CAPTCHA
A CAPTCHA (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether or not the user is human.
The term was coined in 2003 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford.[1] The most common type of CAPTCHA was first invented in 1997 by Mark D. Lillibridge, Martin Abadi, Krishna Bharat, and Andrei Z. Broder. This form of CAPTCHA requires that the user type the letters of a distorted image, sometimes with the addition of an obscured sequence of letters or digits that appears on the screen. Because the test is administered by a computer, in contrast to the standard Turing test that is administered by a human, a CAPTCHA is sometimes described as a reverse Turing test. This term is ambiguous because it could also mean a Turing test in which the participants are both attempting to prove they are the computer.
This user identification procedure has received many criticisms, especially from disabled people, but also from other people who feel that their everyday work is slowed down by distorted words that are illegible even for users with no disabilities at all.[2] It takes the average person approximately 10 seconds to solve a typical CAPTCHA.[3]
Origin and inventorship
Since the early days of the Internet, users have wanted to make text illegible to computers. The first such people could be hackers, posting about sensitive topics to online forums they thought were being automatically monitored for keywords. To circumvent such filters, they would replace a word with look-alike characters. HELLO could become |-|3|_|_()
or )-(3££0
, as well as numerous other variants, such that a filter could not possibly detect all of them. This later became known as leetspeak.[4]
Subsequent to that work, two teams of people have claimed to be the first to invent the CAPTCHAs used throughout the Web today. The first team consists of Mark D. Lillibridge, Martín Abadi, Krishna Bharat, and Andrei Broder, who used CAPTCHAs in 1997 at AltaVista to prevent bots from adding URLs to their search engine. Looking for a way to make their images resistant to OCR attack, the team looked at the manual of their Brother scanner, which had recommendations for improving OCR's results (similar typefaces, plain backgrounds, etc.). The team created puzzles by attempting to simulate what the manual claimed would cause bad OCR.
The second team to claim inventorship of CAPTCHAs consists of Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford, who first described CAPTCHAs in a 2003 publication[1] and subsequently received much coverage in the popular press. Their notion of CAPTCHA covers any program that can distinguish humans from computers, including many different examples of CAPTCHAs.
The controversy of inventorship has been settled by the existence of a 1998 patent by Lillibridge, Abadi, Bharat, and Broder,[5] which predates other publications by several years. Though the patent does not use the term CAPTCHA, it describes the ideas in detail and precisely depicts the graphical CAPTCHAs used in the Web today.
Characteristics
CAPTCHAs are, by definition, fully automated, requiring little human maintenance or intervention to administer. This has obvious benefits in cost and reliability.
By definition, the algorithm used to create the CAPTCHA must be made public, though it may be covered by a patent. This is done to demonstrate that breaking it requires the solution to a difficult problem in the field of artificial intelligence (AI) rather than just the discovery of the (secret) algorithm, which could be obtained through reverse engineering or other means.
Modern text-based CAPTCHAS are designed such that they require the simultaneous use of three separate abilities—invariant recognition, segmentation, and parsing—to correctly complete the task with any consistency.[6]
- Invariant recognition refers to the ability to recognize the large amount of variation in the shapes of letters. There are nearly an infinite number of versions for each character that a human brain can successfully identify. The same is not true for a computer, and teaching it to recognize all those differing formations is an extremely challenging task.
- Segmentation, or the ability to separate one letter from another, is also made difficult in CAPTCHAs, as characters are crowded together with no white space in between.
- Context is also critical. The CAPTCHA must be understood holistically to correctly identify each character. For example, in one segment of a CAPTCHA, a letter might look like an “m.” Only when the whole word is taken into context does it become clear that it is a “u” and an “n.”
