Better than CAPTCHA: Improved method to let computers know you are human

Researchers are investigating game-based verification that may improve computer security and reduce user frustration compared to typical “type-what-you-see” CAPTCHA tools that use static images.

CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. CAPTCHAs represent a security mechanism that is often seen as a necessary hassle by Web services providers -- necessary because they seek to prevent Web resource abuse, yet a hassle because the representation of a CAPTCHA may not be easy to solve. Moreover, successful attacks have been developed against many existing CAPTCHA schemes.

A team of researchers investigated the security and usability of the next generation of CAPTCHAs that are based on simple computer games. The researchers focused on a broad form of game-like CAPTCHAs, called dynamic cognitive game (DCG) CAPTCHAs, which challenge the user to perform a game-like cognitive task by interacting with a series of dynamic images. For example, in a ship parking DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available dock location. The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. Also, its game-like nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs.

The team set out to investigate the effectiveness of DCG CAPTCHAs. They first created dynamic cognitive game prototypes to represent a common type of DCG CAPTCHA, and then developed a novel, fully automated attack framework to break these DCG challenges. The attack is based on computer vision techniques and can automatically solve new game challenges based on knowledge present in a dictionary built from past challenges.
In traditional CAPTCHA systems, computers may have a hard time figuring out what the distorted characters are -- but trained humans can do it in seconds. The trouble is that criminals have figured out that they can pay people -- a penny or less per time -- to sit in front of a screen and solve CAPTCHAs to let them do what they want. This is known as a CAPTCHA relay attack.

This research shows that DCG CAPTCHAs appear to be one of the first CAPTCHA schemes that enable reliable detection of relay attacks. By the time the solver provides the location of moving objects in the given challenge frame, the objects themselves would have moved to other places, which makes the provided information inaccurate. The Web robot attempting the breach could not pass the challenge, either because it times out or because it generates too many incorrect drag-and-drop operations, which would be recognized by the backend server as different from normal human behavior. As a result, the DCG CAPTCHAs can provide protection against relay attacks to some extent.

The usability studies of these DCG CAPTCHAs conducted by the team indicate a more user-friendly and playful design direction compared to the conventional text-based CAPTCHAs. The research team is now working toward re-designing DCG CAPTCHAs so that automated or semi-automated attacks can be made difficult while still retaining their inherent usability advantages and tolerance to relay attacks. The team has been working with companies such as Are You a Human, which has been offering the first commercial instantiation of DCG CAPTCHAs.
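The backend check described above (time out, or too many incorrect drag-and-drop operations against objects that have since moved) can be sketched as follows. This is an added example, not the researchers' or any vendor's code; the trajectory model, thresholds and all function names are assumptions chosen for illustration.

```python
"""Server-side scoring of a DCG CAPTCHA session (illustrative sketch)."""
from dataclasses import dataclass

WIDTH, HEIGHT = 400, 300   # play area in pixels (assumed)
HIT_RADIUS = 25            # max distance between grab point and target (assumed)
MAX_BAD_DROPS = 2          # incorrect drag-and-drops tolerated (assumed)
TIME_LIMIT = 30.0          # seconds before the challenge times out (assumed)

def bounce(p, limit):
    """Fold an unbounded coordinate into [0, limit], reflecting at the walls."""
    p %= 2 * limit
    return p if p <= limit else 2 * limit - p

@dataclass(frozen=True)
class Target:
    x0: float
    y0: float
    vx: float   # pixels per second
    vy: float

    def position(self, t):
        """Where the server knows the target to be at server time t."""
        return (bounce(self.x0 + self.vx * t, WIDTH),
                bounce(self.y0 + self.vy * t, HEIGHT))

def score_session(target, grabs):
    """grabs: (server_receive_time, x, y) tuples for each drag attempt.
    Returns 'pass', 'too_many_misses' or 'timeout'."""
    bad = 0
    for t, x, y in sorted(grabs):
        if t > TIME_LIMIT:
            return "timeout"
        tx, ty = target.position(t)
        if (x - tx) ** 2 + (y - ty) ** 2 <= HIT_RADIUS ** 2:
            return "pass"
        bad += 1                      # grabbed where the object used to be
        if bad > MAX_BAD_DROPS:
            return "too_many_misses"
    return "timeout"                  # never grabbed the target at all

def simulate_client(target, attempt_times, latency):
    """Constructed input: a client acting on a frame `latency` seconds old
    (about 0.15 s for a local human, several seconds for a relayed solver)."""
    return [(t, *target.position(t - latency)) for t in attempt_times]

if __name__ == "__main__":
    boat = Target(x0=50, y0=40, vx=60, vy=45)
    print(score_session(boat, simulate_client(boat, [4.0], 0.15)))
    print(score_session(boat, simulate_client(boat, [4.0, 8.0, 12.0], 3.0)))
```

The same stale-coordinate arithmetic shows the limits of the defence: a slower target or a larger hit radius shrinks the gap between a local user and a relayed one.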
Posted on: Fri, 29 Aug 2014 07:05:19 +0000
