3 research outputs found

    Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis

    Human Interactive Proofs (HIPs or CAPTCHAs) have become a first-level security measure on the Internet to avoid automatic attacks or minimize their effects. All the most widespread, successful or interesting CAPTCHA designs put to scrutiny have been successfully broken. Many of these attacks have been side-channel attacks. New designs are proposed to tackle these security problems while improving the human interface. FunCAPTCHA is the first commercial implementation of a gender classification CAPTCHA, with reported improvements in conversion rates. This article finds weaknesses in the security of FunCAPTCHA and uses simple machine learning (ML) analysis to test them. It shows a side-channel attack that leverages these flaws and successfully solves FunCAPTCHA on 90% of occasions without using meaningful image analysis. This simple yet effective security analysis can be applied with minor modifications to other HIP proposals, making it possible to check whether they leak enough information to allow simple side-channel attacks.

    Human-artificial intelligence approaches for secure analysis in CAPTCHA codes

    CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has long been used to keep automated bots from misusing web services by leveraging human-artificial intelligence (HAI) interactions to distinguish whether the user is a human or a computer program. Various CAPTCHA schemes have been proposed over the years, principally to increase usability and security against emerging bots and hackers performing malicious operations. However, automated attacks have effectively cracked all common conventional schemes, and the majority of present CAPTCHA methods are also vulnerable to human-assisted relay attacks. Invisible reCAPTCHA and some approaches have not yet been cracked. However, with the introduction of fourth-generation bots accurately mimicking human behavior, a secure CAPTCHA could hardly be designed without additional special devices. Almost all cognitive-based CAPTCHAs with sensor support have not yet been compromised by automated attacks. However, they are still compromised by human-assisted relay attacks due to having a limited number of challenges, and they can only be solved using trusted devices. Obviously, cognitive-based CAPTCHA schemes have an advantage over other schemes in the race against security attacks. In this study, as a strong starting point for creating future secure and usable CAPTCHA schemes, we have offered an overview analysis of HAI between computer users and computers under the security aspects of open problems, difficulties, and opportunities of current CAPTCHA schemes. Web of Science 2022 1 art. no.

    CAPTCHAS: debilidades y fortalezas (CAPTCHAs: weaknesses and strengths)

    This work addresses CAPTCHAs, that is, the tests that usually appear when we want to register on a page, take a survey, download some kind of file, etc. Their function is to tell whether one is dealing with a human being or a machine and, in this way, to prevent a robot from performing these kinds of actions on the web. CAPTCHA tests are based on open problems in Artificial Intelligence. These tests are therefore also tied to the field of AI, which leads to research and work on their security. Today, CAPTCHAs are not 100% reliable as a security test: despite attempts to create one that truly proves one is dealing with a human being and not a machine, such a “perfect” CAPTCHA has not been found. There are numerous tools capable of bypassing, in a matter of minutes, the tests considered most current and developed. CAPTCHAs are becoming increasingly “complicated”, that is, they are not easy for an ordinary user to see and solve at a glance. This is done so that they are also harder for a machine to solve, but in reality it is ineffective most of the time. This study reviews the different CAPTCHAs that exist today, with their main strengths and weaknesses, from very simple examples, such as entering a given character string, to the most complicated ones, for both users and machines, which consist of solving a mathematical formula or a puzzle. We will also look at some of the main anti-CAPTCHA tools, and new CAPTCHA ideas will be created and discussed that would be, as of today, very secure against these tools that try to break them. Ingeniería Informátic