Each of these problems pose a significant challenge for a computer, even in isolation. The presence of all three at the same time is what makes CAPTCHAs difficult to solve.[7]
Unlike computers, humans excel at this type of task. While segmentation and recognition are two separate processes necessary for understanding an image for a computer, they are part of the same process for a person. For example, when an individual understands that the first letter of a CAPTCHA is an “a”, that individual also understands where the contours of that “a” are, and also where it melds with the contours of the next letter. Additionally, the human brain is capable of dynamic thinking based upon context. It is able to keep multiple explanations alive and then pick the one that is the best explanation for the whole input based upon contextual clues. This also means it will not be fooled by variations in letters.
Accessibility
CAPTCHAs based on reading text — or other visual-perception tasks — prevent blind or visually impaired users from accessing the protected resource.[8] However, CAPTCHAs do not have to be visual. Any hard artificial intelligence problem, such as speech recognition, can be used as the basis of a CAPTCHA. Some implementations of CAPTCHAs permit users to opt for an audio CAPTCHA.[9] Other implementations do not require users to enter text, instead asking the user to pick images with common themes from a random selection.[10]
For non-sighted users (for example blind users, or the color blind on a color-using test), visual CAPTCHAs present serious problems.[11] Because CAPTCHAs are designed to be unreadable by machines, common assistive technology tools such as screen readers cannot interpret them. Since sites may use CAPTCHAs as part of the initial registration process, or even every login, this challenge can completely block access. In certain jurisdictions, site owners could become targets of litigation if they are using CAPTCHAs that discriminate against certain people with disabilities. For example, a CAPTCHA may make a site incompatible with Section 508 in the United States. In other cases, those with sight difficulties can choose to identify a word being read to them.
While providing an audio CAPTCHA allows blind users to read the text, it still hinders those who are both blind and deaf. According to sense.org.uk, about 4% of people over 60 in the UK have both vision and hearing impairments. There are about 23,000 people in the UK who have serious vision and hearing impairments. According to The National Technical Assistance Consortium for Children and Young Adults Who Are Deaf-Blind (NTAC), the number of deafblind children in the USA increased from 9,516 to 10,471 during the period 2004 to 2012.[12] Gallaudet University quotes 1980 to 2007 estimates which suggest upwards of 35,000 fully deafblind adults in the USA.[13] Deafblind population estimates depend heavily on the degree of impairment used in the definition.
The use of CAPTCHA thus excludes a small number of individuals from using significant subsets of such common Web-based services as PayPal, GMail, Orkut, Yahoo!, many forum and weblog systems, etc.
Even for perfectly sighted individuals, new generations of graphical CAPTCHAs, designed to overcome sophisticated recognition software, can be very hard or impossible to read.
A method of improving the CAPTCHA to ease the work with it was proposed by ProtectWebForm and was called "Smart CAPTCHA".[14] Developers advise to combine the CAPTCHA with JavaScript support. Since it is too hard for most of spam robots to parse and execute JavaScript, using a simple script which fills the CAPTCHA fields and hides the image and the field from human eyes was proposed.
One alternative method involves displaying to the user a simple mathematical equation and requiring the user to enter the solution as verification. Although these are much easier to defeat using software, they are suitable for scenarios where graphical imagery is not appropriate, and they provide a much higher level of accessibility for blind users than the image-based CAPTCHAs. These are sometimes referred to as MAPTCHAs (M = 'Mathematical'). However, these may be difficult for users with a cognitive disorder.
Other kinds of challenges, such as those that require understanding the meaning of some text (e.g., a logic puzzle, trivia question, or instructions on how to create a password) can also be used as a CAPTCHA. Again, there is little research into their resistance against countermeasures.
Relation to AI
While used mostly for security reasons, CAPTCHAs also serve as a benchmark task for artificial intelligence technologies. According to an article by Ahn, Blum and Langford, “Any program that passes the tests generated by a CAPTCHA can be used to solve a hard unsolved AI problem.”
They argue that the advantages of using hard AI problems as a means for security are twofold. Either the problem goes unsolved and there remains a reliable method for distinguishing humans from computers, or the problem is solved and a difficult AI problem is resolved along with it. In the case of image and text based CAPTCHAs, if an AI were capable of accurately completing the task without exploiting flaws in a particular CAPTCHA design, then it would have solved the problem of developing an AI that is capable of complex object recognition in scenes.
