What Is It?

CAPTCHA was made to tell whether a human or a robot is on the other end of the form. It works because it is currently difficult to launch an attack against an image, as the image has to be parsed first. It is a good example of a challenge-response test.

Threats

Segmentation Attack: the ability to segment the words in a CAPTCHA and then guess them.
Pre-processing: up-sampling, black-and-white conversion, and then thinning
Pattern-Based Detection: dot shapes, loop shapes, and cross shapes as they pertain to the alphabet
Character Segmentation: splitting the characters apart
Anything can be broken with the right amount of focus. CAPTCHA, as complicated as it is for AIs to brute force, can be brute forced by intelligently written software that performs advanced attacks. In short: always be vigilant.

Counters

CCT (Crowding Characters Together): crowding the characters together makes it harder for the computer to guess
Global Warping: warps the entire image to make it harder to read. The thickness of the characters varies.
Random Text Strings: this makes it harder for the attacking software to guess.
Multiple Font Types: the attacking software will need to parse more fonts.
In summary, a good CAPTCHA system should:
  1. Avoid exploitable invariants: check to make sure the randomized words are actually random
  2. Be segmentation resistant: prevent any AI from separating the characters
  3. Disable machine learning attacks: so that machines can't keep learning
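As an added example (not from the original post or the cited paper), here is a defender's self-check for the CCT counter and the "segmentation resistant" requirement: a binarised image is split into connected components, which stands in for the naive character-segmentation step, and the check passes only when crowding has merged the glyphs so that fewer components than characters come out. The glyph bitmaps and the gap values are constructed toy inputs.

```python
# Added example, not code from the original post. Toy glyphs ('#' = ink, '.' = blank)
# are placed side by side with a configurable gap; a negative gap overlaps them,
# i.e. crowds the characters together as the CCT counter does.
from collections import deque

GLYPH_L = ["#...", "#...", "#...", "#...", "####"]   # constructed 5x4 "L"
GLYPH_J = ["...#", "...#", "...#", "#..#", ".###"]   # constructed 5x4 "J"

def render(glyphs, gap):
    """Compose glyph bitmaps left to right; gap < 0 makes neighbours overlap."""
    height = len(glyphs[0])
    width = sum(len(g[0]) for g in glyphs) + gap * (len(glyphs) - 1)
    canvas = [["."] * width for _ in range(height)]
    x = 0
    for g in glyphs:
        for r, row in enumerate(g):
            for c, px in enumerate(row):
                if px == "#":
                    canvas[r][x + c] = "#"      # OR the ink onto the canvas
        x += len(g[0]) + gap
    return ["".join(row) for row in canvas]

def connected_components(bitmap):
    """Count 8-connected ink regions: the simplest way to pull characters apart."""
    rows, cols = len(bitmap), len(bitmap[0])
    seen, count = set(), 0
    for r in range(rows):
        for c in range(cols):
            if bitmap[r][c] != "#" or (r, c) in seen:
                continue
            count += 1
            queue = deque([(r, c)])
            seen.add((r, c))
            while queue:                        # flood fill this region
                y, x = queue.popleft()
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        ny, nx = y + dy, x + dx
                        if (0 <= ny < rows and 0 <= nx < cols
                                and bitmap[ny][nx] == "#" and (ny, nx) not in seen):
                            seen.add((ny, nx))
                            queue.append((ny, nx))
    return count

def resists_naive_segmentation(glyphs, gap):
    """True when crowding merges glyphs so components < characters."""
    return connected_components(render(glyphs, gap)) < len(glyphs)

if __name__ == "__main__":
    for gap in (2, 0, -1):
        print(gap, connected_components(render([GLYPH_L, GLYPH_J], gap)))
```

With a two-column gap the two glyphs fall out as two components, so the image segments trivially; overlapping them by one column merges the ink into a single component and the check passes.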

More Reading

The Robustness of Google’s CAPTCHA by Ahmad, Yan, and Tayara (most of the article above is sourced from this report)
