Existing CAPTCHA solutions are a major source of user frustration on the Internet today, frequently forcing companies to lose customers and business. Game CAPTCHAs are a promising approach which may make CAPTCHA solving a fun activity for the user. One category of such CAPTCHAs – called Dynamic Cognitive Game (DCG) CAPTCHA – challenges the user to perform a game-like cognitive (or recognition) task interacting with a series of dynamic images. Specifically, it takes the form of many objects floating around within the images, and the user’s task is to match the objects corresponding to specific target(s), and drag/drop them to the target region(s).
In this paper, we pursue a comprehensive analysis of DCG CAPTCHAs. We design and implement such CAPTCHAs, and dissect them across four broad but overlapping dimensions: (1) usability, (2) fully automated attacks, (3) human-solving relay attacks, and (4) hybrid attacks that combine the strengths of automated and relay attacks. Our study shows that DCG CAPTCHAs are highly usable, even on mobile devices and offer some resilience to relay attacks, but they are vulnerable to our proposed automated and hybrid attacks.
L.V.Ahn, M.Blum, N.J.Hopper and J.Langford, CAPTCHA: Using hard AI problems for security, in: EUROCRYPT, 2003.
2.
Are you a human, http://areyouahuman.com/.
3.
H.S.Baird and J.L.Bentley, Implicit captchas, in: Electronic Imaging, 2005.
4.
A.Basso and F.Bergadano, Anti-bot strategies based on human interactive proofs, in: Handbook of Information and Communication Security2010, pp. 273–291.
5.
J.Brooke, SUS-a quick and dirty usability scale, in: Usability Evaluation in Industry, 1996, pp. 189–194.
6.
E.Bursztein, S.Bethard, C.Fabry, J.Mitchell and D.Jurafsky, How good are humans at solving CAPTCHAs? A large scale evaluation, in: IEEE Symposium on Security and Privacy, 2010.
7.
C.-C.Chang and C.-J.Lin, LIBSVM: A library for support vector machines, ACM Transactions on Intelligent Systems and Technology2(3) (2011).
8.
K.Chellapilla, K.Larson, P.Simard and M.Czerwinski, Designing human friendly human interaction proofs (HIPs), in: ACM CHI, 2005.
9.
S.Chen, M.Shyu, C.Zhang and R.L.Kashyap, Identifying overlapped objects for video indexing and modeling in multimedia database systems, International Journal on Artificial Intelligence Tools (2001).
10.
M.Chew and H.S.Baird, Baffletext: A human interactive proof, in: Electronic Imaging, 2003.
11.
Cracking the AreYouAHuman Captcha, http://spamtech.co.uk/software/bots/cracking-the-areyouhuman-captcha/.
12.
D.Danchev, Inside India’s CAPTCHA solving economy, available at: http://blogs.zdnet.com/security/?p=1835.
13.
C.Doctorow, Solving and creating CAPTCHAs with free porn, in: Boing Boing, 2004, available at: http://www.boingboing.net/2004/01/27/solving_and_creating.html.
14.
M.Egele, L.Bilge, E.Kirda and C.Kruegel, CAPTCHA smuggling: Hijacking web browsing sessions to create CAPTCHA farms, in: ACM Symposium on Applied Computing, 2010.
15.
J.Elson, J.R.Douceur, J.Howell and J.Saul, Asirra: A CAPTCHA that exploits interest-aligned manual image categorization, in: ACM CCS, 2007.
16.
J.H.Friedman, J.L.Bentley and R.A.Finkel, An algorithm for finding best matches in logarithmic expected time, ACM Transactions on Mathematical Software (TOMS)3(3) (1977).
17.
S.Gao, M.Mohamed, N.Saxena and C.Zhang, Gaming the game: Defeating a game CAPTCHA with efficient and robust hybrid attacks, in: IEEE International Conference on Multimedia and Expo (ICME), IEEE, 2014.
18.
C.Gentry, Z.Ramzan and S.Stubblebine, Secure distributed human computation, in: ACM Conference on Electronic Commerce, EUROCRYPT, 2005.
19.
