78313028-captcha (1)


  • 8/3/2019 78313028-captcha (1)

    1/28

    HUMAN OR SCRIPT?


• What Is Captcha?

• Why Captcha?

• Approaches To Captcha

• Applications Of Captchas

• Circumventing Captchas

• Which Captcha To Use?

• Deploying Captcha


• CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

• The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford (all of Carnegie Mellon University)

• Protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.


Web Deficiencies

Threats To Web

Web Spam

Motives Of Different Companies


• HTTP & SSL do not distinguish between human & machine users, and do not guarantee that the client software or user is benign.

• Malicious bots can be anonymous and distributed.


• Content Theft -- stealing paid data

• Copyright Infringement -- scraping content from one site to display on another, out of context

• Unwanted spidering -- search engines may ignore robots.txt or nofollow tags


• Web comments, discussions, guest books, Wikis, many public forms are open to spam messages.

• Bots collect email addresses on the Web.


• Google -- more links, higher ranking

• Profit -- ads for real product/service

• Phishing -- bait and switch for identity theft, financial theft.


• Text (ASCII/Unicode)

• Image

• Speech

• Animation

• 3-D

• Combinations of all above


• Change text to look-alike: SPAM is $P4M. Fools simplest text matching.

• Accented or non-English chars: Spm

• Chars to words: uce@ftc.gov --> uce at ftc dot gov

• URL/HTML entities: COPY becomes0 or %430P%59

• Better than nothing, but easy to crack


• Presents one-time-password as an image humans can read, but not scripts

• If image is too simple, OCR can crack; too complex, human cannot read.

• To beat OCR, vary position, warp, noise, background, colors, overlap, randomness, font, angles, language, methods used

• Show filtered photos as well as words

• Can deny accessibility to vision-impaired


Early CAPTCHAs such as these, generated by the EZ-Gimpy program, were used on Yahoo!. However, technology was developed to read this type of CAPTCHA.

A modern CAPTCHA, rather than attempting to create a distorted background and high levels of warping on the text, might focus on making segmentation difficult by adding an angled line.

Another way to make segmentation difficult is to crowd symbols together, as in Yahoo's current CAPTCHA format.


• Usually spells out one-time-password in synthesized or recorded voices.

• Voice recognition cracks simple case.

• Applied audio filters risk human misunderstanding.

• Used with image CAPTCHA for increased accessibility.

• If both use same OTP, easier to crack.


SPEECH CAPTCHA


• Renders OTP in 3D space to image

• Reputedly the most difficult to crack

• Server needs good graphics card to be practical (rare)

• Can be combined with other methods

• Not yet common (tEABAG_3D)

• Might see more in future


• Prevents Comment Spam in Blogs

• Protecting Website Registration

• Online Polls

• Preventing Dictionary Attacks

• Search Engine Bots

• Worms and Spam


• Insecure implementation

• Computer character recognition

• Human solvers


• Design flaws in a system implementation

• Bypassed without using OCR (using session ID)

• Small fixed pool of CAPTCHA images
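The three implementation flaws above are server-side mistakes, so the fix is server-side too. The following Python sketch is an added illustration, not code from this deck: it binds every challenge to one session, expires it, stores only a keyed hash of the answer, and consumes the challenge once solved or after too many wrong answers, so a token from one session cannot be replayed from another and there is no fixed answer pool. The in-memory store, `SERVER_KEY` and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-process store; a deployment would back this with the
# server-side session store and keep SERVER_KEY as a persistent secret.
SERVER_KEY = secrets.token_bytes(32)
CHALLENGE_TTL = 120   # seconds a challenge stays valid
MAX_ATTEMPTS = 3      # wrong answers tolerated per challenge
_challenges = {}      # challenge_id -> {session, answer_hash, expires, attempts}


def _hash_answer(challenge_id, answer):
    # Keep only a keyed hash so a leaked store does not reveal solutions.
    msg = f"{challenge_id}:{answer.strip().lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(session_id, now=time.time):
    """Create a fresh challenge bound to one session; returns (id, answer).
    The answer goes to the image renderer only, never to the client in clear.
    A random answer per challenge avoids the 'small fixed pool' flaw."""
    challenge_id = secrets.token_urlsafe(16)  # unguessable per-challenge id
    answer = secrets.token_hex(3)             # six hex chars, e.g. 'a3f09c'
    _challenges[challenge_id] = {
        "session": session_id,
        "answer_hash": _hash_answer(challenge_id, answer),
        "expires": now() + CHALLENGE_TTL,
        "attempts": 0,
    }
    return challenge_id, answer


def verify(session_id, challenge_id, answer, now=time.time):
    """Check an answer; the challenge is consumed on success, expiry,
    session mismatch, or after MAX_ATTEMPTS failures (single use)."""
    entry = _challenges.get(challenge_id)
    if entry is None:
        return False  # unknown, expired, or already solved: replay fails
    if entry["session"] != session_id or now() > entry["expires"]:
        del _challenges[challenge_id]
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["answer_hash"], _hash_answer(challenge_id, answer))
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _challenges[challenge_id]  # a solved token cannot be submitted again
    return ok
```

The `now` parameter exists only so expiry can be exercised deterministically; production code would leave it at the default.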


A number of research projects have attempted (often successfully) to beat visual CAPTCHAs by creating programs that contain the following functionality:

• Pre-processing: Removal of background clutter and noise.

• Segmentation: Splitting the image into regions which each contain a single character.

• Classification: Identifying the character in each region.


Involves relaying the puzzles to a group of human operators who can solve CAPTCHAs.


• Even simplest CAPTCHA can beat vast majority of scripts

• Even best CAPTCHA can be cracked by dedicated, sophisticated coders

• Weigh strength vs. cost (compute cycles, bandwidth, dollars)


• Install existing software (pro or free)

• Use remote CAPTCHA service

• Develop own CAPTCHA or customize open source scripts.


• Protect e-mail systems from worms, spam, other malware -- if sender not in address book or message is suspect, challenge sender with CAPTCHA.

• Prevent dictionary attacks in any password system (Pinkas & Sander)

• Used for protecting ebooks, e.g. reCAPTCHA.


    THANK YOU