weak CAPTCHA. We present examples of these flaws, using specific well-known CAPTCHAs. In a more theoretical way, we discuss the threat model: confronted risks and countermeasures. Finally, we introduce and discuss some desirable properties that new HIPs should have, concluding with some proposals for future work, including methodologies for design, implementation and security assessment.

Keywords

HIP CAPTCHA design implementation flaw methodologies security assessment 

References

  1. 1.
    Chow, R., Golle, P., Jakobsson, M., Wang, L., Wang, X.: Making CAPTCHAs Clickable. In: Proc. of HotMobile 2008 (2008)Google Scholar
  2. 2.
    Hernandez-Castro, C.J., Ribagorda, A.: VideoCAPTCHAs. In: Proceedings of the 5th International Conference on Security and Protection of Information, Brno (to be puslished, 2009)Google Scholar
  3. 3.
    Athanasopoulos, E., Antonatos, S.: Enhanced CAPTCHAs: Using Animation to Tell Humans and Computers Apart. In: IFIP International Federation for Information Processing (2006)Google Scholar
  4. 4.
    Bigham, J.P., Cavender, A.C.: Evaluating Existing Audio CAPTCHAs and an Interface Optimized for Non-Visual Use. In: CHI 2009 (2009)Google Scholar
  5. 5.
    Hernandez-Castro, C.J., Ribagorda, A., Saez, Y.: Side-channel attack on labeling CAPTCHAs (2009), http://arxiv.org/abs/0908.1185
  6. 6.
    Holmes, G., Donkin, A., Witten, I.H.: Weka: A machine learning workbench. In: Proceedings of the Second Australia and New Zealand Conference on Intelligent Information Systems, Brisbane, Australia (1994)Google Scholar
  7. 7.
    Quinlan, R.: Machine Learning. Morgan Kaufmann Pub., CAGoogle Scholar
  8. 8.
    Golle, P.: Machine Learning Attacks Against the Asirra CAPTCHA. In: ACM CCS 2008 (2008)Google Scholar
  9. 9.
    Hernandez-Castro, C.J., Ribagorda, A.: Preliminary analysis on the Megaupload CAPTCHA (Submitted for publication)Google Scholar
  10. 10.
    Achint, T., Venu, G.: Generation and Performance Evaluation of Synthetic Handwritten CAPTCHAs. In: ICFHR 2008 (2008)Google Scholar
  11. 11.
    Hernandez-Castro, C.J., Ribagorda, A.: Pitfalls in CAPTCHA design and implementation: the Math CAPTCHA, a case study (Submitted for publication)Google Scholar
  12. 12.
    Tam, J., Simsa, J., Hyde, S., Von Ahn, L.: Breaking Audio CAPTCHAs, http://www.captcha.net/Breaking_Audio_CAPTCHAs_OnlinePDF.pdf
  13. 13.
    von Ahn, L., Maurer, B., McMillen, C., Abraham, D., Blum, M.: reCAPTCHA: Human-Based Character Recognition via Web Security Measures. Science Magazine 321(5895), 1465–1468 (2008)MathSciNetzbMATHGoogle Scholar
  14. 14.
    Caine, A., Hengartner, U.: The AI Hardness of CAPTCHAs does not imply Robust Network Security. In: IFIP, Trust Management, vol. 238, pp. 367–382Google Scholar
  15. 15.
    W3C Working Draft, Techniques for WCAG 2.0. G144: Ensuring Web Page contains another CAPTCHA serving same purpose using a different modalityGoogle Scholar
  16. 16.
    Elson, J., Douceur, J.R., Howell, J., Saul, J.: Asirra: A CAPTCHA that Exploits Interest-Aligned Manual Image Categorization. In: Proccedings of the 14th ACM CCS (2007)Google Scholar
  17. 17.
    von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: Using hard AI problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. 18.
    Mori, G., Malik, J.: Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA. In: Proc. of CVPR 2003, pp. 134–144. IEEE, Los Alamitos (2003)Google Scholar
  19. 19.
    Naor, M.: Verification of human in the loop or Identification via Turing Test, http://www.wisdom.weizmann.ac.il/~naor/PAPERS/human.ps (retrieved January 1, 2009)
  20. 20.
    Chew, M., Tygar, J.D.: Image recognition CAPTCHAs. In: Proc. of ISC 2004, pp. 268–279 (2004); A longer version as UC Berkeley Computer Science Division technical report UCB/CSD-04-1333Google Scholar
