DOI: 10.1145/1654988.1654994

Captcha-free throttling

Published: 09 November 2009

Abstract

We argue that the CAPTCHA in its current incarnation may be near the end of its useful life, and propose an alternative throttling mechanism to control access to web resources. We analyze our proposed solution against a collection of realistic adversaries and conclude that it is a viable approach.
Because they may be of independent value, we also describe heuristic tools for identifying cookie theft, machine cloning attacks, and DNS poisoning attacks.


Cited By

  • (2016) I am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs. 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 388-403. doi:10.1109/EuroSP.2016.37. Online publication date: March 2016.
  • (2010) Breaking e-banking CAPTCHAs. Proceedings of the 26th Annual Computer Security Applications Conference, pp. 171-180. doi:10.1145/1920261.1920288. Online publication date: 6 December 2010.
  • (2010) STE3D-CAP: Stereoscopic 3D CAPTCHA. Cryptology and Network Security, pp. 221-240. doi:10.1007/978-3-642-17619-7_17. Online publication date: 2010.


Published In

AISec '09: Proceedings of the 2nd ACM workshop on Security and artificial intelligence
November 2009, 72 pages
ISBN: 9781605587813
DOI: 10.1145/1654988
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access
  2. captcha
  3. cloning
  4. cookie theft
  5. dns poisoning
  6. malware
  7. scripting
  8. throttle
  9. usability

Qualifiers

  • Research-article

Conference

CCS '09

Acceptance Rates

Overall Acceptance Rate 94 of 231 submissions, 41%