J.N.Gross, CAPTCHA using challenges optimized for distinguishing between humans and machines, 2009, US Patent App. 12/484,800.
20.
J.M.G.Hidalgo and G.Alvarez, CAPTCHAs: An artificial intelligence application to web security, Advances in Computers83 (2011).
K.Kluever, Breaking the PayPal.com CAPTCHA, 2008, available at: http://www.kloover.com/2008/05/12/breaking-the-paypalcom-captcha/.
23.
K.A.Kluever and R.Zanibbi, Balancing usability and security in a video CAPTCHA, in: Symposium on Usable Privacy and Security, 2009.
24.
J.Lewis and J.Sauro, The factor structure of the system usability scale, in: Human Computer Interaction International Conference (HCII), 2009.
25.
M.Mohamed, S.Gao, N.Saxena and C.Zhang, Dynamic cognitive game CAPTCHA usability and detection of streaming-based farming, in: The Workshop on Usable Security (USEC), co-located with NDSS, 2014.
26.
M.Mohamed, N.Sachdeva, M.Georgescu, S.Gao, N.Saxena, C.Zhang, P.Kumaraguru, P.C.van Oorschot and W.-B.Chen, A three-way investigation of a game-CAPTCHA: Automated attacks, relay attacks and usability, in: ACM Symposium on Information, Computer and Communications Security, ACM, 2014.
27.
M.Motoyama, K.Levchenko, C.Kanich, D.McCoy, G.M.Voelker and S.Savage, Re: CAPTCHAs-understanding CAPTCHA-solving services in an economic context, in: USENIX Security, 2010, pp. 435–462.
28.
S.Prasad, Google’s CAPTCHA busted in recent spammer tactics, 2008, available at: http://securitylabs.websense.com/content/Blogs/2919.aspx.
29.
G.Reynaga, The usability of Captchas on mobile devices, PhD thesis, Carleton University Ottawa, 2015.
30.
A.Rusu and V.Govindaraju, Handwritten CAPTCHA: Using the difference in the abilities of humans and machines in reading handwritten words, in: Frontiers in Handwriting Recognition, 2004.
31.
G.Sauer, H.Hochheiser, J.Feng and J.Lazar, Towards a universally usable CAPTCHA, in: SOUPS, 2008.
32.
M.Shirali-Shahreza and S.Shirali-Shahreza, Collage captcha, in: Signal Processing and Its Applications, 2007.
33.
D.Stefan and D.Yao, Keystroke-dynamics authentication against synthetic forgeries, in: CollaborateCom, 2010.
34.
M.J.Swain and D.H.Ballard, Indexing via color histograms, in: Active Perception and Robot Vision, 1992.
35.
SWF encrypt: Encrypt, obfuscate & protect your flash SWF ActionScript & resources from decompilers. http://www.amayeta.com/software/swfencrypt/.
36.
L.Von Ahn and L.Dabbish, Labeling images with a computer game, in: SIGCHI Conference on Human Factors in Computing Systems, 2004.
37.
L.Von Ahn, B.Maurer, C.McMillen, D.Abraham and M.Blum, reCAPTCHA: Human-based character recognition via web security measures, Science321(5895) (2008).
38.
Y.Xu, G.Reynaga, S.Chiasson, J.-M.Frahm, F.Monrose and P.C.van Oorschot, Security and usability challenges of moving-object CAPTCHAs: Decoding codewords in motion, in: USENIX Security, 2012.
39.
J.Yan and A.S.El Ahmad, Usability of CAPTCHAs or usability issues in CAPTCHA design, in: SOUPS, 2008.
40.
J.Yan and A.S.El Ahmad, A low-cost attack on a Microsoft CAPTCHA, in: ACM Conference on Computer and Communications Security, 2008.
41.
C.Zhang, W.-B.Chen, X.Chen, R.Tiwari, L.Yang and G.Warner, A multimodal data mining framework for revealing common sources of spam images, Journal of Multimedia (2009).
42.
B.B.Zhu, J.Yan, Q.Li, C.Yang, J.Liu, N.Xu, M.Yi and K.Cai, Attacks and design of image recognition CAPTCHAs, in: ACM CCS, 2010.
