Skip to main content
View expanded cover

International Conference on Information Security Practice and Experience

ISPEC 2019: Information Security Practice and Experience pp 172–193Cite as

CATCHA: When Cats Track Your Movements Online

  • 654 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11879)

Abstract

Any website can record its users’ mouse interactions within that site, an emerging practice used to learn about users’ regions of interests usually for personalization purposes. However, the dark side of such recording is that it is oblivious to the users as no permissions are solicited from the users prior to recording (unlike other resources like webcam or microphone). Since mouse dynamics may be correlated with users’ behavioral patterns, any website with nefarious intentions (“cat”) could thus try to surreptitiously infer such patterns, thereby compromising users’ privacy and making them prone to targeted attacks. In this paper, we show how users’ personal information, specifically their demographic characteristics, could leak in the face of such mouse movement eavesdropping. As a concrete case study along this line, we present CATCHA, a mouse analytic attack system that gleans potentially sensitive demographic attributes—age group, gender, and educational background—based on mouse interactions with a game CAPTCHA system (a simple drag-and-drop animated object game to tell humans and machines apart).

CATCHA ’s algorithmic design follows the machine learning approach that predicts unknown demographic attributes based on a total of 64 mouse dynamics features extracted from within the CAPTCHA game, capturing users’ innate cognitive abilities and behavioral patterns. Based on a comprehensive data set of mouse movements with respect to a simple game CAPTCHA collected in an online environment, we show that CATCHA can identify the users’ demographics attributes with a high probability (almost all attributes with more than 85%), significantly better than random guessing (50%) and in a very short span of interaction time (about 14 s). We also provide a thorough statistical analysis and interpretation of differentiating features across the demographics attributes that make users susceptible to the CATCHA attack. Finally, we discuss potential extensions to our attack using other user interaction paradigms (e.g., other types of CAPTCHAs or typical web browsing interactions, and under longitudinal settings), and provide potential mitigation strategies to curb the impact of mouse movement eavesdropping.

A. Neupane and K. Satvat—Work done at UAB.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-34339-2_10
  • Chapter length: 22 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   69.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-34339-2
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   89.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1.
Fig. 2.
Fig. 3.

References

  1. InformAction: Noscript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? (2017). https://noscript.net/. Accessed 28 Oct 2017

  2. Ahmed, A.A.E., Traore, I.: Anomaly intrusion detection based on biometrics. In: IEEE SMC Information Assurance Workshop (2005)

    Google Scholar 

  3. Ahmed, A.A.E., Traore, I.: A new biometric technology based on mouse dynamics. IEEE Trans. Dependable Secur. Comput. 4, 165–179 (2007)

    CrossRef  Google Scholar 

  4. Bergadano, F., Gunetti, D., Picardi, C.: Identity verification through dynamic keystroke analysis. Intell. Data Anal. 7, 469–496 (2003)

    CrossRef  Google Scholar 

  5. Chrome Blog: Everyone can now track down noisy tabs (2017). https://goo.gl/mojwB2. Accessed 19 May 2017

  6. Brodic, D., Petrovska, S., Jankovic, R., Amelio, A., Draganov, I.: User-centric analysis of the CAPTCHA response time: a new perspective in artificial intelligence. ERCIM News 109, 49–50 (2017)

    Google Scholar 

  7. Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: IEEE Security and Privacy (S&P) (2010)

    Google Scholar 

  8. Carlson, E.L.: Phishing for elderly victims: as the elderly migrate to the internet fraudulent schemes targeting them follow. Elder LJ (2006)

    Google Scholar 

  9. Chen, M.C., Anderson, J.R., Sohn, M.H.: What can a mouse cursor tell us more?: correlation of eye/mouse movements on web browsing. In: Extended Abstracts on Human Factors in Computing Systems (2001)

    Google Scholar 

  10. Datta, A., Tschantz, M.C., Datta, A.: Automated experiments on ad privacy settings. Priv. Enhancing Technol. 2015, 92–112 (2015)

    CrossRef  Google Scholar 

  11. Dowland, P.S., Furnell, S.M.: A long-term trial of keystroke profiling using digraph, trigraph and keyword latencies. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds.) SEC 2004. ITIFIP, vol. 147, pp. 275–289. Springer, Boston, MA (2004). https://doi.org/10.1007/1-4020-8143-X_18

