Design and evaluation of 3D CAPTCHAs

Abstract

Most current 2D CAPTCHAs are vulnerable to automated character recognition attacks and the latest attacks can successfully break the 2D text CAPTCHAs at a rate of more than 90%. In this work, we present two novel 3D CAPTCHAs, which are more secure than current 2D text CAPTCHAs against automated character recognition attacks. Our approach is to display CAPTCHA characters on 3D objects. We exploit the difficulty that machines have in rotating 3D objects to find the correct viewpoint and in further recognizing characters in 3D, while we believe humans can easily perform these tasks. Using an offline automated character recognition attack, we find that 82% of new text reCAPTCHAs are broken, while approximately 60% of our 3D CAPTCHAs are broken and only if characters are focused on and zoomed in from a direct viewpoint. When CAPTCHAs are presented in slightly different views, the attack success rate is rapidly diminished to 0%. In addition, we use commercial Deep Neural Networks-based text and object detection classifiers to attack our systems, and demonstrate that our approach is extremely difficult to break with these classifiers, even if CAPTCHA characters are presented in direct, 2D view. With emulated relay attacks, fewer than 16% of our CAPTCHAs are accurately solved by human solvers, while more than 90% of current 2D text-based CAPTCHAs are solved. Also, we performed an IRB-approved user study to evaluate the usability of our approach. Participants agreed that our approach was usable in spite of the extra time required for 3D model rotation.