
The CAPTCHA ("Completely Automated Public Turing Test To Tell Computers and Humans Apart") became quite popular in this decade, coinciding with the rise of email spam and scripted dictionary attacks. A lot of research (including some by this author) has either used traditional CAPTCHAs for their intended goal or worked on making them easier to defeat, whether by OCR technology or social engineering means. While CAPTCHA research has generally focused on the image-based version, a paper to be presented later this week at the Neural Information Processing Systems Conference will demonstrate that even audio recognition CAPTCHAs are relatively easy to crack.
Those who are familiar with CAPTCHAs are likely familiar with their weaknesses:
- CAPTCHAs must be "hard" for a machine to solve, but "easy enough" for a human to solve, which prevents CAPTCHA designers from getting carried away (though sometimes they err on the side of caution).
- CAPTCHAs require a large number of assumptions. Visual CAPTCHAs assume that the human can see fairly clearly, recognizes the character set, is not color-blind, and so on. Audio CAPTCHAs assume that the human can hear clearly, shares the same language, and has software to play the audio file, among others. Pattern-matching may rely on the human sharing the same culture as the designer (e.g., "cow" could relate to "chicken" because both are farm animals, or to a "cat" because they are four-legged mammals) as well as recognizing what all images represent.
- Most of all, CAPTCHAs are annoying. Really annoying.
The CAPTCHA's biggest problem is its success. Because they worked for a while, they are as popular as requiring a username/password. Many user-generated content sites have them. However, CAPTCHAs have a very low substantive vs. perceived security "quotient". CAPTCHAs are perceived as very secure since they are so hard for humans to solve without due diligence. Yet they are that hard because artificial intelligence techniques have rendered previous CAPTCHAs obsolete. CAPTCHAs are solved by machines all the time, one way or another. Undoubtedly, the time has come for a new CAPTCHA whose perceived security is matched substantively. The construction of such a "CAPTCHA 2.0" is left as an exercise for the reader.
(Images are monochrome CAPTCHAs that read "ICS". The first uses warping, blurring and linear obfuscation. The second utilizes warping with low character segmentation and noise obfuscation.)
Erhan J. Kartaltepe,
erhan.kartaltepe-at-utsa.edu
