Abstract
Simple, universally applicable strategies can help any captcha-protected system resist automated attacks and can improve the ability of administrators to detect attacks. The strategies discussed here cause an exponential increase in the difficulty faced by automated attackers, while only increasing the inconvenience for human users in an approximately linear manner. These strategies are characterised using a new metric, the 'Captcha Improvement Ratio'. The paper concludes that presenting multiple captcha systems together in random order may provide quantitative and qualitative advantages over many typical present-day captcha systems.
Highlights
Forms of attack: Whether a captcha is based on pictures, text, sound, or puzzle-solving, certain similarities can be seen in terms of how captchas are attacked by malicious users
This paper proposes the Captcha Improvement Ratio (CIR) of a given captcha-strengthening strategy: the approximate relative increase in average-case work a computer must perform in order to pass the modified captcha, divided by the approximate relative increase in average-case work a human must perform in order to pass the modified captcha
This paper has outlined methods and analysis showing that any captcha system may be improved by presenting multiple instances of different types of captcha challenges
Summary
Whether a captcha is based on pictures, text, sound, or puzzle-solving, certain similarities can be seen in terms of how captchas are attacked by malicious users.

Brute force attacks
If there is a somewhat limited range of possible answers — e.g., a numerical 4-digit captcha would have 10,000 possible answers — it is possible for a distributed group of automated agents to attack the captcha by exhaustively trying answers at random or according to a selected sequence. This differs from the 'trivial guessing attack', in that it relies upon having access to a large number of attacking agents — i.e., a 'botnet' (Websense Security Labs, 2008b; 2009) — rather than relying upon having access to a poorly designed captcha. The 'Question-Based captcha' (Shirali-Shahreza and Shirali-Shahreza, 2007b) presents a mathematical problem, which can be broken by an attacker who uses OCR to recognise the numerical digits mentioned in the puzzle, combined with a random guess of one of the few possible ways in which the numbers may be combined arithmetically.
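As an added illustration that is not part of the paper, the following Python model applies the CIR definition from the highlights to the brute-force case in the summary. It assumes (my simplification, not the paper's formula) that a captcha is characterised only by its answer-space size N and an average human solve time, and that stacked captchas must all be answered correctly in one submission.

```python
from fractions import Fraction
from math import prod

# Illustrative model, an assumption of this example rather than the paper's own formula:
# each captcha instance is described by the number of candidate answers an automated
# attacker has to search through (N) and the average time a human needs to solve it.


def expected_brute_force_guesses(answer_space: int) -> Fraction:
    """Average-case guesses for exhaustive guessing when the answer is uniform over N
    candidates: (N + 1) / 2. A 4-digit numeric captcha (N = 10,000) costs 5000.5."""
    return Fraction(answer_space + 1, 2)


def stacked_answer_space(answer_spaces) -> int:
    """Several captchas presented together and answered in one submission: the attacker
    has to guess every answer at once, so the candidate spaces multiply (exponential in
    the number of captchas), while human effort only adds up (linear)."""
    return prod(answer_spaces)


def captcha_improvement_ratio(base, modified) -> Fraction:
    """CIR as defined above: relative increase in average-case computer work divided by
    relative increase in average-case human work. Each argument is a pair
    (list of answer spaces, list of human solve times in seconds)."""
    base_spaces, base_times = base
    mod_spaces, mod_times = modified
    computer_ratio = (expected_brute_force_guesses(stacked_answer_space(mod_spaces))
                      / expected_brute_force_guesses(stacked_answer_space(base_spaces)))
    human_ratio = Fraction(sum(mod_times), sum(base_times))
    return computer_ratio / human_ratio


def cir_table(answer_space: int, human_seconds: int, max_copies: int):
    """CIR of presenting k copies of the same captcha type, for k = 1..max_copies,
    relative to the single captcha (constructed scenario, not data from the paper)."""
    base = ([answer_space], [human_seconds])
    return {k: captcha_improvement_ratio(base, ([answer_space] * k, [human_seconds] * k))
            for k in range(1, max_copies + 1)}


if __name__ == "__main__":
    # Constructed scenario: 4-digit numeric captcha, 10 s for a human.
    for k, cir in cir_table(10_000, 10, 4).items():
        print(f"{k} captcha(s) stacked: CIR = {float(cir):.4g}")
```

Mixing different captcha types is modelled the same way by passing their individual answer spaces and solve times; the random ordering the paper recommends is not captured by this model.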