Home Big Data Mining and Analytics Article
PDF (5 MB)
Cite
EndNote(RIS) BibTeX
Collect
Submit Manuscript
Open Access

Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services

College of Computer Science and Technology, Zhejiang University, Hangzhou 310058, China.
Department of Computer Science and Engineering, Lehigh University, Bethlehem, PA 19019, USA.
School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30302, USA.
Show Author Information

Abstract

Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we first classify the currently popular image captchas into three categories: selection-based captchas, slide-based captchas, and click-based captchas. Second, we propose simple yet powerful attack frameworks against each of these categories of image captchas. Third, we systematically evaluate our attack frameworks against 10 popular real-world image captchas, including captchas from tencent.com, google.com, and 12306.cn. Fourth, we compare our attacks against nine online image recognition services and against human labors from eight underground captcha-solving services. Our evaluation results show that (1) each of the popular image captchas that we study is vulnerable to our attacks; (2) our attacks yield the highest captcha-breaking success rate compared with state-of-the-art methods in almost all scenarios; and (3) our attacks achieve almost as high a success rate as human labor while being much faster. Based on our evaluation, we identify some design flaws in these popular schemes, along with some best practices and design principles for more secure captchas. We also examine the underground market for captcha-solving services, identifying 152 such services. We then seek to measure this underground market with data from these services. Our findings shed light on understanding the scale, impact, and commercial landscape of the underground market for captcha solving.

