Where do captchas fail: a study in common pitfalls in captcha design and how to avoid them
Authors: Hernández Castro, Carlos Javier
Identifiers: Permanent link (URI): http://hdl.handle.net/10017/42108
Affiliation: Universidad de Alcalá. Departamento de Teoría de la Señal y Comunicaciones; Universidad de Alcalá. Programa de Doctorado en Tecnologías de la Información y las Comunicaciones
License: Attribution-NonCommercial-NoDerivatives 4.0 International
Today, much of the interaction between clients and providers has moved to the Internet. Some tricksters, con artists and charlatans have also learned to benefit from this new situation, and new, improved cons, tricks and deceptions can be found online. Many of these deceptions are only profitable if they are carried out at large scale, and achieving that number of interactions requires automation. CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart), also called HIPs (Human Interaction Proofs), are a relatively new security mechanism against automated attacks: they try to detect whether the other end of the interaction is a human or a computer program (a bot). Since their origins, most proposals have been based on the seminal idea of using problems thought to be hard for AI/ML but easy for humans. As of today, all the CAPTCHA schemes studied have failed, and CAPTCHA design is still in its initial conception. The stream of successful attacks on them is a hint that CAPTCHAs are now as weak as the first ciphers were. Yet ciphers were improved after successive successful cryptanalyses, and we consider that, similarly, new security studies of novel, original CAPTCHAs will advance the corpus of knowledge in the field as well as awareness of CAPTCHA security. This dissertation focuses on the design of CAPTCHAs. Its first goal is to understand whether there are currently CAPTCHAs that can be considered secure; to do so, it analyses new, original CAPTCHA proposals. Its second goal is to find a way to assess a basic level of security for new CAPTCHA designs; to do so, it studies the results of previous security analyses, looking for common weaknesses. Based on those weaknesses, it proposes a guideline or framework that specifies mechanisms to avoid some of these design pitfalls. This can be the starting point for a high-level methodology for the design of new CAPTCHAs.
Ultimately, the goal of this research is to build a semi-automatic framework for the analysis of the security of new CAPTCHAs.