Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services

Authors: Haiqin Weng, Binbin Zhao, Shouling Ji, Jianhai Chen, Ting Wang, Qinming He, Raheem Beyah
College of Computer Science and Technology, Zhejiang University, Hangzhou 310058, China.
Department of Computer Science and Engineering, Lehigh University, Bethlehem, PA 19019, USA.
School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30302, USA.

Abstract

Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we first classify the currently popular image captchas into three categories: selection-based captchas, slide-based captchas, and click-based captchas. Second, we propose simple yet powerful attack frameworks against each of these categories of image captchas. Third, we systematically evaluate our attack frameworks against 10 popular real-world image captchas, including captchas from tencent.com, google.com, and 12306.cn. Fourth, we compare our attacks against nine online image recognition services and against human labor from eight underground captcha-solving services. Our evaluation results show that (1) each of the popular image captchas that we study is vulnerable to our attacks; (2) our attacks yield the highest captcha-breaking success rate compared with state-of-the-art methods in almost all scenarios; and (3) our attacks achieve almost as high a success rate as human labor while being much faster. Based on our evaluation, we identify some design flaws in these popular schemes, along with some best practices and design principles for more secure captchas. We also examine the underground market for captcha-solving services, identifying 152 such services. We then seek to measure this underground market with data from these services. Our findings shed light on the scale, impact, and commercial landscape of the underground market for captcha solving.

Keywords: image captchas, captcha security, captcha-solving service, underground market

Received: 21 September 2018
Accepted: 18 January 2019
Published: 14 May 2019
Issue date: June 2019
Copyright

© The author(s) 2019

Acknowledgements

This work was partly supported by the National Natural Science Foundation of China (Nos. 61772466 and U1836202), the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars (No. LR19F020003), the Provincial Key Research and Development Program of Zhejiang Province (No. 2017C01055), and the Alibaba-ZJU Joint Research Institute of Frontier Technologies.

Rights and permissions

Reprint and permission requests may be sought directly from the editorial office.