Security Analysis and Related Usability of Motion-Based CAPTCHAs: Decoding Codewords in Motion
We explore the robustness and usability of moving-image object recognition (video) captchas, designing and implementing automated attacks based on computer vision techniques. Our approach is suitable for broad classes of moving-image captchas involving rigid objects. We first present an attack that defeats instances of such a captcha (NuCaptcha) representing the state-of-the-art, involving dynamic text strings called codewords. We then consider design modifications to mitigate the attacks (e.g., overlapping characters more closely, randomly changing the font of individual characters, or even randomly varying the number of characters in the codeword). We implement the modified captchas and test if designs modified for greater robustness maintain usability. Our lab-based studies show that the modified captchas fail to offer viable usability, even when the captcha strength is reduced below acceptable targets. Worse yet, our GPU-based implementation shows that our automated approach can decode these captchas faster than humans can, and we can do so at a relatively low cost of roughly 50 cents per 1,000 captchas solved based on Amazon EC2 rates circa 2012. To further demonstrate the challenges in designing usable captchas, we also implement and test another variant of moving text strings using the known emerging images concept. This variant is resilient to our attacks and also offers similar usability to commercially available approaches. We explain why fundamental elements of the emerging images idea resist our current attack where others fail.
Keywords: CAPTCHAs, computer vision, security, usability
Journal: IEEE Transactions on Dependable and Secure Computing
Xu, Y. (Yi), Reynaga, G. (Gerardo), Chiasson, S. (Sonia), Frahm, J.-M. (Jan-Michael), Monrose, F. (Fabian), & Van Oorschot, P. (2014). Security Analysis and Related Usability of Motion-Based CAPTCHAs: Decoding Codewords in Motion. IEEE Transactions on Dependable and Secure Computing, 11(5), 480–493. doi:10.1109/TDSC.2013.52