AI Chat Paper
Note: Please note that the following content is generated by AMiner AI. SciOpen does not take any responsibility related to this content.
{{lang === 'zh_CN' ? '文章概述' : 'Summary'}}
{{lang === 'en_US' ? '中' : 'Eng'}}
Chat more with AI
PDF (5 MB)
Collect
Submit Manuscript AI Chat Paper
Show Outline
Outline
Show full outline
Hide outline
Outline
Show full outline
Hide outline
Open Access

Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services

College of Computer Science and Technology, Zhejiang University, Hangzhou 310058, China.
Department of Computer Science and Engineering, Lehigh University, Bethlehem, PA 19019, USA.
School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30302, USA.
Show Author Information

Abstract

Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we first classify the currently popular image captchas into three categories: selection-based captchas, slide-based captchas, and click-based captchas. Second, we propose simple yet powerful attack frameworks against each of these categories of image captchas. Third, we systematically evaluate our attack frameworks against 10 popular real-world image captchas, including captchas from tencent.com, google.com, and 12306.cn. Fourth, we compare our attacks against nine online image recognition services and against human labors from eight underground captcha-solving services. Our evaluation results show that (1) each of the popular image captchas that we study is vulnerable to our attacks; (2) our attacks yield the highest captcha-breaking success rate compared with state-of-the-art methods in almost all scenarios; and (3) our attacks achieve almost as high a success rate as human labor while being much faster. Based on our evaluation, we identify some design flaws in these popular schemes, along with some best practices and design principles for more secure captchas. We also examine the underground market for captcha-solving services, identifying 152 such services. We then seek to measure this underground market with data from these services. Our findings shed light on understanding the scale, impact, and commercial landscape of the underground market for captcha solving.

