Top

Published in:

2019 | OriginalPaper | Chapter

A Simple Attack on CaptchaStar

Authors : Thomas Gougeon, Patrick Lacharme

Published in: Information Systems Security and Privacy

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

CaptchaStar is a new type of Captcha, proposed in 2016, based on shape recovery. This paper shows that the security of this Captcha is not as good as intended. More precisely, we present and implement an efficient attack on CaptchaStar with a success rate of 96%. The impact of this attack is also investigated in other scenarios as noise addition, and it continues to be very efficient. This paper is a revised version of the paper entitled How to break CaptchaStar, presented at the conference ICISSP 2018 [29].

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORS

next chapter Notify This: Exploiting Android Notifications for Fun and Profit

Available only for authorised users

Captcha will be now written in lower-case for a better readability of the paper.

von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: using hard AI problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_18CrossRef

von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: Telling humans and computers apart automatically. Commun. ACM 47(2), 57–60 (2004)

von Ahn, L., Dabbish, L.: Labeling images with a computer game. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 319–326 (2004)

von Ahn, L., Dabbish, L.: Designing games with a purpose. Commun. ACM 51(8), 58–67 (2008)

von Ahn, L., Maurer, B., McMillen, C., Abraham, D., Blum, M.: reCAPTCHA: human-based character recognition via web security measures. Science 321, 1465–1468 (2008)MathSciNetCrossRef

Algwil, A., Ciresan, D., Liu, B.B., Yan, J.: A security analysis of automated Chinese turing tests. In: Annual Conference on Computer Security Applications (ACSAC), pp. 520–532 (2016)

Baird, H.S., Coates, A.L., Fateman, R.J.: PessimalPrint: a reverse turing test. Int. J. Doc. Anal. Recognit. 5(2–3), 158–163 (2003)CrossRef

Bursztein, E., Aigrain, J., Moscicki, A., Mitchell, J.C.: The end is nigh: generic solving of text-based CAPTCHAs. In: USENIX Workshop on Offensive Technologies (WOOT) (2014)

Bursztein, E., Beauxis, R., Paskov, H.S., Perito, D., Fabry, C., Mitchell, J.C.: The failure of noise-based non-continuous audio CAPTCHAs. In: IEEE Symposium on Security and Privacy (S&P), pp. 19–31 (2011)

10.

Bursztein, E., Bethard, S.: DeCAPTCHA: breaking 75% of ebay audio CAPTCHAs. In: USENIX Coference on Offensive Technologies (2009)

11.

Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: IEEE Symposium on Security and Privacy (S&P), pp. 399–413 (2010)

12.

Bursztein, E., Martin, M., Mitchell, J.: Text-based CAPTCHA strengths and weaknesses. In: ACM Conference on Computer and Communications Security (CCS), pp. 125–138 (2011)

13.

Bursztein, E., Moscicki, A., Fabry, C., Bethard, S., Mitchell, J.C., Jurafsky, D.: Easy does it: more usable CAPTCHAs. In: Conference on Human Factors in Computing Systems (CHI), pp. 2637–2646 (2014)

14.

Chellapilla, K., Larson, K., Simard, P.Y., Czerwinski, M.: Building segmentation based human-friendly human interaction proofs (HIPs). In: Baird, H.S., Lopresti, D.P. (eds.) HIP 2005. LNCS, vol. 3517, pp. 1–26. Springer, Heidelberg (2005). https://doi.org/10.1007/11427896_1CrossRef

15.

Chellapilla, K., Larson, K., Simard, P.Y., Czerwinski, M.: Designing human friendly human interaction proofs. In: ACM Conference on Human Factors in Computing Systems (CHI), pp. 711–720 (2005)

16.

Chellapilla, K., Simard, P.Y.: Using machine learning to break visual human interaction proofs (HIPs). In: Neural Information Processing Systems (NIPS), pp. 265–272 (2004)

17.

Chew, M., Tygar, J.D.: Image recognition CAPTCHAs. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 268–279. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8_23CrossRef

18.

