CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham.
CAPTCHAs represent a security mechanism that is often seen as a necessary hassle by Web services providers — necessary because they seek to prevent Web resource abuse, yet a hassle because the representation of a CAPTCHA may not be easy to solve. Moreover, successful attacks have been developed against many existing CAPTCHA schemes.
Nitesh Saxena, Ph.D., associate professor of the Department of Computer and Information Sciences and information assurance pillar co-leader of the Center for Information Assurance and Joint Forensics Research, led a team that investigated the security and usability of the next generation of CAPTCHAs that are based on simple computer games.
The UAB researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a “ship parking” DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available “dock” location.
The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. Also, its gamelike nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs.
Saxena’s team set out to investigate the effectiveness of DCG CAPTCHAs. They first created dynamic cognitive game prototypes to represent a common type of DCG CAPTCHA, then developed a novel, fully automated attack framework to break these DCG challenges. The attack is based on computer vision techniques and can automatically solve new game challenges based on knowledge present in a “dictionary” built from past challenges.
“In traditional CAPTCHA systems, computers may have a hard time figuring out what the distorted characters are — but trained humans can do it in seconds,” Saxena said. “The trouble is that criminals have figured out that they can pay people — a penny or less per time — to sit in front of a screen and “solve’ CAPTCHAs to let them do what they want. This is known as a CAPTCHA relay attack.”
“Most existing varieties of CAPTCHAs are completely vulnerable to such relay attacks,” said Manar Mohamed, a UAB doctoral student and another co-author on the papers. “Our research shows that DCG CAPTCHAs appear to be one of the ﬁrst CAPTCHA schemes that enable reliable detection of relay attacks.”
By the time the solver provides the location of moving objects in the given challenge frame, the objects themselves would have moved to other places, which makes the provided information inaccurate. The Web robot attempting the breach could not pass the challenge due either to time out or to generating too many incorrect drag-and-drop operations, which would be recognized by the backend server as different from normal human behavior. As a result, the DCG CAPTCHAs can provide protection against relay attack to some extent.
The usability studies of these DCG CAPTCHAs conducted by the team indicate a more user-friendly and playful design direction compared to the conventional text-based CAPTCHAs.
The research team is now working toward re-designing DCG CAPTCHAs so that automated or semi-automated attacks can be made difficult while still retaining their inherent usability advantages and tolerance to relay attacks. The team has been working with companies such as Are You a Human which have been offering the first commercial instantiation of DCG CAPTCHAs.