Evaluating the security of CAPTCHAs utilized on Bangladeshi websites

Abstract

A number of attacks such as spamming, email-address harvesting, dictionary attacks, brute-force attacks, credential surfing attacks, DOS attacks and others can be executed relatively easily if the target system cannot differentiate between requests coming from a real human user and those generated artificially by bots. In order to distinguish between human users and bots, the Completely Automatic Public Turing Test (CAPTCHA) has been used for almost 20 years. Nevertheless, CAPTCHA can be easily broken if it lacks security features. Consequently, the motivation for utilizing CAPTCHA is undermined. This article proposes a framework that can evaluate the security aspects of text CAPTCHAs. The effectiveness of the framework is validated by using a generalized attack method consisting of pre-processing and utilizing an Optical Character Recognition (OCR) library such as Tesseract OCR. We have carried out a systematic study of existing CAPTCHAs utilized on Bangladeshi websites. We have studied 238 Bangladeshi websites and found that only 44 websites used a CAPTCHA mechanism. Then, we have assessed the security levels of the selected text CAPTCHAs by the proposed framework. As per our analysis, we have found that there are 29 different CAPTCHA schemes being adopted on Bangladeshi websites and among them 23 are vulnerable to automated attacks. In order to address these issues, we also present a number of recommendations.