Security Analysis and Related Usability of Motion-Based CAPTCHAs: Decoding Codewords in Motion

We explore the robustness and usability of moving-image object recognition (video) CAPTCHAs, designing and implementing automated attacks based on computer vision techniques. Our approach is suitable for broad classes of moving-image CAPTCHAs involving rigid objects. We first present an attack that defeats instances of such a CAPTCHA (NuCaptcha) representing the state of the art, involving dynamic text strings called codewords. We then consider design modifications to mitigate the attacks (e.g., overlapping characters more closely, randomly changing the font of individual characters, or even randomly varying the number of characters in the codeword). We implement the modified CAPTCHAs and test whether designs modified for greater robustness maintain usability. Our lab-based studies show that the modified CAPTCHAs fail to offer viable usability, even when the CAPTCHA strength is reduced below acceptable targets. Worse yet, our GPU-based implementation shows that our automated approach can decode these CAPTCHAs faster than humans can, and we can do so at a relatively low cost of roughly 50 cents per 1,000 CAPTCHAs solved based on Amazon EC2 rates circa 2012. To further demonstrate the challenges in designing usable CAPTCHAs, we also implement and test another variant of moving text strings using the known emerging images concept. This variant is resilient to our attacks and also offers similar usability to commercially available approaches. We explain why fundamental elements of the emerging images idea resist our current attack where others fail.