Solving CAPTCHA
Early success
In its earliest iterations there was not a systematic methodology for designing or evaluating CAPTCHAs.[7] As a result, there were many instances in which CAPTCHAs were of a fixed length and therefore automated tasks could be constructed to successfully make educated guesses about where segmentation should take place. Other early CAPTCHAs contained limited sets of words, which made the test much easier to game. Still others made the mistake of relying too heavily on background confusion in the image. In each case, algorithms were created that were successfully able to complete the task by exploiting these design flaws. These methods proved brittle however, and slight changes to the CAPTCHA were easily able to thwart them.
Modern CAPTCHAs
Modern CAPTCHAS like reCAPTCHA no longer rely just on fixed patterns but instead present variations of characters that are often collapsed together, making segmentation almost impossible. These newest iterations have been much more successful at warding off automated tasks.[7]
In 2009, Professor Anand Gupta of Netaji Subhas Institute of Technology led a team of researchers (Ashish Jain, Tushar Pahwa, Aditya Raj) to propose a novel scheme of embedding numbers in text CAPTCHAS (called Sequenced Tagged Captchas).[15] It incorporates two levels of testing that includes identification of displayed characters, and secondly, interpreting the logical ordering based on the embedded numbers. This adds significantly to the difficulty of breaking the CAPTCHA since the numbers signifying the ordering have to be separately identified; yet it can be dynamically generated.
In October 2013, artificial intelligence company Vicarious claimed that it had developed software that was able to solve modern CAPTCHAs with character recognition rates of up to 90%.[16] Unlike the previous one-off successes that made use of flaws in specific CAPTCHA tests, Vicarious asserted that its algorithms were powered by a holistic vision system modeled after insights from the human brain. The company also indicated that its AI was not specifically designed to complete CAPTCHA but rather to correctly recognize photographs, videos, and other visual data. However, Luis von Ahn, a pioneer of early CAPTCHA and founder of reCAPTCHA, expressed skepticism, stating: "It's hard for me to be impressed since I see these every few months." He pointed out that 50 similar claims to that of Vicarious had been made since 2003.[17]
Circumvention
There are a few approaches to defeating CAPTCHAs: using cheap human labor to recognize them, exploiting bugs in the implementation that allow the attacker to completely bypass the CAPTCHA, and finally improving character recognition software.[18] According to former Google click fraud czar Shuman Ghosemajumder, there are numerous criminal services which solve CAPTCHAs automatically.[19]
Accessibility
As many CAPTCHAs have the option of audio CAPTCHAs for the visually impaired, an audio file of the CAPTCHA can be downloaded that reads out the CAPTCHA which can be decoded using a speech to text synthesis software with greater accuracy and the obtained result can be used to serve as the input to the CAPTCHA asked. But noises in the sound file can be obstructive. The Australian Communications Consumer Action Network's CEO Teresa Corbin has stated “CAPTCHAs fundamentally fail to properly recognise people with disability as human”.[20]
Cheap or unwitting human labor
It may be possible to subvert CAPTCHAs by relaying them to a sweatshop of human operators who are employed to decode CAPTCHAs. A 2005 paper from a W3C working group stated that such an operator "could easily verify hundreds of them each hour".[8] Nonetheless, persons such as Brian Warner, the developer of the Petmail spam-resistant communication system, have suggested that this would still not be economically viable.[21] Another technique used consists of using a script to re-post the target site's CAPTCHA as a CAPTCHA to a site owned by the attacker, which unsuspecting humans visit and correctly solve within a short while for the script to use.[22]
Insecure implementation
Howard Yeend has identified two implementation issues with poorly designed CAPTCHA systems:[23]
- Some CAPTCHA protection systems can be bypassed without using OCR simply by reusing the session ID of a known CAPTCHA image
- CAPTCHAs residing on shared servers also present a problem; a security issue on another virtual host may leave the CAPTCHA issuer's site vulnerable
Sometimes, if part of the software generating the CAPTCHA is client-side (the validation is done on a server but the text that the user is required to identify is rendered on the client side), then users can modify the client to display the unrendered text. Some CAPTCHA systems use MD5 hashes stored client-side, which may leave the CAPTCHA vulnerable to a brute-force attack.
