Towards Understanding the Security of Modern Image Captchas and Underground Captcha-Solving Services

Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we...

Bibliographic Details
Main Authors: Haiqin Weng, Binbin Zhao, Shouling Ji, Jianhai Chen, Ting Wang, Qinming He, Raheem Beyah
Format: Article
Language: English
Published: Tsinghua University Press 2019-06-01
Series: Big Data Mining and Analytics
Online Access: https://www.sciopen.com/article/10.26599/BDMA.2019.9020001
Description: Image captchas have recently become very popular and are widely deployed across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision have gradually diminished the security of image captchas and made them vulnerable to attack. In this paper, we first classify the currently popular image captchas into three categories: selection-based captchas, slide-based captchas, and click-based captchas. Second, we propose simple yet powerful attack frameworks against each of these categories of image captchas. Third, we systematically evaluate our attack frameworks against 10 popular real-world image captchas, including captchas from tencent.com, google.com, and 12306.cn. Fourth, we compare our attacks against nine online image recognition services and against human labors from eight underground captcha-solving services. Our evaluation results show that (1) each of the popular image captchas that we study is vulnerable to our attacks; (2) our attacks yield the highest captcha-breaking success rate compared with state-of-the-art methods in almost all scenarios; and (3) our attacks achieve almost as high a success rate as human labor while being much faster. Based on our evaluation, we identify some design flaws in these popular schemes, along with some best practices and design principles for more secure captchas. We also examine the underground market for captcha-solving services, identifying 152 such services. We then seek to measure this underground market with data from these services. Our findings shed light on understanding the scale, impact, and commercial landscape of the underground market for captcha solving.
ISSN: 2096-0654
Citation: Big Data Mining and Analytics, vol. 2, no. 2, pp. 118-144, 2019-06-01. DOI: 10.26599/BDMA.2019.9020001
Author Affiliations:
Haiqin Weng, Binbin Zhao, Shouling Ji, Jianhai Chen, Qinming He: College of Computer Science and Technology, Zhejiang University, Hangzhou 310058, China
Ting Wang: Department of Computer Science and Engineering, Lehigh University, Bethlehem, PA 19019, USA
Raheem Beyah: School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA 30302, USA
Keywords: image captchas; captcha security; captcha-solving service; underground market