A SURVEY AND ANALYSIS OF CURRENT CAPTCHA APPROACHES
Keywords:
Web information systems, Security, CAPTCHAs
Abstract
Computer programs are misusing Internet services designed for humans. A CAPTCHA, Completely Automated Public Turing test to tell Computers and Humans Apart, is a standard security mechanism to defend against such attacks. Two fundamental issues with CAPTCHAs are usability and robustness. It is important for a CAPTCHA to be both legible for humans and strong against malicious computer programs. Recently, computer vision and pattern recognition algorithms have broken many well-known CAPTCHAs. Lack of security and usability in CAPTCHAs designed to protect popular websites such as Gmail and Yahoo mail, with almost 500 million users in July 2011, would cause huge problems. Therefore, security researchers have become motivated to discover techniques to improve CAPTCHAs. Exploiting the gap in recognition abilities between humans and computers is key to designing a CAPTCHA that is hard to break for machines but easy to solve for humans. In this paper, we introduce current CAPTCHAs and attacks against them; we investigate the robustness and usability of current CAPTCHAs and discuss ideas to develop more robust and usable CAPTCHAs.