论文信息 - Employing Response Time Constraints to Mitigate CAPTCHA Relay Attacks

Employing Response Time Constraints to Mitigate CAPTCHA Relay Attacks

Existing CAPTCHA systems are majorly single challenge-response systems that makes it easy for automated scripts such as bots and zombies to answer the test. A Multiple CAPTCHA Challenge-Response Systems (M-CRs) was introduced in [10] as a means of overcoming the inadequacies of the single challenge-response system. Unfortunately, attackers now use unsuspecting humans rather than automated script to solve CAPTCHAs at a price. This scenario, reffered to as CAPTCHA relay attack, has therefore emerged as a new challenge to authentication in online transactions. In this paper, we employ response time constraints as a measure to mitigate CAPTCHA relay attacks. The mechanism utilize time between responses as a way of differentiating humans from automated scripts. A genuine user is granted access to system resources when the CAPTCHAs are solved within specified time limits. Lack of response to solving multiple CAPTCHAs are taken as emanating from automated scripts. By so doing, attacker using relay tactics end up having incomplete solution for the challenge and thus a denial of service response to protected online resources

U. C. Ugwuoke

[1] Moni Naor,et al. VERI CATION OF A HUMAN IN THE LOOP OR IDENTI CATION VIA THE TURING TEST , 1996 .

[2] Gerhard P. Hancke,et al. A Practical Relay Attack on ISO 14443 Proximity Cards , 2005 .

[3] John Langford,et al. CAPTCHA: Using Hard AI Problems for Security , 2003, EUROCRYPT.

[4] Craig Gentry,et al. Secure distributed human computation , 2005, EC '05.

[5] Paul C. van Oorschot,et al. On countering online dictionary attacks with login histories and humans-in-the-loop , 2006, TSEC.

[6] Jeffrey K. MacKie-Mason,et al. Security when people matter: structuring incentives for user behavior , 2007, ICEC.

[7] Martin Hlavác,et al. A Note on the Relay Attacks on e-passports: The Case of Czech e-passports , 2007, IACR Cryptol. ePrint Arch..

[8] Dependent CAPTCHAs : Preventing the Relay Attack , 2007 .

[9] Stefan Köpsell,et al. How to achieve blocking resistance for existing systems enabling anonymous web surfing , 2004, WPES '04.

[10] Avishai Wool,et al. Picking Virtual Pockets using Relay Attacks on Contactless Smartcard , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).