Conti, M., Guarisco, C., Spolaor, R.: CAPTCHaStar! A novel CAPTCHA based on interactive shape discovery. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 611–628. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_33CrossRef

19.

Conti, M., Guarisco, C., Spolaor, R.: CAPTCHaStar demo (2016). http://captchastar.math.unipd.it/demo.php

20.

Cui, J.S., Mei, J.T., Zhang, W.Z., Wang, X., Zhang, D.: A CAPTCHA implementation based on moving objects recognition problem. In: IEEE International Conference on E-Business and E-Government (ICEE), pp. 1277–1280 (2010)

21.

Datta, R., Li, J., Wang, J.Z.: Imagination: a robust image-based CAPTCHA generation system. In: ACM International Conference on Multimedia, pp. 331–334 (2005)

22.

Elson, J., Douceur, J.R., Howell, J., Saul, J.: Asirra: a CAPTCHA that exploits interest-aligned manual image categorization. In: ACM Conference on Computer and Communications Security (CCS), pp. 366–374 (2007)

23.

Fidas, C., Voyiatzis, A., Avouris, N.: On the necessity of user-friendly CAPTCHA. In: SIGCHI Conference on Human Factors in Computing Systems (CHI), pp. 2623–2626 (2011)

24.

Gao, H., Wang, W., Qi, J., Wang, X., Liu, X., Yan, J.: The robustness of hollow CAPTCHAs. In: ACM Conference on Computer and Communications Security (CCS), pp. 1075–1086 (2013)

25.

Gao, H., et al.: A simple generic attack on text CAPTCHAs. In: Network and Distributed System Security Symposium (NDSS) (2016)

26.

Golle, P.: Machine learning attacks against the asirra CAPTCHA. In: ACM Conference on Computer and Communications Security (CCS), pp. 535–542 (2008)

27.

Goodfellow, I.J., Bulatov, Y., Ibarz, J., Arnoud, S., Shet, V.D.: Multi-digit number recognition from street view imagery using deep convolutional neural networks. coRR abs/1312.6082 (2013)

28.

Gossweiler, R., Kamvar, M., Baluja, S.: What’s up CAPTCHA? A CAPTCHA based on image orientation. In: 18th International Conference on World Wide Web (WWW), pp. 841–850 (2008)

29.

Gougeon, T., Lacharme, P.: How to break CAPTCHaStar. In: 4th International Conference on Information Systems Security and Privacy (ICISSP), pp. 41–51 (2018)

30.

Hernández-Castro, C.J., R-Moreno, M.D., Barrero, D.F., Gibson, S.: Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis. Comput. Secur. 70, 744–756 (2017)CrossRef

31.

Hernández-Castro, C.J., Ribagorda, A.: Pitfalls in CAPTCHA design and implementation: the math CAPTCHA, a case study. Comput. Secur. 29, 141–157 (2010)CrossRef

32.

Hindle, A., Godfreya, M.W., Holt, R.C.: Reverse engineering CAPTCHAs (2008)

33.

Kim, J., Kim, S., Yang, J., Ryu, J., Wohn, K.: FaceCAPTCHA: a CAPTCHA that identifies the gender of face images unrecognized by existing gender classifiers. Multimed. Tools Appl. 72(2), 1215–1237 (2014)CrossRef

34.

Kim, J., Chung, W., Cho, H.: A new image-based CAPTCHA using the orientation of the polygonally cropped sub-images. Vis. Comput. 26, 1135–1143 (2010)CrossRef

35.

Kluever, K.A., Zanibbi, R.: Balancing usability and security in a video CAPTCHA. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2009)

36.

Mohamed, M., Gao, S., Saxena, N., Zhang, C.: Dynamic cognitive game CAPTCHA usability and detection of streaming-based farming. In: Workshop NDSS on Usable Security (USEC) (2014)

37.

Mohamed, M., et al.: A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 195–206 (2014)

38.

Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual CAPTCHA. In: Conference on Computer Vision and Pattern Recognition (CVPR), pp. 133–144 (2003)

39.