    CrossRef  Google Scholar 

  12. Eccles, L.: Money mail reveals why shops want your email address (2016). https://goo.gl/9jFtfr. Accessed 24 Sept 2018

  13. Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14527-8_1

    CrossRef  Google Scholar 

  14. Eckersley, P.: Panopticlick (2010). https://panopticlick.eff.org. Accessed 28 Oct 2017

  15. Epp, C., Lippold, M., Mandryk, R.L.: Identifying emotional states using keystroke dynamics. In: SIGCHI Conference on Human Factors in Computing Systems. ACM (2011)

    Google Scholar 

  16. Fairhurst, M., Da Costa-Abreu, M.: Using keystroke dynamics for gender identification in social network environment. In: Imaging for Crime Detection and Prevention 2011 (ICDP 2011). IET (2011)

    Google Scholar 

  17. Firefox: Mute sound in Firefox tabs (2017). https://goo.gl/KeA80E. Accessed 19 May 2017

  18. FunCaptcha: reCAPTCHA: easy on humans, hard on bots (2017). https://www.funcaptcha.com/. Accessed 13 May 2017

  19. Gao, S., Mohamed, M., Saxena, N., Zhang, C.: Emerging image game CAPTCHAs for resisting automated and human-solver relay attacks. In: Annual Computer Security Applications Conference (2015)

    Google Scholar 

  20. Google Chrome: Change website permissions - google chrome (2017). https://goo.gl/OhoO5H. Accessed 19 May 2017

  21. Henry, N., Powell, A.: Embodied harms gender, shame, and technology-facilitated sexual violence. Violence Against Women 21, 758–779 (2015)

    CrossRef  Google Scholar 

  22. Hertzum, M., Hornbæk, K.: How age affects pointing with mouse and touchpad: a comparison of young, adult, and elderly users. Int. J. Hum.-Comput. Interact. 26, 703–734 (2010)

    CrossRef  Google Scholar 

  23. Hocquet, S., Ramel, J., Cardot, H.: Users authentication by a study of human computer interactions. In: Proceedings of the Eighth Annual (Doctoral) Meeting on Health, Science and Technology (2004)

    Google Scholar 

  24. Hu, J., Zeng, H.J., Li, H., Niu, C., Chen, Z.: Demographic prediction based on user’s browsing behavior. In: International Conference on World Wide Web (2007)

    Google Scholar 

  25. HuffingtonPost: ‘are you a human’ CAPTCHA game brings fun to web security (2018). https://goo.gl/aEWa4e. Accessed 27 March 2018

  26. Facebook Inc.: Data policy (2018). https://www.facebook.com/policy.php. Accessed 19 Sept 2018

  27. Google Inc.: reCAPTCHA: Easy on humans, hard on bots (2017). https://goo.gl/oL49TZ. Accessed 17 May 2017

  28. Google Inc.: Privacy policy - Google (2018). https://goo.gl/fwnohr. Accessed 19 Sept 2018

  29. James, M.S.: Why do they want my phone number? (2016). https://goo.gl/EWoyqT. Accessed 24 Sept 2018

  30. Joyce, R., Gupta, G.: Identity authentication based on keystroke latencies. Commun. ACM 33, 168–176 (1990)

    CrossRef  Google Scholar 

  31. Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy (SP) (2016)

    Google Scholar 

  32. Li, Q.: Cyberbullying in schools: a research of gender differences. Sch. Psychol. Int. 27, 157–170 (2006)

    CrossRef  Google Scholar 

  33. Maxion, R.A., Killourhy, K.S.: Keystroke biometrics with number-pad input. In: Dependable Systems and Networks (DSN) (2010)

    Google Scholar 

  34. Mohamed, M., Gao, S., Saxena, N., Zhang, C.: Dynamic cognitive game captcha usability and detection of streaming-based farming. In: Workshop on Usable Security (USEC), co-located with NDSS (2014)

    Google Scholar 

  35. Mohamed, M., et al.: A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In: ACM Symposium on Information, Computer and Communications Security (2014)

    Google Scholar 

  36. Mohamed, M., Saxena, N.: Gametrics: towards attack-resilient behavioral authentication with simple cognitive games. In: Annual Conference on Computer Security Applications (2016)

    Google Scholar 

  37. Monaro, M., Gamberini, L., Sartori, G.: The detection of faked identity using unexpected questions and mouse dynamics. PloS One (2017)

