Abstract
CaptchaStar is a new type of Captcha, proposed in 2016, based on shape recovery. This paper shows that the security of this Captcha is not as good as intended. More precisely, we present and implement an efficient attack on CaptchaStar with a success rate of 96%. The impact of this attack is also investigated in other scenarios, such as noise addition, where it remains very efficient. This paper is a revised version of the paper entitled How to break CaptchaStar, presented at the conference ICISSP 2018 [29].
Notes
- 1.
Captcha will now be written in lower case for better readability of the paper.
References
von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: using hard AI problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_18
von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: Telling humans and computers apart automatically. Commun. ACM 47(2), 57–60 (2004)
von Ahn, L., Dabbish, L.: Labeling images with a computer game. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 319–326 (2004)
von Ahn, L., Dabbish, L.: Designing games with a purpose. Commun. ACM 51(8), 58–67 (2008)
von Ahn, L., Maurer, B., McMillen, C., Abraham, D., Blum, M.: reCAPTCHA: human-based character recognition via web security measures. Science 321, 1465–1468 (2008)
Algwil, A., Ciresan, D., Liu, B.B., Yan, J.: A security analysis of automated Chinese Turing tests. In: Annual Conference on Computer Security Applications (ACSAC), pp. 520–532 (2016)
Baird, H.S., Coates, A.L., Fateman, R.J.: PessimalPrint: a reverse Turing test. Int. J. Doc. Anal. Recognit. 5(2–3), 158–163 (2003)
Bursztein, E., Aigrain, J., Moscicki, A., Mitchell, J.C.: The end is nigh: generic solving of text-based CAPTCHAs. In: USENIX Workshop on Offensive Technologies (WOOT) (2014)
Bursztein, E., Beauxis, R., Paskov, H.S., Perito, D., Fabry, C., Mitchell, J.C.: The failure of noise-based non-continuous audio CAPTCHAs. In: IEEE Symposium on Security and Privacy (S&P), pp. 19–31 (2011)
Bursztein, E., Bethard, S.: DeCAPTCHA: breaking 75% of eBay audio CAPTCHAs. In: USENIX Workshop on Offensive Technologies (WOOT) (2009)
Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: IEEE Symposium on Security and Privacy (S&P), pp. 399–413 (2010)
Bursztein, E., Martin, M., Mitchell, J.: Text-based CAPTCHA strengths and weaknesses. In: ACM Conference on Computer and Communications Security (CCS), pp. 125–138 (2011)
Bursztein, E., Moscicki, A., Fabry, C., Bethard, S., Mitchell, J.C., Jurafsky, D.: Easy does it: more usable CAPTCHAs. In: Conference on Human Factors in Computing Systems (CHI), pp. 2637–2646 (2014)
Chellapilla, K., Larson, K., Simard, P.Y., Czerwinski, M.: Building segmentation based human-friendly human interaction proofs (HIPs). In: Baird, H.S., Lopresti, D.P. (eds.) HIP 2005. LNCS, vol. 3517, pp. 1–26. Springer, Heidelberg (2005). https://doi.org/10.1007/11427896_1
Chellapilla, K., Larson, K., Simard, P.Y., Czerwinski, M.: Designing human friendly human interaction proofs. In: ACM Conference on Human Factors in Computing Systems (CHI), pp. 711–720 (2005)
Chellapilla, K., Simard, P.Y.: Using machine learning to break visual human interaction proofs (HIPs). In: Neural Information Processing Systems (NIPS), pp. 265–272 (2004)
Chew, M., Tygar, J.D.: Image recognition CAPTCHAs. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 268–279. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8_23
Conti, M., Guarisco, C., Spolaor, R.: CAPTCHaStar! A novel CAPTCHA based on interactive shape discovery. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 611–628. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_33
Conti, M., Guarisco, C., Spolaor, R.: CAPTCHaStar demo (2016). http://captchastar.math.unipd.it/demo.php
Cui, J.S., Mei, J.T., Zhang, W.Z., Wang, X., Zhang, D.: A CAPTCHA implementation based on moving objects recognition problem. In: IEEE International Conference on E-Business and E-Government (ICEE), pp. 1277–1280 (2010)
Datta, R., Li, J., Wang, J.Z.: Imagination: a robust image-based CAPTCHA generation system. In: ACM International Conference on Multimedia, pp. 331–334 (2005)
Elson, J., Douceur, J.R., Howell, J., Saul, J.: Asirra: a CAPTCHA that exploits interest-aligned manual image categorization. In: ACM Conference on Computer and Communications Security (CCS), pp. 366–374 (2007)
Fidas, C., Voyiatzis, A., Avouris, N.: On the necessity of user-friendly CAPTCHA. In: SIGCHI Conference on Human Factors in Computing Systems (CHI), pp. 2623–2626 (2011)
Gao, H., Wang, W., Qi, J., Wang, X., Liu, X., Yan, J.: The robustness of hollow CAPTCHAs. In: ACM Conference on Computer and Communications Security (CCS), pp. 1075–1086 (2013)
Gao, H., et al.: A simple generic attack on text CAPTCHAs. In: Network and Distributed System Security Symposium (NDSS) (2016)
Golle, P.: Machine learning attacks against the Asirra CAPTCHA. In: ACM Conference on Computer and Communications Security (CCS), pp. 535–542 (2008)
Goodfellow, I.J., Bulatov, Y., Ibarz, J., Arnoud, S., Shet, V.D.: Multi-digit number recognition from street view imagery using deep convolutional neural networks. CoRR abs/1312.6082 (2013)
Gossweiler, R., Kamvar, M., Baluja, S.: What’s up CAPTCHA? A CAPTCHA based on image orientation. In: 18th International Conference on World Wide Web (WWW), pp. 841–850 (2008)
Gougeon, T., Lacharme, P.: How to break CAPTCHaStar. In: 4th International Conference on Information Systems Security and Privacy (ICISSP), pp. 41–51 (2018)
Hernández-Castro, C.J., R-Moreno, M.D., Barrero, D.F., Gibson, S.: Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis. Comput. Secur. 70, 744–756 (2017)
Hernández-Castro, C.J., Ribagorda, A.: Pitfalls in CAPTCHA design and implementation: the math CAPTCHA, a case study. Comput. Secur. 29, 141–157 (2010)
Hindle, A., Godfrey, M.W., Holt, R.C.: Reverse engineering CAPTCHAs (2008)
Kim, J., Kim, S., Yang, J., Ryu, J., Wohn, K.: FaceCAPTCHA: a CAPTCHA that identifies the gender of face images unrecognized by existing gender classifiers. Multimed. Tools Appl. 72(2), 1215–1237 (2014)
Kim, J., Chung, W., Cho, H.: A new image-based CAPTCHA using the orientation of the polygonally cropped sub-images. Vis. Comput. 26, 1135–1143 (2010)
Kluever, K.A., Zanibbi, R.: Balancing usability and security in a video CAPTCHA. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2009)
Mohamed, M., Gao, S., Saxena, N., Zhang, C.: Dynamic cognitive game CAPTCHA usability and detection of streaming-based farming. In: Workshop NDSS on Usable Security (USEC) (2014)
Mohamed, M., et al.: A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 195–206 (2014)
Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual CAPTCHA. In: Conference on Computer Vision and Pattern Recognition (CVPR), pp. 133–144 (2003)
Motoyama, M., Levchenko, K., Kanich, C., McCoy, D., Voelker, G.M., Savage, S.: Re: CAPTCHAs-understanding CAPTCHA-solving services in an economic context. In: USENIX Security Symposium, vol. 10, pp. 435–462 (2010)
Naor, M.: Verification of a human in the loop or identification via the Turing test (1996)
Nejati, H., Cheung, N.M., Sosa, R., Koh, D.C.I.: DeepCAPTCHA: an image CAPTCHA based on depth perception. In: ACM Multimedia Systems Conference (MMSys), pp. 81–90 (2014)
Nguyen, V.D., Chow, Y.W., Susilo, W.: On the security of text-based 3D CAPTCHAs. Comput. Secur. 45, 84–99 (2014)
Osadchy, M., Hernandez-Castro, J., Gibson, S., Dunkelman, O., Perez-Cabo, D.: No bot expects the DeepCAPTCHA! Introducing immutable adversarial examples with applications to CAPTCHA. IACR Cryptology ePrint Archive (2016)
Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: ACM Computer and Security Conference (CCS), pp. 161–170 (2002)
Rui, Y., Liu, Z.: Artifacial: automated reverse Turing test using facial features. Multimed. Syst. 9(6), 493–502 (2004)
Shirali-Shahreza, S., Shirali-Shahreza, M.: CAPTCHA for children. In: IEEE International Conference on System of Systems Engineering (SoSE), pp. 1–6 (2008)
Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)
Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image CAPTCHAs. In: IEEE European Symposium on Security and Privacy (EuroS&P), pp. 388–403 (2016)
Tam, J., Simsa, J., Hyde, S., von Ahn, L.: Breaking audio CAPTCHAs. In: Advances in Neural Information Processing Systems (NIPS), pp. 1625–1632 (2008)
Thomas, K., McCoy, D., Grier, C., Kolcz, A., Paxson, V.: Trafficking fraudulent accounts: the role of the underground market in Twitter spam and abuse. In: USENIX Security Symposium, pp. 195–210 (2013)
Truong, H.D., Turner, C.F., Zou, C.C.: iCAPTCHA: the next generation of CAPTCHA designed to defend against 3rd party human attacks. In: IEEE International Conference on Communications (ICC), pp. 1–6 (2011)
Turing, A.M.: Computing machinery and intelligence. Mind 59(236), 433–460 (1950)
Wilkins, J.: Strong CAPTCHA guidelines. Technical Report (v1.2) (2009)
Xu, Y., Reynaga, G., Chiasson, S., Frahm, J.M., Monrose, F., van Oorschot, P.C.: Security and usability challenges of moving-object CAPTCHAs: decoding codewords in motion. In: USENIX Security Symposium, pp. 49–64 (2012)
Yan, J., Ahmad, A.S.E.: Breaking visual CAPTCHAs with naive pattern recognition algorithms. In: Annual Computer Security Applications Conference (ACSAC), pp. 279–291 (2007)
Yan, J., Ahmad, A.S.E.: A low-cost attack on a Microsoft CAPTCHA. In: ACM Conference on Computer and Communications Security (CCS), pp. 543–554 (2007)
Yan, J., Ahmad, A.S.E.: Usability of CAPTCHAs or usability issues in CAPTCHA design. In: 4th Symposium on Usable Privacy and Security (SOUPS), pp. 44–52 (2008)
Yan, J., Ahmad, A.S.E.: CAPTCHA security: a case study. IEEE Secur. Priv. 7(4), 22–28 (2009)
Zhu, B.B., et al.: Attacks and design of image recognition CAPTCHAs. In: ACM Conference on Computer and Communications Security (CCS), pp. 187–200 (2010)
A Appendix
Figure 5 describes the first part of the attack on a toy example with \(n_{max} = 2\), \(\ell = 4\), \(n_s = 4\). First, the grid is split into 4 tiles. The center of each tile gives the coordinates \(c_k\), which generate a state \(S^k\). Then a score is computed for each state with the maxConcentration heuristic: it splits the grid into 9 tiles of \(4 \times 4\) pixels and adds the pixel counts of the two tiles containing the most pixels. For the state \(S^3\), the two most populated tiles are the center tile and the top-center tile. Each contains 2 stars, and each star contains 4 pixels, so the score of \(S^3\) is 16. This is the maximum score among the generated states, so \(c_3\) gives the coordinates of the approximate solution.
Figure 6 describes the second part of the attack with \(\ell_2 = 2\). A tile of size \(2 \times 2\) pixels is drawn with \(c_3\) as its center. A state is generated for each point of the tile and scored with the maxConcentration heuristic. The points have coordinates \(\left\{ c_3, c_5, c_6, \dots, c_{12} \right\}\). \(S^8\) is the state with the largest score, and it is the solution of the challenge.
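The appendix's two-phase search and the maxConcentration score, as an added illustration that is not the authors' code: it shows why a shape-recovery puzzle whose correct state is the most "concentrated" one is measurable by a simple statistic, which is the design weakness a Captcha designer has to evaluate. The toy render() rule (stars shifted by a per-star direction times the cursor offset), the integer tile centres and the refine radius are my own assumptions, not CaptchaStar's mechanics.

```python
# Assumptions (not from the paper): the toy render() below stands in for
# CaptchaStar's real star-displacement rule, and the tile centres and refine
# radius are my reading of the appendix's parameters.
from typing import Dict, Set, Tuple

Pixel = Tuple[int, int]

def max_concentration(pixels: Set[Pixel], tile: int, top: int = 2) -> int:
    """maxConcentration heuristic: cut the grid into tile x tile cells and
    return the summed pixel count of the `top` most populated cells."""
    counts: Dict[Pixel, int] = {}
    for x, y in pixels:
        cell = (x // tile, y // tile)
        counts[cell] = counts.get(cell, 0) + 1
    return sum(sorted(counts.values(), reverse=True)[:top])

def block(x, y, size, w, h) -> Set[Pixel]:
    """A star as a size x size block with top-left (x, y), clipped to the grid."""
    return {(x + i, y + j) for i in range(size) for j in range(size)
            if 0 <= x + i < w and 0 <= y + j < h}

# Constructed toy challenge: 12x12 grid, four 2x2 stars. At the secret cursor
# SOLUTION each star sits at its true position; at cursor offset (dx, dy) star
# i is displaced by (dx*kx, dy*ky). This rule is a stand-in, not CaptchaStar's.
W = H = 12
SOLUTION = (8, 4)
STARS = [((4, 4), (1, 1)), ((6, 6), (1, -1)), ((4, 0), (-1, -1)), ((6, 2), (-1, 1))]

def render(cursor: Pixel) -> Set[Pixel]:
    dx, dy = cursor[0] - SOLUTION[0], cursor[1] - SOLUTION[1]
    pixels: Set[Pixel] = set()
    for (px, py), (kx, ky) in STARS:
        pixels |= block(px + dx * kx, py + dy * ky, 2, W, H)
    return pixels

def solve(render, w, h, n_s, tile, radius) -> Pixel:
    """Two-phase search from the appendix: score the centre of each of the n_s
    coarse tiles, then rescore every point within `radius` of the best one."""
    side = int(n_s ** 0.5)                      # n_s tiles laid out side x side
    tw, th = w // side, h // side
    coarse = [(i * tw + tw // 2, j * th + th // 2)
              for i in range(side) for j in range(side)]
    score = lambda c: max_concentration(render(c), tile)
    cx, cy = max(coarse, key=score)             # approximate solution
    fine = [(cx + i, cy + j) for i in range(-radius, radius + 1)
            for j in range(-radius, radius + 1)]
    return max(fine, key=score)                 # refined solution

if __name__ == "__main__":
    print(solve(render, W, H, n_s=4, tile=4, radius=2))  # (8, 4)
```

On this toy instance the coarse phase picks the tile centre (9, 3) with score 11, and the refinement around it reaches the unique maximum score of 16 at the secret cursor, mirroring the 16 computed for \(S^3\) in the appendix.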
© 2019 Springer Nature Switzerland AG
Gougeon, T., Lacharme, P. (2019). A Simple Attack on CaptchaStar. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2018. Communications in Computer and Information Science, vol 977. Springer, Cham. https://doi.org/10.1007/978-3-030-25109-3_4
DOI: https://doi.org/10.1007/978-3-030-25109-3_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25108-6
Online ISBN: 978-3-030-25109-3