SLIDE 1

Text-based captchas: strengths and weaknesses

Elie Bursztein, Matthieu Martin, John Mitchell
Stanford University

SLIDE 2

Elie Bursztein, Matthieu Martin, John C. Mitchell. Text-based CAPTCHAs: strengths and weaknesses. http://ly.tl/p22

About this Research

  • Presenter: Elie Bursztein (http://elie.im)
  • Conference: ACM CCS 2011
  • Slides and paper freely available from http://ly.tl/p22
  • Follow me for more security research
  • Twitter @elie
  • Google+
  • Facebook

SLIDE 3

SLIDE 4

SLIDE 5

SLIDE 6

SLIDE 7

Funny Captchas

SLIDE 8

Funny Captchas

SLIDE 9

Funny Captchas

SLIDE 10

Funny Captchas

SLIDE 11

Funny Captchas

SLIDE 12

The world's most popular captchas

[eBay] [Baidu] [Captcha.net] [NIH] [Wikipedia] [Digg] [Blizzard] [Google] [Skyrock] [Recaptcha] [Authorize] [CNN] [Megaupload] [Reddit] [Slashdot]

SLIDE 13

Focus of this talk

How to break text captchas and design secure ones

SLIDE 14

Based on the break of 13 of the most popular schemes

SLIDE 15

Outline

SLIDE 16

Outline

  • How to break text captchas?

SLIDE 17

Outline

  • How to break text captchas?
  • Evaluating the security of anti-recognition techniques

SLIDE 18

Outline

  • How to break text captchas?
  • Evaluating the security of anti-recognition techniques
  • Attacking anti-segmentation techniques

SLIDE 19

Outline

  • How to break text captchas?
  • Evaluating the security of anti-recognition techniques
  • Attacking anti-segmentation techniques
  • Real-world captcha security summary

SLIDE 20

Outline

  • How to break text captchas?
  • Evaluating the security of anti-recognition techniques
  • Attacking anti-segmentation techniques
  • Real-world captcha security summary
  • Decaptcha (our breaker) demo

SLIDE 21

Outline

  • How to break text captchas?
  • Evaluating the security of anti-recognition techniques
  • Attacking anti-segmentation techniques
  • Real-world captcha security summary
  • Decaptcha (our breaker) demo
  • Lessons learned

SLIDE 22

Breaking captcha

Divide and Conquer approach

SLIDE 23

How to break captchas?

Slashdot captcha

SLIDE 24

How to break captchas?

Preprocessing

Slashdot captcha

SLIDE 25

How to break captchas?

Preprocessing

Slashdot captcha

SLIDE 26

How to break captchas?

Preprocessing → Segmentation

Slashdot captcha

SLIDE 27

How to break captchas?

Preprocessing → Segmentation

Slashdot captcha

SLIDE 28

How to break captchas?

Preprocessing → Segmentation → Post-segmentation

Slashdot captcha

SLIDE 29

How to break captchas?

Preprocessing → Segmentation → Post-segmentation

Slashdot captcha

SLIDE 30

How to break captchas?

Preprocessing → Segmentation → Post-segmentation → Recognition

Slashdot captcha

SLIDE 31

How to break captchas?

Preprocessing → Segmentation → Post-segmentation → Recognition

f a e t e s t

Slashdot captcha

SLIDE 32

How to break captchas?

Preprocessing → Segmentation → Post-segmentation → Recognition → Post-recognition

f a e t e s t

Slashdot captcha

SLIDE 33

How to break captchas?

Preprocessing → Segmentation → Post-segmentation → Recognition → Post-recognition

f a e t e s t → f a s t e s t

Slashdot captcha

SLIDE 34

Anti-recognition techniques

SLIDE 35

Anti-recognition techniques

SLIDE 36

Anti-recognition techniques

  • Blurring

SLIDE 37

Anti-recognition techniques

  • Blurring
  • Distortion

SLIDE 38

Anti-recognition techniques

  • Blurring
  • Distortion
  • Rotation

SLIDE 39

Anti-recognition techniques

  • Blurring
  • Distortion
  • Rotation
  • Fonts

SLIDE 40

Anti-recognition techniques

  • Blurring
  • Distortion
  • Rotation
  • Fonts
  • Charsets

SLIDE 41

SVM learning rate

[Figure: % success (0% to 100%) versus training set size (10, 20, 50, 100, 200, 500). Series: 09, AZ09, azAZ09, Distortion, 3 fonts, 5 fonts, Angles]

SLIDE 42

KNN learning rate

[Figure: % success (0% to 100%) versus training set size (10, 20, 50, 100, 200, 500). Series: 09, AZ09, azAZ09, Distortion, 3 fonts, 5 fonts, Angles]

