Abstract
Any website can record its users’ mouse interactions within that site, an emerging practice used to learn about users’ regions of interests usually for personalization purposes. However, the dark side of such recording is that it is oblivious to the users as no permissions are solicited from the users prior to recording (unlike other resources like webcam or microphone). Since mouse dynamics may be correlated with users’ behavioral patterns, any website with nefarious intentions (“cat”) could thus try to surreptitiously infer such patterns, thereby compromising users’ privacy and making them prone to targeted attacks. In this paper, we show how users’ personal information, specifically their demographic characteristics, could leak in the face of such mouse movement eavesdropping. As a concrete case study along this line, we present CATCHA, a mouse analytic attack system that gleans potentially sensitive demographic attributes—age group, gender, and educational background—based on mouse interactions with a game CAPTCHA system (a simple drag-and-drop animated object game to tell humans and machines apart).
CATCHA ’s algorithmic design follows the machine learning approach that predicts unknown demographic attributes based on a total of 64 mouse dynamics features extracted from within the CAPTCHA game, capturing users’ innate cognitive abilities and behavioral patterns. Based on a comprehensive data set of mouse movements with respect to a simple game CAPTCHA collected in an online environment, we show that CATCHA can identify the users’ demographics attributes with a high probability (almost all attributes with more than 85%), significantly better than random guessing (50%) and in a very short span of interaction time (about 14 s). We also provide a thorough statistical analysis and interpretation of differentiating features across the demographics attributes that make users susceptible to the CATCHA attack. Finally, we discuss potential extensions to our attack using other user interaction paradigms (e.g., other types of CAPTCHAs or typical web browsing interactions, and under longitudinal settings), and provide potential mitigation strategies to curb the impact of mouse movement eavesdropping.
A. Neupane and K. Satvat—Work done at UAB.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
InformAction: Noscript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? (2017). https://noscript.net/. Accessed 28 Oct 2017
Ahmed, A.A.E., Traore, I.: Anomaly intrusion detection based on biometrics. In: IEEE SMC Information Assurance Workshop (2005)
Ahmed, A.A.E., Traore, I.: A new biometric technology based on mouse dynamics. IEEE Trans. Dependable Secur. Comput. 4, 165–179 (2007)
Bergadano, F., Gunetti, D., Picardi, C.: Identity verification through dynamic keystroke analysis. Intell. Data Anal. 7, 469–496 (2003)
Chrome Blog: Everyone can now track down noisy tabs (2017). https://goo.gl/mojwB2. Accessed 19 May 2017
Brodic, D., Petrovska, S., Jankovic, R., Amelio, A., Draganov, I.: User-centric analysis of the CAPTCHA response time: a new perspective in artificial intelligence. ERCIM News 109, 49–50 (2017)
Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: IEEE Security and Privacy (S&P) (2010)
Carlson, E.L.: Phishing for elderly victims: as the elderly migrate to the internet fraudulent schemes targeting them follow. Elder LJ (2006)
Chen, M.C., Anderson, J.R., Sohn, M.H.: What can a mouse cursor tell us more?: correlation of eye/mouse movements on web browsing. In: Extended Abstracts on Human Factors in Computing Systems (2001)
Datta, A., Tschantz, M.C., Datta, A.: Automated experiments on ad privacy settings. Priv. Enhancing Technol. 2015, 92–112 (2015)
Dowland, P.S., Furnell, S.M.: A long-term trial of keystroke profiling using digraph, trigraph and keyword latencies. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds.) SEC 2004. ITIFIP, vol. 147, pp. 275–289. Springer, Boston, MA (2004). https://doi.org/10.1007/1-4020-8143-X_18
Eccles, L.: Money mail reveals why shops want your email address (2016). https://goo.gl/9jFtfr. Accessed 24 Sept 2018
Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14527-8_1
Eckersley, P.: Panopticlick (2010). https://panopticlick.eff.org. Accessed 28 Oct 2017
Epp, C., Lippold, M., Mandryk, R.L.: Identifying emotional states using keystroke dynamics. In: SIGCHI Conference on Human Factors in Computing Systems. ACM (2011)
Fairhurst, M., Da Costa-Abreu, M.: Using keystroke dynamics for gender identification in social network environment. In: Imaging for Crime Detection and Prevention 2011 (ICDP 2011). IET (2011)
Firefox: Mute sound in Firefox tabs (2017). https://goo.gl/KeA80E. Accessed 19 May 2017
FunCaptcha: reCAPTCHA: easy on humans, hard on bots (2017). https://www.funcaptcha.com/. Accessed 13 May 2017
Gao, S., Mohamed, M., Saxena, N., Zhang, C.: Emerging image game CAPTCHAs for resisting automated and human-solver relay attacks. In: Annual Computer Security Applications Conference (2015)
Google Chrome: Change website permissions - google chrome (2017). https://goo.gl/OhoO5H. Accessed 19 May 2017
Henry, N., Powell, A.: Embodied harms gender, shame, and technology-facilitated sexual violence. Violence Against Women 21, 758–779 (2015)
Hertzum, M., Hornbæk, K.: How age affects pointing with mouse and touchpad: a comparison of young, adult, and elderly users. Int. J. Hum.-Comput. Interact. 26, 703–734 (2010)
Hocquet, S., Ramel, J., Cardot, H.: Users authentication by a study of human computer interactions. In: Proceedings of the Eighth Annual (Doctoral) Meeting on Health, Science and Technology (2004)
Hu, J., Zeng, H.J., Li, H., Niu, C., Chen, Z.: Demographic prediction based on user’s browsing behavior. In: International Conference on World Wide Web (2007)
HuffingtonPost: ‘are you a human’ CAPTCHA game brings fun to web security (2018). https://goo.gl/aEWa4e. Accessed 27 March 2018
Facebook Inc.: Data policy (2018). https://www.facebook.com/policy.php. Accessed 19 Sept 2018
Google Inc.: reCAPTCHA: Easy on humans, hard on bots (2017). https://goo.gl/oL49TZ. Accessed 17 May 2017
Google Inc.: Privacy policy - Google (2018). https://goo.gl/fwnohr. Accessed 19 Sept 2018
James, M.S.: Why do they want my phone number? (2016). https://goo.gl/EWoyqT. Accessed 24 Sept 2018
Joyce, R., Gupta, G.: Identity authentication based on keystroke latencies. Commun. ACM 33, 168–176 (1990)
Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy (SP) (2016)
Li, Q.: Cyberbullying in schools: a research of gender differences. Sch. Psychol. Int. 27, 157–170 (2006)
Maxion, R.A., Killourhy, K.S.: Keystroke biometrics with number-pad input. In: Dependable Systems and Networks (DSN) (2010)
Mohamed, M., Gao, S., Saxena, N., Zhang, C.: Dynamic cognitive game captcha usability and detection of streaming-based farming. In: Workshop on Usable Security (USEC), co-located with NDSS (2014)
Mohamed, M., et al.: A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In: ACM Symposium on Information, Computer and Communications Security (2014)
Mohamed, M., Saxena, N.: Gametrics: towards attack-resilient behavioral authentication with simple cognitive games. In: Annual Conference on Computer Security Applications (2016)
Monaro, M., Gamberini, L., Sartori, G.: The detection of faked identity using unexpected questions and mouse dynamics. PloS One (2017)
Mouseflow (2017). https://mouseflow.com/. Accessed 13 May 2017
Mowery, K., Bogenreif, D., Yilek, S., Shacham, H.: Fingerprinting information in JavaScript implementations. In: Proceedings of W2SP (2011)
Mulazzani, M., et al.: Fast and reliable browser identification with JavaScript engine fingerprinting. In: Web 2.0 Workshop on Security and Privacy (W2SP) (2013)
Olejnik, L., Castelluccia, C.: Of mice and men: mouse movements tracking and browser UI protections
Pentel, A.: Predicting age and gender by keystroke dynamics and mouse patterns. In: Conference on User Modeling, Adaptation and Personalization (2017)
Radinsky, K., Svore, K.M., Dumais, S., Teevan, J., Bocharov, A., Horvitz, E.: Modeling and predicting behavioral dynamics on the web (2012)
Rodden, K., Fu, X.: Exploring how mouse movements relate to eye movements on web search results pages. In: Web Information Seeking and Interaction (2007)
Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image CAPTCHAs. In: IEEE European Symposium on Security and Privacy (EuroS&P) (2016)
The WindowsClub: how to setup Firefox permission manager for websites (2017). https://goo.gl/PNOozZ. Accessed 19 May 2017
Tor: Tor project: Torbutton (2017). https://www.torproject.org/docs/torbutton. Accessed 13 May 2017
Ur, B., Leon, P.G., Cranor, L.F., Shay, R., Wang, Y.: Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: Symposium on Usable Privacy and Security (2012)
Walker, N., Millians, J., Worden, A.: Mouse accelerations and performance of older computer users. In: Human Factors and Ergonomics Society Annual Meeting. SAGE Publications (1996)
Wang, G., Konolige, T., Wilson, C., Wang, X., Zheng, H., Zhao, B.Y.: You are how you click: clickstream analysis for sybil detection. In: USENIX Security Symposium (2013)
Wordpress: Are you a human - the fun spam blocker (2017). https://goo.gl/pszcYQ. Accessed 13 May 2017
WSJ: Facebook tests software to track your cursor on screen (2013). https://goo.gl/tM3zxu
Yamauchi, T.: Mouse trajectories and state anxiety: feature selection with random forest. In: IEEE Affective Computing and Intelligent Interaction (ACII) (2013)
Yamauchi, T., Seo, J.H., Jett, N., Parks, G., Bowman, C.: Gender differences in mouse and cursor movements. Int. J. Hum.-Comput. Interact. 31, 911–921 (2015)
Zheng, N., Paloski, A., Wang, H.: An efficient user verification system via mouse movements. In: Conference on Computer and Communications Security (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix
Appendix
An instance of game CAPTCHA. Targets (left) are static and moving objects (right) are mobile. The task of the user is to drag-drop a subset of moving objects to their corresponding target locations.
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Shrestha, P., Saxena, N., Neupane, A., Satvat, K. (2019). CATCHA: When Cats Track Your Movements Online. In: Heng, SH., Lopez, J. (eds) Information Security Practice and Experience. ISPEC 2019. Lecture Notes in Computer Science(), vol 11879. Springer, Cham. https://doi.org/10.1007/978-3-030-34339-2_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-34339-2_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34338-5
Online ISBN: 978-3-030-34339-2
eBook Packages: Computer ScienceComputer Science (R0)