ISSN: 1545-5971
Yi Xu, University of North Carolina at Chapel Hill, Chapel Hill
Gerardo Reynaga, Carleton University, Ottawa
Sonia Chiasson, Carleton University, Ottawa
Jan-Michael Frahm, University of North Carolina at Chapel Hill, Chapel Hill
Fabian Monrose, University of North Carolina at Chapel Hill, Chapel Hill
Paul Van Oorschot, Carleton University, Ottawa
We explore the robustness and usability of moving-image object recognition (video) CAPTCHAs, designing and implementing automated attacks based on computer vision techniques. Our approach is suitable for broad classes of moving-image CAPTCHAs involving rigid objects. We first present an attack that defeats instances of a state-of-the-art approach involving dynamic text strings called codewords. We then consider design modifications to mitigate the attacks, and test whether the designs modified for greater robustness maintain usability. Our lab-based studies show that the modified CAPTCHAs fail to offer viable usability, even when the CAPTCHA strength is reduced below acceptable targets. Worse yet, our GPU-based implementation shows that our automated approach can decode these CAPTCHAs faster than humans can, and we can do so at a relatively low cost of roughly 50 cents per 1000 CAPTCHAs solved based on Amazon EC2 rates circa 2012. To further demonstrate the challenges in designing usable CAPTCHAs, we also implement and test another variant of moving text strings using the known "emerging images" concept. This variant is resilient to our attacks and also offers similar usability to commercially available approaches. We explain why fundamental elements of the emerging images idea resist our current attack where others fail.
Human factors, Authentication, Access controls

Y. Xu, G. Reynaga, S. Chiasson, J. Frahm, F. Monrose and P. Van Oorschot, "Security Analysis and Related Usability of Motion-based CAPTCHAs: Decoding Codewords in Motion," in IEEE Transactions on Dependable and Secure Computing.