Computer character recognition
Although CAPTCHAs were originally designed to defeat standard OCR software designed for document scanning, a number of research projects have proven that it is possible to defeat many CAPTCHAs with programs that are specifically tuned for a particular type of CAPTCHA. For CAPTCHAs with distorted letters, the approach typically consists of the following steps:
- Removal of background clutter, for example with color filters and detection of thin lines.
- Segmentation, i.e., splitting the image into segments containing a single letter.
- Identifying the letter for each segment.
Step 1 is typically very easy to do automatically. In 2005, it was also shown that neural network algorithms have a lower error rate than humans in step 3.[24] The only part where humans still outperform computers is step 2. If the background clutter consists of shapes similar to letter shapes, and the letters are connected by this clutter, the segmentation becomes nearly impossible with current software. Hence, an effective CAPTCHA should focus on step 2, the segmentation.
Neural networks have been used with great success to defeat CAPTCHAs as they are generally indifferent to both affine and non-linear transformations. As they learn by example rather than through explicit coding, with appropriate tools very limited technical knowledge is required to defeat more complex CAPTCHAs.
Some CAPTCHA-defeating projects:
- Mori et al. published a paper in IEEE CVPR'03 detailing a method for defeating one of the most popular CAPTCHAs, EZ-Gimpy, which was tested as being 92% accurate in defeating it.[25] The same method was also shown to defeat the more complex and less-widely deployed Gimpy program 33% of the time. However, the existence of implementations of their algorithm in actual use is indeterminate at this time.
- PWNtcha has made significant progress in defeating commonly used CAPTCHAs, which has contributed to a general migration towards more sophisticated CAPTCHAs.[26]
- A number of Microsoft Research papers describe how computer programs and humans cope with varying degrees of distortion.[24]
Image recognition CAPTCHAs vs. character recognition CAPTCHAs
With the demonstration (through research publications) that character recognition CAPTCHAs are vulnerable to computer vision based attacks, some researchers have proposed alternatives to character recognition, in the form of image recognition CAPTCHAs which require users to identify simple objects in the images presented. The argument is that object recognition is typically considered a more challenging problem than character recognition, due to the limited domain of characters and digits in the English alphabet.
Some proposed image recognition CAPTCHAs include:
- Chew et al. published their work in the 7th International Information Security Conference, ISC'04, proposing three different versions of image recognition CAPTCHAs, and validating the proposal with user studies. It is suggested that one of the versions, the anomaly CAPTCHA, is best with 100% of human users being able to pass an anomaly CAPTCHA with at least 90% probability in 42 seconds.[27]
- Datta et al. published their paper in the ACM Multimedia '05 Conference, named IMAGINATION (IMAge Generation for INternet AuthenticaTION), proposing a systematic way to image recognition CAPTCHAs. Images are distorted in such a way that state-of-the-art image recognition approaches (which are potential attack technologies) fail to recognize them.[28]
- Microsoft (Jeremy Elson, John R. Douceur, Jon Howell, and Jared Saul) have developed Animal Species Image Recognition for Restricting Access (ASIRRA) which ask users to distinguish cats from dogs. Microsoft had a beta version of this for websites to use.[29] They claim "Asirra is easy for users; it can be solved by humans 99.6% of the time in under 30 seconds. Anecdotally, users seemed to find the experience of using Asirra much more enjoyable than a text-based CAPTCHA." This solution was described in a 2007 paper to Proceedings of 14th ACM Conference on Computer and Communications Security (CCSIts)[30] However, this project was closed in October 2014 and is no longer available.[31]
See also
References
- 1 2 von Ahn, Luis; Blum, Manuel; Hopper, Nicholas J.; Langford, John (May 2003). CAPTCHA: Using Hard AI Problems for Security. EUROCRYPT 2003: International Conference on the Theory and Applications of Cryptographic Techniques.
