The Robustness of CAPTCHAs: A Security Engineering Perspective

Dr Jeff Yan; Ahmad El Ahmad

The Robustness of CAPTCHAs: A Security Engineering Perspective Lookup NU author(s) Dr Jeff Yan Ahmad El Ahmad



Author(s)		Yan J, El Ahmad AS
Publication type		Report
Series Title		School of Computing Science Technical Report Series
Year		2009
Date		November 2009
Report Number		1180
Pages		17



Full text is available for this publication: Full text file 1




CAPTCHA (or Human Interaction Proof) is now almost a standard security technique for defending against undesirable or malicious bot programs on the Internet. However, the robustness of CAPTCHAs has so far been studied mainly just in communities such as computer vision, and document analysis and recognition. This paper motivates a security engineering perspective of the robustness of CAPTCHAs. Specifically, we show that a number of CAPTCHAs that appeared to be secure, including schemes widely deployed by Microsoft, Yahoo and Google and some other less well-known ones, could be broken with a high success rate with simple but novel attacks. In contrast to earlier work that relied on sophisticated computer vision algorithms, our attacks exploited critical design errors that we discovered in each scheme. The main lesson is that security engineering expertise and experience, in particular adversarial thinking skills, can make a unique and significant contribution to the improvement of the robustness of CAPTCHAs.



Institution		School of Computing Science, University of Newcastle upon Tyne
Place Published		Newcastle upon Tyne
URL		http://www.cs.ncl.ac.uk/publications/trs/papers/1180.pdf
Actions