CAPTCHA Security: A Case Study

Jeff Yan; Ahmad Salah El Ahmad

doi:10.1109/MSP.2009.84

Security&Privacy
2009
Issue No. 4 - July/August
Abstract - CAPTCHA Security: A Case Study

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Jeff Yan Articles by Ahmad Salah El Ahmad

CAPTCHA Security: A Case Study

July/August 2009 (vol. 7 no. 4)

pp. 22-28

	ASCII Text	x
	Jeff Yan, Ahmad Salah El Ahmad, "CAPTCHA Security: A Case Study," IEEE Security & Privacy, vol. 7, no. 4, pp. 22-28, July/August, 2009.

	BibTex	x
	@article{ 10.1109/MSP.2009.84, author = {Jeff Yan and Ahmad Salah El Ahmad}, title = {CAPTCHA Security: A Case Study}, journal ={IEEE Security & Privacy}, volume = {7}, number = {4}, issn = {1540-7993}, year = {2009}, pages = {22-28}, doi = {http://doi.ieeecomputersociety.org/10.1109/MSP.2009.84}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - MGZN JO - IEEE Security & Privacy TI - CAPTCHA Security: A Case Study IS - 4 SN - 1540-7993 SP22 EP28 EPD - 22-28 A1 - Jeff Yan, A1 - Ahmad Salah El Ahmad, PY - 2009 KW - CAPTCHA KW - security KW - pixel count KW - dictionary attacks VL - 7 JA - IEEE Security & Privacy ER -

Jeff Yan, Newcastle University, England

Ahmad Salah El Ahmad, Newcastle University, England

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2009.84

CAPTCHAs have been widely used across the Internet to defend against undesirable or malicious bot programs. In this article, the authors describe the security of a CAPTCHA reported in a recent peer-reviewed paper and deployed on the Internet. They show that although this scheme was effectively resistant to one of the best optical character recognition programs on the market, they could break it with a success rate of higher than 90 percent by using a simple but novel attack. In contrast to early work that relied on sophisticated computer vision or machine learning algorithms, they used simple pattern recognition algorithms that exploited fatal design errors. The main contribution of their work is that simply counting the pixels in a CAPTCHA's characters can be a very powerful attack.

1. L. Von Ahn, M. Blum, and J. Langford, "Telling Humans and Computers Apart Automatically," Comm. ACM, vol. 47, no. 2, 2004, pp. 56–60.
2. J. Yan and A.S. El Ahmad, "A Low-Cost Attack on a Microsoft CAPTCHA," Proc. 15th ACM Conf. Computer and Communications Security (CCS 08), ACM Press, 2008, pp. 543–554.
3. T. Converse, "CAPTCHA Generation as a Web Service," Proc. 2nd Int'l Workshop on Human Interactive Proofs (HIP 05), LNCS 3517, H.S. Baird, and D.P. Lopresti eds., Springer-Verlag, 2005, pp. 82–96.
4. J. Yan, and A.S. El Ahmad, "Breaking Visual CAPTCHAs with Naïve Pattern Recognition Algorithms," Proc. 23rd Annual Computer Security Applications Conf. (ACSAC 07), IEEE CS Press, 2007, pp. 279–291.
5. G. Mori and J. Malik, "Recognising Objects in Adversarial Clutter: Breaking a Visual CAPTCHA," Proc. IEEE Conf. Computer Vision and Pattern Recognition, IEEE CS Press, 2003, pp. 134–141.
6. G. Moy et al., "Distortion Estimation Techniques in Solving Visual CAPTCHAs," Proc. IEEE Conf. Computer Vision and Pattern Recognition, IEEE CS Press, 2004, pp. 23–28.
7. K. Chellapilla et al., "Designing Human Friendly Human Interaction Proofs," Proc. ACM Conf. Human Factors in Computing Systems (CHI 05), ACM Press, 2005, pp. 711–720.

Index Terms:

CAPTCHA, security, pixel count, dictionary attacks

Citation:

Jeff Yan, Ahmad Salah El Ahmad, "CAPTCHA Security: A Case Study," IEEE Security & Privacy, vol. 7, no. 4, pp. 22-28, July-Aug. 2009, doi:10.1109/MSP.2009.84

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.