SLIDE 43

Anti-segmentation techniques

SLIDE 44

Anti-recognition taxonomy

SLIDE 45

Anti-recognition taxonomy

Background Confusion Background confusion

SLIDE 46

Anti-recognition taxonomy

Background Confusion Background confusion

SLIDE 47

Anti-recognition taxonomy

Background Confusion Background confusion

SLIDE 48

Anti-recognition taxonomy

Background Confusion Background confusion

SLIDE 49

Anti-recognition taxonomy

Background Confusion Lines Background confusion

SLIDE 50

Anti-recognition taxonomy

Background Confusion Lines Background confusion

SLIDE 51

Anti-recognition taxonomy

Background Confusion Lines Background confusion

SLIDE 52

Anti-recognition taxonomy

Background Confusion Lines Background confusion

SLIDE 53

Anti-recognition taxonomy

Background Confusion Lines Collapsing Background confusion

SLIDE 54

Anti-recognition taxonomy

Background Confusion Lines Collapsing Background confusion

SLIDE 55

Anti-recognition taxonomy

Background Confusion Lines Collapsing Background confusion

SLIDE 56

Anti-recognition taxonomy

Background Confusion Lines Collapsing Background confusion

SLIDE 57

Breaking World of Warcraft

SLIDE 58

Breaking World of Warcraft

SLIDE 59

Breaking World of Warcraft

SLIDE 60

Breaking World of Warcraft

SLIDE 61

Breaking World of Warcraft

SLIDE 62

Breaking Captcha.net

SLIDE 63

Breaking Captcha.net

SLIDE 64

Breaking Captcha.net

SLIDE 65

Breaking Captcha.net

SLIDE 66

Breaking Captcha.net

SLIDE 67

Breaking Wikipedia

SLIDE 68

Breaking Wikipedia

SLIDE 69

Breaking Wikipedia

SLIDE 70

Breaking Wikipedia

SLIDE 71

Breaking Wikipedia

SLIDE 72

Breaking Digg

SLIDE 73

Breaking Digg

SLIDE 74

Breaking Digg

SLIDE 75

Breaking Digg

SLIDE 76

Breaking Digg

SLIDE 77

Breaking Slashdot

SLIDE 78

Breaking Slashdot

SLIDE 79

Breaking Slashdot

SLIDE 80

Breaking Slashdot

SLIDE 81

Breaking Slashdot

SLIDE 82

Breaking eBay

SLIDE 83

Breaking eBay

SLIDE 84

Breaking eBay

SLIDE 85

Breaking eBay

SLIDE 86

Breaking eBay

SLIDE 87

Failing to break eBay

SLIDE 88

Failing to break eBay

SLIDE 89

Failing to break eBay

SLIDE 90

Failing to break eBay

SLIDE 91

Failing to break eBay

SLIDE 92

Breaking Baidu

SLIDE 93

Breaking Baidu

SLIDE 94

Breaking Baidu

SLIDE 95

Breaking Baidu

SLIDE 96

Breaking Baidu

SLIDE 97

Breaking Baidu

SLIDE 98

Real-world captchas security summary

SLIDE 99

Overall results

Scheme         Segmentation rate   Solving rate
Authorize      84%                 66%
Baidu          98%                 5%
Blizzard       75%                 70%
Captcha.net    96%                 73%
CNN            50%                 16%
Digg           86%                 20%
eBay           95%                 43%
Google         0%                  0%
MegaUpload     n/a                 93%
NIH            87%                 72%
Recaptcha      0%                  0%
Reddit         71%                 42%
Skyrock        30%                 2%
Slashdot       52%                 35%
Wikipedia      57%                 25%

SLIDE 100

Learning rate for real schemes

[Figure: % success (0% to 90%) versus training set size (10, 20, 50, 100, 200, 500). Series: Authorize, Baidu, Blizzard, Captcha.net, CNN, Digg, eBay, Megaupload, NIH, Reddit, Skyrock, Slashdot, Wikipedia]

SLIDE 101

Lessons learned

SLIDE 102

Building a breaker guidelines

  • Immediate visual feedback
  • Visual debugging
  • Algorithm independence
  • Exposing algorithm parameters

SLIDE 103

Decaptcha main interface

SLIDE 104

Demo time

SLIDE 105

Core principles

  • Randomize the length
  • Randomize the character size
  • Wave the captcha

SLIDE 106

Anti-recognition principles

  • Use anti-recognition as a means of strengthening captcha security
  • Don’t use a complex charset
  • Bad for humans (see our research on this)
  • Useless for security

SLIDE 107

The Robustness of Google Captchas

  • New heuristic to break the easy version of Google / Recaptcha
  • Published online in May 2011
  • Uses letter shapes as a side channel
  • Conclusion: reduce your charset (not t or s...)

The Robustness of Google CAPTCHAs
Ahmad S El Ahmad, Jeff Yan, Mohamad Tayara

SLIDE 108

Anti-segmentation principles

  • Use collapsing or lines
  • Be careful in the implementation
  • Create alternative schemes

SLIDE 109

Future

  • Generic breaker for weak captchas
  • Use higher-order features to remove lines
  • Breaking collapsed captchas

SLIDE 110

Captcha research: http://elie.im/tag/captcha
Follow me on Twitter: @elie

Questions?