Keywords

image captchascaptcha securitycaptcha-solving serviceunderground market

References

[1]
L. Von Ahn, M. Blum, N. J. Hopper, and J. Langford, CAPTCHA: Using hard AI problems for security, in Proc. 2003 Int. Conf. the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 2003.
Crossref
[2]
M. Chew and J. D. Tygar, Image recognition CAPTCHAs, in Proc. 7th Int. Conf. Information Security, Palo Alto, CA, USA, 2004.
Crossref
[3]
K. F. Hwang, C. C. Huang, and G. N. You, A spelling based CAPTCHA system by using click, in Proc. 2012 Int. Symp. Biometrics and Security Technologies, Taipei, China, 2012.
Crossref
[4]
N. J. Hopper and M. Blum, Secure human identification protocols, in Proc. 7th Int. Conf. the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, 2001.
Crossref
[5]
S. Sivakorn, I. Polakis, and A. D. Keromytis, I am robot: (Deep) learning to break semantic image CAPTCHAs, in Proc. 2016 IEEE European Symp. Security and Privacy, Saarbrucken, Germany, 2016.
Crossref
[6]
H. Q. Ya, H. N. Sun, J. Helt, and T. S. Lee, Learning to associate words and images using a large-scale graph, arXiv preprint arXiv: 1705.07768, 2017.
Google Scholar
[7]
G. Mori and J. Malik, Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA, in Proc. 2003 IEEE Computer Society Conf. Computer Vision and Pattern Recognition, Madison, WI, USA, 2003.
[8]
K. Chellapilla and P. Y. Simard, Using machine learning to break visual Human Interaction Proofs (HIPs), in Proc. 17th Int. Conf. Neural Information Processing Systems, Vancouver, Canada, 2004.
Crossref
[9]
E. Bursztein, J. Aigrain, A. Moscicki, and J. C. Mitchell, A low-cost attack on a Microsoft CAPTCHA, in Proc. 15th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, 2008.
[10]
E. Bursztein, M. Martin, and J. C. Mitchell, Text-based CAPTCHA strengths and weaknesses, in Proc. 18th ACM Conf. Computer and Communications Security, Chicago, IL, USA, 2011.
Crossref
[11]
E. Bursztein, J. Aigrain, A. Moscicki, and J. C. Mitchell, The end is nigh: Generic solving of text-based CAPTCHAs, in Proc. 8th USENIX Conf. Offensive Technologies, San Diego, CA, USA, 2004.
[12]
H. C. Gao, J. Yan, F. Cao, Z. Y. Zhang, L. Lei, M. Y. Tang, P. Zhang, X. Zhou, X. Q. Wang, and J. W. Li, A simple generic attack on text captchas, in Proc. 23rd Annu. Network and Distributed System Security Symp., San Diego, CA, USA, 2016.
Crossref
[13]
P. Golle, Machine learning attacks against the asirra CAPTCHA, in Proc. 15th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, 2008.
Crossref
[14]
D. Lorenzi, J. Vaidya, E. Uzun, S. Sural, and V. Atluri, Attacking image based CAPTCHAs using image recognition techniques, in Proc. 8th Int. Conf. Information Systems Security, Guwahati, India, 2012.
Crossref
[15]
A. Krizhevsky, I. Sutskever, and G. E. Hinton, ImageNet classification with deep convolutional neural networks, in Proc. 25th Int. Conf. Neural Information Processing Systems, Lake Tahoe, NV, USA, 2012.
[16]
R. Girshick, J. Donahue, T. Darrell, and J. Malik, Rich feature hierarchies for accurate object detection and semantic segmentation, in Proc. 2014 IEEE Conf. Computer Vision and Pattern Recognition, Columbus, OH, USA, 2014.
Crossref
[17]
S. Q. Ren, K. M. He, R. Girshick, and J. Sun, Faster R-CNN: Towards real-time object detection with region proposal networks, in Proc. 28th Int. Conf. Neural Information Processing Systems, Montreal, Canada, 2015.
[18]
J. Redmon, S. Divvala, R. Girshick, and A. Farhadi, You only look once: Unified, real-time object detection, in Proc. 2016 IEEE Conf. Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 2016.
Crossref
[19]
W. Liu, D. Anguelov, D. Erhan, C. Szegedy, S. Reed, C. Y. Fu, and A. C. Berg, SSD: Single shot multibox detector, in Proc. 14th European Conf. Computer Vision, Amsterdam, Netherlands, 2016.
Crossref
[20]
K. M. He, X. Y. Zhang, S. Q. Ren, and J. Sun, Delving deep into rectifiers: Surpassing human-level performance on ImageNet classification, in Proc. 2015 IEEE Int. Conf. Computer Vision, Santiago, Chile, 2015.
Crossref
[21]
J. Elson, J. R. Douceur, J. Howell, and J. Saul, Asirra: A CAPTCHA that exploits interest-aligned manual image categorization, in Proc. 14th ACM Conf. Computer and Communications Security, Alexandria, VA, USA, 2007.
[22]
D. Misra and K. Gaj, Face recognition CAPTCHAs, in Proc.  2006 Advanced Int.  Conf.  Telecommunications and Int. Conf. Internet and Web Applications and Services, Guadelope, French, 2006.
Crossref
[23]
J. Kim, J. Yang, and K. Wohn, AgeCAPTCHA: An image-based CAPTCHA that annotates images of human faces with their age groups, KSII Trans. Internet Inf. Syst., vol. 8, no. 3, pp. 1071-1092, 2014.
Crossref Google Scholar
[24]
E. Uzun, S. P. H. Chung, I. Essa, and W. Lee, rtCaptcha: A real-time CAPTCHA based liveness detection system, in Proc. 25th Annu. Network and Distributed System Security Symp., San Diego, CA, USA, 2018.
Crossref
[25]
D. Lorenzi, J. Vaidya, S. Sural, and V. Atluri, Web services based attacks against image CAPTCHAs, in Proc. 9th Int. Conf. Information Systems Security, Kolkata, India, 2013.
Crossref
[26]
Y. LeCun, B. Boser, J. S. Denker, D. Henderson, R. E. Howard, W. E. Hubbard, and L. D. Jackel, Backpropagation applied to handwritten zip code recognition, Neural Comput., vol. 1, no. 4, pp. 541-551, 1989.
Crossref Google Scholar
[27]
R. Girshick, Fast R-CNN, in Proc. 2015 IEEE Int. Conf. Computer Vision, Santiago, Chile, 2015.
Crossref
[28]
M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M. Voelker, and S. Savage, Re: CAPTCHAs: Understanding CAPTCHA-solving services in an economic context, in Proc. 19th USENIX Conf. Security, Washington, DC, USA, 2010.
[29]
Y. Shin, M. Gupta, and S. A. Myers, The nuts and bolts of a forum spam automator, in Proc. 4th USENIX Conf. Large-Scale Exploits and Emergent Threats, Boston, MA, USA, 2011.
[30]
J. Deng, W. Dong, R. Socher, L. J. Li, K. Li, and F. F. Li, ImageNet: A large-scale hierarchical image database, in Proc. 2009 IEEE Conf. Computer Vision and Pattern Recognition, Miami, FL, USA, 2009.
Crossref
[31]
I. J. Goodfellow, J. Shlens, and C. Szegedy, Explaining and harnessing adversarial examples, arXiv preprint arXiv: 1412.6572, 2014.
Google Scholar
[32]
X. J. Liao, S. Alrwais, K. Yuan, L. Y. Xing, X. F. Wang, S. Hao, and R. Beyah, Lurking malice in the cloud: Understanding and detecting cloud repository as a malicious service, in Proc. 2016 ACM SIGSAC Conf. Computer and Communications Security, Vienna, Austria, 2016.
Crossref
[33]
I. Polakis, P. Ilia, F. Maggi, M. Lancini, G. Kontaxis, S. Zanero, S. Ioannidis, and A. D. Keromytis, Faces in the distorting mirror: Revisiting photo-based social authentication, in Proc. 2014 ACM SIGSAC Conf. Computer and Communications Security, Scottsdale, AZ, USA, 2014.
Crossref
Big Data Mining and Analytics
Volume 2 Issue 2,
June 2019
Pages 118-144
DOI: 10.26599/BDMA.2019.9020001
Cite this article:
Weng H, Zhao B, Ji S, et al. Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services. Big Data Mining and Analytics, 2019, 2(2): 118-144. https://doi.org/10.26599/BDMA.2019.9020001
Metrics & Citations  
Article History
Copyright
Return