Security and usability of cross-device captchas

Abstract

Captcha tests have been widely used to deter the misuse of services on the Internet. The most commonly used Captcha schemes are text-based. However, many Captcha schemes suffer from inadequacies in terms of aspects of security and usability, and indeed the balance between them. That is, many text-based Captcha schemes have been broken, which has motivated Captcha developers to use increasingly complex approaches to enhance the security of their new designs. However, this difficulty has reflected negatively on the usability of the Captcha scheme, as it was also hard for humans to solve the challenges. Consequently, such Captcha tests have become a key source of user frustration and abandonment of the use of the services that contain them. In addition, text-based Captcha tests, in their current forms, are unsuitable for use with touch screen devices. Although various alternatives have been recently proposed, they have either been broken, have not been widely deployed, or have not been well-examined in terms of security aspects. Accordingly, this thesis is mainly dedicated to balancing the security and usability of Captcha across different devices. For this, we first examined Captcha security from the perspective of security APIs, which to date has not been investigated. Interesting findings were obtained from this investigation, as well as a robust architecture being delineated for the design of a new Captcha Web service. An extensive analysis of Chinese Captcha schemes was also conducted to investigate the unproven hardness assumption with respect to the security provided by the recognition task of a large character set. Our findings showed that computers can recognize a distorted Chinese character perfectly well, which means that most existing Chinese Captcha schemes are insecure, and concluded also that the segmentation resistance principle is applicable to Chinese Captcha schemes, as in their Roman counterparts. This motivated us to build a new, more secure and usable Captcha technology that can be more practical and universally applicable across different devices. The new scheme is based on a new underlying AI-hard problem that greatly exacerbates the segmentation problem, resulting in improved security and robustness. Our usability studies show that the proposed scheme is easy for an average human to solve, as well as properly fitting the input and output capabilities of both ordinary computers and mobile devices. A RESTful Web service has been developed and deployed for the proposed approach.