ABSTRACT
Image captchas are now widely used across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision techniques are gradually diminishing the security of image captchas; yet, little is known thus far about the vulnerability of image captchas deployed in real-world settings. In this paper, we conduct the first systematic study of the security of image captchas in the wild. We classify the currently popular image captchas into three categories: selection-, slide- and click-based captchas. We propose three effective and generic attacks, each against one of these categories. We evaluate our attacks against 10 popular real-world image captchas, including those from tencent.com, google.com, and 12306.cn. Furthermore, we compare our attacks with 9 online image recognition services and with human workers from 8 underground captcha-solving services. Our studies show that: (1) all of those popular image captchas are vulnerable to our attacks; (2) our attacks significantly outperform the state-of-the-art approaches in almost all scenarios; and (3) our attacks achieve effectiveness comparable to human workers but with much higher efficiency. Based on our evaluation, we identify the design flaws of those popular schemes, the best practices, and the design principles toward more secure captchas.
Towards Evaluating the Security of Real-World Deployed Image CAPTCHAs