  21. 21.
    von Ahn, L., Dabbish, L.: Labeling Images with a Computer Game. In: ACM Conference on Human Factors in Computing Systems, CHI 2004, pp. 319–326 (2004)Google Scholar
  22. 22.
    US Patent no. 6,195,698, Method for selectively restricting access to computer systems, http://www.freepatentsonline.com/6195698.html
  23. 23.
    Rusu, A., Govindaraju, V.: Handwritten CAPTCHA: using the difference in the abilities of humans and machines in reading handwritten words. In: Proceedings of the IWFHR-9, Tokyo, Japan, pp. 226–231 (2004)Google Scholar
  24. 24.
    Stevanovic, R., et al.: Quantum Random Bit Generator Service for Monte Carlo and Other Stochastic Simulations. In: Lirkov, I., Margenov, S., Waśniewski, J. (eds.) LSSC 2007. LNCS, vol. 4818, pp. 508–515. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  25. 25.
    Baird, H.S., Riopka, T.: ScatterType: a Reading CAPTCHA Resistant to Segmentation Attack. In: Proc. of the IS & T/SPIE Document Recognition & Retrieval Conference, pp. 197–207 (2005)Google Scholar
  26. 26.
    Datta, R., et al.: IMAGINATION: A Robust Image-based CAPTCHA Generation System. In: Proc. of ACM Multimedia Conf., pp. 331–334 (2005)Google Scholar
  27. 27.
    Hoque, M.E., Russomanno, D.J., Yeasin, M.: 2D Captchas from 3D Models. In: Proceedings of the IEEE SoutheastCon 2006, Memphis (April 2006)Google Scholar
  28. 28.
    Chew, M., Baird, H.S.: BaffleText: a Human Interactive Proof. In: Proceedings of the 10th SPIE/IS&T Doc. Recog. Retr. Conf, DRR 2003 (2003)Google Scholar
  29. 29.
    Baird, H.S., Bentley, J.L.: Implicit CAPTCHAs. In: Proc. SPIE/IS&T Conf. on Document Recognition and Retrieval XII (DR & R 2005), pp. 191–196 (2005)Google Scholar
  30. 30.
    Moy, G., et al.: Distortion Estimation Techniques in Solving Visual CAPTCHAs. In: Proc. of the CVPR 2004, vol. 2 (2004)Google Scholar
  31. 31.
    Yan, J., Ahmad, A.S.E.: Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms. In: Proceedings of the ACSAC 2007 (2007)Google Scholar
  32. 32.
    Chellapilla, K., Simard, P.Y.: Using Machine Learning to Break Visual HIPs. In: Proc. of the Conf. on Neural Information Processing Systems, NIPS 2004 (2004)Google Scholar
  33. 33.
    Chellapilla, K., Larson, K., Simard, P.Y., Czerwinski, M.: Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs). In: Procs. of CEAS (2005)Google Scholar
  34. 34.
    Hernandez-Castro, C.J., Ribagorda, A.: Analysis of the Teabag CAPTCHA version 1.2 (Submitted for publication)Google Scholar
  35. 35.
  36. 36.
  37. 37.
    TROJ_CAPTCHAR.A Trojan horse to relay CAPTCHAs at TrendMicro, http://blog.trendmicro.com/captcha-wish-your-girlfriend-was-hot-like-me/
  38. 38.
    Danchev, D.: Inside India’s CAPTCHA solving economy, http://blogs.zdnet.com/security/?p=1835
  39. 39.
    Van der Vorm, J.: Defeating audio (voice) CATPCHAs, http://vorm.net/captchas
  40. 40.
    Santamarta, R.: Breaking GMail’s audio CAPTCHA, http://blog.wintercore.com/?p=11
  41. 41.
  42. 42.
  43. 43.
    Hernandez-Castro, C.J., Ribagorda, A.: Pitfalls in CAPTCHA design and implementation: the Math CAPTCHA, a case study. Computers & Security (2009), http://dx.doi.org/10.1016/j.cose.2009.06.006
  44. 44.
    Yeen, H.: Breaking CAPTCHAs without using OCR, http://www.puremango.co.uk/2005/11/breaking_captcha_115/
  45. 45.
    W. Wieser. Captcha recognition via averaging, http://www.triplespark.net/misc/captcha/

Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Carlos Javier Hernandez-Castro
    • 1
  • Arturo Ribagorda
    • 1
  1. 1.Security Group, Department of Computer ScienceCarlos III UniversityLeganes, MadridSpain

Personalised recommendations