Shortcomings in CAPTCHA Design and Implementation: Captcha2, a Commercial Proposal

Many CAPTCHA proposals have shortcomings in their design or implementation that make them much weaker than intended. In this paper we study Captcha2, a commercial algorithm, to illustrate typical flaws that leave many CAPTCHAs prone to successful low-cost attacks. The attack we present uses no AI techniques and does not affect the resilience of the original AI problem this CAPTCHA is (supposedly) based upon; for that reason it can be considered a pure side-channel attack. We conclude with some tips for improving this CAPTCHA, which can also be used as general guidelines for avoiding a certain family of very common flaws.