Motoyama, M., Levchenko, K., Kanich, C., McCoy, D., Voelker, G.M., Savage, S.: Re: CAPTCHAs-understanding CAPTCHA-solving services in an economic context. In: USENIX Security Symposium, vol. 10, pp. 435–462 (2010)

40.

Naor, M.: Verification of a human in the loop or identification via the turing test (1996)

41.

Nejati, H., Cheung, N.M., Sosa, R., Koh, D.C.I.: DeepCAPTCHA: an image CAPTCHA based on depth perception. In: ACM Multimedia Systems Conference (MMSys), pp. 81–90 (2014)

42.

Nguyen, V.D., Chow, Y.W., Susilo, W.: On the security of text-based 3D CAPTCHAs. Comput. Secur. 45, 84–99 (2014)CrossRef

43.

Osadchy, M., Hernandez-Castro, J., Gibson, S., Dunkelman, O., Perez-Cabo, D.: No bot expects the deepCAPTCHA! Introducing immutable adversarial examples with applications to CAPTCHA. iACR Cryptology ePrint Archive (2016)

44.

Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: ACM Computer and Security Conference (CCS), pp. 161–170 (2002)

45.

Rui, Y., Liu, Z.: Artifacial: automated reverse turing test using facial features. Multimed. Syst. 9(6), 493–502 (2004)CrossRef

46.

Shirali-Shahreza, S., Shirali-Shahreza, M.: CAPTCHA for children. In: IEEE International Conference on System of Systems Engineering (SoSE), pp. 1–6 (2008)

47.

Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)

48.

Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image CAPTCHAs. In: IEEE European Symposium on Security and Privacy (EuroS&P), pp. 388–403 (2016)

49.

Tam, J., Simsa, J., Hyde, S., von Ahn, L.: Breaking audio CAPTCHAs. In: Advances in Neural Information Processing Systems (NIPS), pp. 1625–1632 (2008)

50.

Thomas, K., McCoy, D., Grier, C., Kolcz, A., Paxson, V.: Trafficking fraudulent accounts: the role of the underground market in Twitter spam and abuse. In: USENIX Security Symposium. pp. 195–210 (2013)

51.

Truong, H.D., Turner, C.F., Zou, C.C.: iCAPTCHA: the next generation of CAPTCHA designed to defend against 3rd party human attacks. In: IEEE International Conference on Communications (ICC), pp. 1–6 (2011)

52.

Turing, A.M.: Computing machinery and intelligence. Mind 59(236), 433–460 (1950)MathSciNetCrossRef

53.

Wilkins, J.: Strong CAPTCHA guidelines. Technical Report (v1.2) (2009)

54.

Xu, Y., Reynaga, G., Chiasson, S., Frahm, J.M., Monrose, F., van Oorschot, P.C.: Security and usability challenges of moving-object CAPTCHAs: decoding codewords in motion. In: USENIX Security Symposium, pp. 49–64 (2012)

55.

Yan, J., Ahmad, A.S.E.: Breaking visual CAPTCHAs with naive pattern recognition algorithms. In: Annual Computer Security Applications Conference (ACSAC), pp. 279–291 (2007)

56.

Yan, J., Ahmad, A.S.E.: A low-cost attack on a Microsoft CAPTCHA. In: ACM Conference on Computer and communications security (CCS), pp. 543–554 (2007)

57.

Yan, J., Ahmad, A.S.E.: Usability of CAPTCHAs or usability issues in CAPTCHA design. In: 4th Symposium on Usable Privacy and Security (SOUPS), pp. 44–52 (2008)

58.

Yan, J., Ahmad, A.S.E.: CAPTCHA security: a case study. IEEE Secur. Priv. 7(4), 22–28 (2009)CrossRef

59.

Zhu, B.B., et al.: Attacks and design of image recognition CAPTCHAs. In: ACM Conference on Computer and Communications Security (CCS), pp. 187–200 (2010)

Title: A Simple Attack on CaptchaStar
Authors: Thomas Gougeon
Patrick Lacharme
Publisher: Springer International Publishing
Book: Information Systems Security and Privacy
Print ISBN: 978-3-030-25108-6

Electronic ISBN: 978-3-030-25109-3

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-25109-3_4

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner