CAPTCHA Security: A Case Study
July/August 2009 (vol. 7 no. 4)
pp. 22-28
Jeff Yan, Newcastle University, England
Ahmad Salah El Ahmad, Newcastle University, England
CAPTCHAs have been widely used across the Internet to defend against undesirable or malicious bot programs. In this article, the authors describe the security of a CAPTCHA reported in a recent peer-reviewed paper and deployed on the Internet. They show that although this scheme was effectively resistant to one of the best optical character recognition programs on the market, they could break it with a success rate of higher than 90 percent by using a simple but novel attack. In contrast to early work that relied on sophisticated computer vision or machine learning algorithms, they used simple pattern recognition algorithms that exploited fatal design errors. The main contribution of their work is that simply counting the pixels in a CAPTCHA's characters can be a very powerful attack.

Index Terms:
CAPTCHA, security, pixel count, dictionary attacks
Jeff Yan, Ahmad Salah El Ahmad, "CAPTCHA Security: A Case Study," IEEE Security & Privacy, vol. 7, no. 4, pp. 22-28, July-Aug. 2009, doi:10.1109/MSP.2009.84