    Google Scholar 

  38. Mouseflow (2017). https://mouseflow.com/. Accessed 13 May 2017

  39. Mowery, K., Bogenreif, D., Yilek, S., Shacham, H.: Fingerprinting information in JavaScript implementations. In: Proceedings of W2SP (2011)

    Google Scholar 

  40. Mulazzani, M., et al.: Fast and reliable browser identification with JavaScript engine fingerprinting. In: Web 2.0 Workshop on Security and Privacy (W2SP) (2013)

    Google Scholar 

  41. Olejnik, L., Castelluccia, C.: Of mice and men: mouse movements tracking and browser UI protections

    Google Scholar 

  42. Pentel, A.: Predicting age and gender by keystroke dynamics and mouse patterns. In: Conference on User Modeling, Adaptation and Personalization (2017)

    Google Scholar 

  43. Radinsky, K., Svore, K.M., Dumais, S., Teevan, J., Bocharov, A., Horvitz, E.: Modeling and predicting behavioral dynamics on the web (2012)

    Google Scholar 

  44. Rodden, K., Fu, X.: Exploring how mouse movements relate to eye movements on web search results pages. In: Web Information Seeking and Interaction (2007)

    Google Scholar 

  45. Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image CAPTCHAs. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2016)

    Google Scholar 

  46. The WindowsClub: how to setup Firefox permission manager for websites (2017). https://goo.gl/PNOozZ. Accessed 19 May 2017

  47. Tor: Tor project: Torbutton (2017). https://www.torproject.org/docs/torbutton. Accessed 13 May 2017

  48. Ur, B., Leon, P.G., Cranor, L.F., Shay, R., Wang, Y.: Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Symposium on Usable Privacy and Security (2012)

    Google Scholar 

  49. Walker, N., Millians, J., Worden, A.: Mouse accelerations and performance of older computer users. In: Human Factors and Ergonomics Society Annual Meeting. SAGE Publications (1996)

    Google Scholar 

  50. Wang, G., Konolige, T., Wilson, C., Wang, X., Zheng, H., Zhao, B.Y.: You are how you click: clickstream analysis for sybil detection. In: USENIX Security Symposium (2013)

    Google Scholar 

  51. Wordpress: Are you a human - the fun spam blocker (2017). https://goo.gl/pszcYQ. Accessed 13 May 2017

  52. WSJ: Facebook tests software to track your cursor on screen (2013). https://goo.gl/tM3zxu

  53. Yamauchi, T.: Mouse trajectories and state anxiety: feature selection with random forest. In: IEEE Affective Computing and Intelligent Interaction (ACII) (2013)

    Google Scholar 

  54. Yamauchi, T., Seo, J.H., Jett, N., Parks, G., Bowman, C.: Gender differences in mouse and cursor movements. Int. J. Hum.-Comput. Interact. 31, 911–921 (2015)

    CrossRef  Google Scholar 

  55. Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements. In: Conference on Computer and Communications Security (2011)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Alabama at Birmingham, Birmingham, AL, 35294, USA

    Prakash Shrestha & Nitesh Saxena

  2. University of California, Riverside, CA, 92521, USA

    Ajaya Neupane

  3. University of Illinois at Chicago, Chicago, IL, 60607, USA

    Kiavash Satvat

Authors
  1. Prakash Shrestha
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nitesh Saxena
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ajaya Neupane
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Kiavash Satvat
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Prakash Shrestha .

Editor information

Editors and Affiliations

  1. Multimedia University, Malacca, Malaysia

    Swee-Huay Heng

  2. University of Malaga, Malaga, Spain

    Javier Lopez

Appendix

Appendix

Fig. 4.
figure 4

An instance of game CAPTCHA. Targets (left) are static and moving objects (right) are mobile. The task of the user is to drag-drop a subset of moving objects to their corresponding target locations.

Full size image
Table 6. Single game challenge. Performance (all presented in %) of two classification models - (a) cross-validation, and (b) train-test, corresponding to various demographic attributes when using single CAPTCHA game. The figures within the parenthesis (“Random”) in the last column show the random guessing accuracy of the classifier.
Full size table

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Shrestha, P., Saxena, N., Neupane, A., Satvat, K. (2019). CATCHA: When Cats Track Your Movements Online. In: Heng, SH., Lopez, J. (eds) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science(), vol 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-34339-2_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34338-5

  • Online ISBN: 978-3-030-34339-2

  • eBook Packages: Computer ScienceComputer Science (R0)