Towards evaluating the security of real-world deployed image captchas

Binbin Zhao, Haiqin Weng, Shouling Ji, Jianhai Chen, Ting Wang, Qinming He, Raheem Beyah

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Nowadays, image captchas are being widely used across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision techniques are gradually diminishing the security of image captchas; yet, little is known thus far about the vulnerability of image captchas deployed in real-world settings. In this paper, we conduct the first systematic study on the security of image captchas in the wild. We classify the currently popular image captchas into three categories: selection-, slide- and click-based captchas. We propose three effective and generic attacks, each against one of these categories. We evaluate our attacks against 10 real-world popular image captchas, including those from tencent.com, google.com, and 12306.cn. Furthermore, we compare our attacks with 9 online image recognition services and human labors from 8 underground captcha-solving services. Our studies show that: (1) all of those popular image captchas are vulnerable to our attacks; (2) our attacks significantly outperform the state-of-the-arts in almost all the scenarios; and (3) our attacks achieve effectiveness comparable to human labors but with much higher efficiency. Based on our evaluation, we identify the design flaws of those popular schemes, the best practices, and the design principles towards more secure captchas. We believe our findings shed light on facilitating the ecosystem of image captchas.

Original language: English (US)
Title of host publication: AISec 2018 - Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2018
Publisher: Association for Computing Machinery
Pages: 85-96
Number of pages: 12
ISBN (Electronic): 9781450360043
DOIs: https://doi.org/10.1145/3270101.3270104
State: Published - Oct 15 2018
Event: 11th ACM Workshop on Artificial Intelligence and Security, AISec 2018, co-located with CCS 2018 - Toronto, Canada
Duration: Oct 19 2018 → …

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Conference

Conference: 11th ACM Workshop on Artificial Intelligence and Security, AISec 2018, co-located with CCS 2018
Country: Canada
City: Toronto
Period: 10/19/18 → …

Fingerprint

Personnel
Image recognition
Ecosystems
Computer vision
Internet
Defects

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Zhao, B., Weng, H., Ji, S., Chen, J., Wang, T., He, Q., & Beyah, R. (2018). Towards evaluating the security of real-world deployed image captchas. In AISec 2018 - Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2018 (pp. 85-96). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3270101.3270104
@inproceedings{b29fcb1d66be48d398a056405ca43ce6,
title = "Towards evaluating the security of real-world deployed image captchas",
abstract = "Nowadays, image captchas are being widely used across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision techniques are gradually diminishing the security of image captchas; yet, little is known thus far about the vulnerability of image captchas deployed in real-world settings. In this paper, we conduct the first systematic study on the security of image captchas in the wild. We classify the currently popular image captchas into three categories: selection-, slide- and click-based captchas. We propose three effective and generic attacks, each against one of these categories. We evaluate our attacks against 10 real-world popular image captchas, including those from tencent.com, google.com, and 12306.cn. Furthermore, we compare our attacks with 9 online image recognition services and human labors from 8 underground captcha-solving services. Our studies show that: (1) all of those popular image captchas are vulnerable to our attacks; (2) our attacks significantly outperform the state-of-the-arts in almost all the scenarios; and (3) our attacks achieve effectiveness comparable to human labors but with much higher efficiency. Based on our evaluation, we identify the design flaws of those popular schemes, the best practices, and the design principles towards more secure captchas. We believe our findings shed light on facilitating the ecosystem of image captchas.",
author = "Binbin Zhao and Haiqin Weng and Shouling Ji and Jianhai Chen and Ting Wang and Qinming He and Raheem Beyah",
year = "2018",
month = "10",
day = "15",
doi = "10.1145/3270101.3270104",
language = "English (US)",
series = "Proceedings of the ACM Conference on Computer and Communications Security",
publisher = "Association for Computing Machinery",
pages = "85--96",
booktitle = "AISec 2018 - Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2018",

}

TY - GEN

T1 - Towards evaluating the security of real-world deployed image captchas

AU - Zhao, Binbin

AU - Weng, Haiqin

AU - Ji, Shouling

AU - Chen, Jianhai

AU - Wang, Ting

AU - He, Qinming

AU - Beyah, Raheem

PY - 2018/10/15

Y1 - 2018/10/15

AB - Nowadays, image captchas are being widely used across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision techniques are gradually diminishing the security of image captchas; yet, little is known thus far about the vulnerability of image captchas deployed in real-world settings. In this paper, we conduct the first systematic study on the security of image captchas in the wild. We classify the currently popular image captchas into three categories: selection-, slide- and click-based captchas. We propose three effective and generic attacks, each against one of these categories. We evaluate our attacks against 10 real-world popular image captchas, including those from tencent.com, google.com, and 12306.cn. Furthermore, we compare our attacks with 9 online image recognition services and human labors from 8 underground captcha-solving services. Our studies show that: (1) all of those popular image captchas are vulnerable to our attacks; (2) our attacks significantly outperform the state-of-the-arts in almost all the scenarios; and (3) our attacks achieve effectiveness comparable to human labors but with much higher efficiency. Based on our evaluation, we identify the design flaws of those popular schemes, the best practices, and the design principles towards more secure captchas. We believe our findings shed light on facilitating the ecosystem of image captchas.

UR - http://www.scopus.com/inward/record.url?scp=85056743337&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85056743337&partnerID=8YFLogxK

U2 - 10.1145/3270101.3270104

DO - 10.1145/3270101.3270104

M3 - Conference contribution

AN - SCOPUS:85056743337

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 85

EP - 96

BT - AISec 2018 - Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2018

PB - Association for Computing Machinery

ER -