References

[1]
L. Von Ahn, M. Blum, N. J. Hopper, and J. Langford, CAPTCHA: Using hard AI problems for security, in Proc. 2003 Int. Conf. the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 2003.
[2]
M. Chew and J. D. Tygar, Image recognition CAPTCHAs, in Proc. 7th Int. Conf. Information Security, Palo Alto, CA, USA, 2004.
[3]
K. F. Hwang, C. C. Huang, and G. N. You, A spelling based CAPTCHA system by using click, in Proc. 2012 Int. Symp. Biometrics and Security Technologies, Taipei, China, 2012.
[4]
N. J. Hopper and M. Blum, Secure human identification protocols, in Proc. 7th Int. Conf. the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, 2001.
[5]
S. Sivakorn, I. Polakis, and A. D. Keromytis, I am robot: (Deep) learning to break semantic image CAPTCHAs, in Proc. 2016 IEEE European Symp. Security and Privacy, Saarbrucken, Germany, 2016.
[6]
H. Q. Ya, H. N. Sun, J. Helt, and T. S. Lee, Learning to associate words and images using a large-scale graph, arXiv preprint arXiv: 1705.07768, 2017.
[7]
G. Mori and J. Malik, Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA, in Proc. 2003 IEEE Computer Society Conf. Computer Vision and Pattern Recognition, Madison, WI, USA, 2003.
[8]
K. Chellapilla and P. Y. Simard, Using machine learning to break visual Human Interaction Proofs (HIPs), in Proc. 17th Int. Conf. Neural Information Processing Systems, Vancouver, Canada, 2004.
[9]
E. Bursztein, J. Aigrain, A. Moscicki, and J. C. Mitchell, A low-cost attack on a Microsoft CAPTCHA, in Proc. 15th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, 2008.
[10]
E. Bursztein, M. Martin, and J. C. Mitchell, Text-based CAPTCHA strengths and weaknesses, in Proc. 18th ACM Conf. Computer and Communications Security, Chicago, IL, USA, 2011.
[11]
E. Bursztein, J. Aigrain, A. Moscicki, and J. C. Mitchell, The end is nigh: Generic solving of text-based CAPTCHAs, in Proc. 8th USENIX Conf. Offensive Technologies, San Diego, CA, USA, 2004.
[12]
H. C. Gao, J. Yan, F. Cao, Z. Y. Zhang, L. Lei, M. Y. Tang, P. Zhang, X. Zhou, X. Q. Wang, and J. W. Li, A simple generic attack on text captchas, in Proc. 23rd Annu. Network and Distributed System Security Symp., San Diego, CA, USA, 2016.
[13]
P. Golle, Machine learning attacks against the asirra CAPTCHA, in Proc. 15th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, 2008.
[14]
D. Lorenzi, J. Vaidya, E. Uzun, S. Sural, and V. Atluri, Attacking image based CAPTCHAs using image recognition techniques, in Proc. 8th Int. Conf. Information Systems Security, Guwahati, India, 2012.
[15]
A. Krizhevsky, I. Sutskever, and G. E. Hinton, ImageNet classification with deep convolutional neural networks, in Proc. 25th Int. Conf. Neural Information Processing Systems, Lake Tahoe, NV, USA, 2012.
[16]
R. Girshick, J. Donahue, T. Darrell, and J. Malik, Rich feature hierarchies for accurate object detection and semantic segmentation, in Proc. 2014 IEEE Conf. Computer Vision and Pattern Recognition, Columbus, OH, USA, 2014.
[17]
S. Q. Ren, K. M. He, R. Girshick, and J. Sun, Faster R-CNN: Towards real-time object detection with region proposal networks, in Proc. 28th Int. Conf. Neural Information Processing Systems, Montreal, Canada, 2015.
[18]
J. Redmon, S. Divvala, R. Girshick, and A. Farhadi, You only look once: Unified, real-time object detection, in Proc. 2016 IEEE Conf. Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 2016.
[19]
W. Liu, D. Anguelov, D. Erhan, C. Szegedy, S. Reed, C. Y. Fu, and A. C. Berg, SSD: Single shot multibox detector, in Proc. 14th European Conf. Computer Vision, Amsterdam, Netherlands, 2016.
[20]
K. M. He, X. Y. Zhang, S. Q. Ren, and J. Sun, Delving deep into rectifiers: Surpassing human-level performance on ImageNet classification, in Proc. 2015 IEEE Int. Conf. Computer Vision, Santiago, Chile, 2015.
[21]
J. Elson, J. R. Douceur, J. Howell, and J. Saul, Asirra: A CAPTCHA that exploits interest-aligned manual image categorization, in Proc. 14th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, 2007.
[22]
D. Misra and K. Gaj, Face recognition CAPTCHAs, in Proc.  2006 Advanced Int.  Conf.  Telecommunications and Int. Conf. Internet and Web Applications and Services, Guadelope, French, 2006.
[23]
J. Kim, J. Yang, and K. Wohn, AgeCAPTCHA: An image-based CAPTCHA that annotates images of human faces with their age groups, KSII Trans. Internet Inf. Syst., vol. 8, no. 3, pp. 1071-1092, 2014.
[24]
E. Uzun, S. P. H. Chung, I. Essa, and W. Lee, rtCaptcha: A real-time CAPTCHA based liveness detection system, in Proc. 25th Annu. Network and Distributed System Security Symp., San Diego, CA, USA, 2018.
[25]
D. Lorenzi, J. Vaidya, S. Sural, and V. Atluri, Web services based attacks against image CAPTCHAs, in Proc. 9th Int. Conf. Information Systems Security, Kolkata, India, 2013.
[26]
Y. LeCun, B. Boser, J. S. Denker, D. Henderson, R. E. Howard, W. E. Hubbard, and L. D. Jackel, Backpropagation applied to handwritten zip code recognition, Neural Comput., vol. 1, no. 4, pp. 541-551, 1989.
[27]
R. Girshick, Fast R-CNN, in Proc. 2015 IEEE Int. Conf. Computer Vision, Santiago, Chile, 2015.
[28]
M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M. Voelker, and S. Savage, Re: CAPTCHAs: Understanding CAPTCHA-solving services in an economic context, in Proc. 19th USENIX Conf. Security, Washington, DC, USA, 2010.
[29]
Y. Shin, M. Gupta, and S. A. Myers, The nuts and bolts of a forum spam automator, in Proc. 4th USENIX Conf. Large-Scale Exploits and Emergent Threats, Boston, MA, USA, 2011.
[30]
J. Deng, W. Dong, R. Socher, L. J. Li, K. Li, and F. F. Li, ImageNet: A large-scale hierarchical image database, in Proc. 2009 IEEE Conf. Computer Vision and Pattern Recognition, Miami, FL, USA, 2009.
[31]
I. J. Goodfellow, J. Shlens, and C. Szegedy, Explaining and harnessing adversarial examples, arXiv preprint arXiv: 1412.6572, 2014.
[32]
X. J. Liao, S. Alrwais, K. Yuan, L. Y. Xing, X. F. Wang, S. Hao, and R. Beyah, Lurking malice in the cloud: Understanding and detecting cloud repository as a malicious service, in Proc. 2016 ACM SIGSAC Conf. Computer and Communications Security, Vienna, Austria, 2016.
[33]
I. Polakis, P. Ilia, F. Maggi, M. Lancini, G. Kontaxis, S. Zanero, S. Ioannidis, and A. D. Keromytis, Faces in the distorting mirror: Revisiting photo-based social authentication, in Proc. 2014 ACM SIGSAC Conf. Computer and Communications Security, Scottsdale, AZ, USA, 2014.
Big Data Mining and Analytics
Pages 118-144
Cite this article:
Weng H, Zhao B, Ji S, et al. Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services. Big Data Mining and Analytics, 2019, 2(2): 118-144. https://doi.org/10.26599/BDMA.2019.9020001

1086

Views

46

Downloads

24

Crossref

20

Web of Science

28

Scopus

0

CSCD

Altmetrics

Received: 21 September 2018
Accepted: 18 January 2019
Published: 14 May 2019
© The author(s) 2019
Return