- ↑ Disabled Australian starts petition to kill CAPTCHA, an article by Tim Schiesser (August 5, 2013, 9:30 AM)
- ↑
- ↑ "h2g2 - An Explanation of l33t Speak - Edited Entry". Retrieved 2015-06-03.
- ↑ U.S. Patent 6,195,698. Method for selectively restricting access to computer systems. Filed on Apr 13, 1998 and granted on Feb 27, 2001. Available at http://www.google.com/patents/US6195698
- ↑ Chellapilla, Kumar; Larson, Kevin; Simard, Patrice; Czerwinski, Mary. "Designing Human Friendly Human Interaction Proofs (HIPs)" (PDF). Microsoft Research.
- 1 2 3 Bursztein, Elie; Martin, Matthieu; Mitchell, John C. (2011). "Text-based CAPTCHA Strengths and Weaknesses". ACM Computer and Communication Security 2011 (ACM Conference CSS'2011). Stanford University.
- 1 2 May, Matt (2005-11-23). "Inaccessibility of CAPTCHA". W3C. Retrieved 2015-04-27.
- ↑ The article Proposal for an accessible Captcha describes how audio and visual test can be combined to increase accessibility in a Captcha.
- ↑ "HumanAuth supports ADA and Section 508 requirements without forcing users to read distorted CAPTCHA text". Retrieved 2006-10-23.
- ↑ Shea, Michael (19 November 2015). "CAPTCHA: Spambots, eBooks and the Turing Test". The Skinny. Retrieved 9 January 2016.
- ↑ "National Child Count Annual Reports". TA&D Network. National Consortium on Deaf-Blindness. November 30, 2012. Retrieved 27 November 2013.
- ↑ Harrington, Tom; Rutherford, Jane. "American deaf-blind population". Deaf Statistics. Gallaudet University Library. Retrieved 27 November 2013.
- ↑ "Smart Captcha". Protect Web Form .COM. 2006-10-08. Retrieved 2013-09-28.
- ↑ "Sequenced Tagged Captcha : Generation and its Analysis", Delhi, 6–7 March 2009.
- ↑ Summers, Nick. "Vicarious claims its AI software can crack up to 90% of CAPTCHAs offered by Google, Yahoo and PayPal". TNW.
- ↑ Hof, Robert. "AI Startup Vicarious Claims Milestone In Quest To Build A Brain: Cracking CAPTCHA". Forbes.
- ↑ Walsh, Eric (October 28, 2013). "CAPTCHA he cracked by artificial intelligence". mybroadband.co.za. Reuters. Retrieved 27 November 2013.
- ↑ Ghosemajumder, Shuman (8 December 2015). "The Imitation Game: The New Frontline of Security". InfoQ. InfoQ. Retrieved 8 December 2015.
- ↑ Sharwood, Simon (5 Aug 2013). "They don't recognise us as HUMAN: Disability groups want CAPTCHAs killed". The Register. Archived from the original on 2014-08-26. Retrieved 2015-04-27.
- ↑ "Hire People To Solve CAPTCHA Challenges". Petmail Design. 2005-07-21. Retrieved 2015-04-27.
- ↑ Doctorow, Cory (2004-01-27). "Solving and creating captchas with free porn". Boing Boing. Archived from the original on 2006-02-09. Retrieved 2015-04-27.
- ↑ Yeend, Howard (2005). "Breaking CAPTCHAs Without Using OCR". (pureMango.co.uk). Retrieved 2006-08-22.
- 1 2 See for instance: Chellapilla, Kumar; Larson, Kevin; Simard, Patrice; Czerwinski, Mary (2005). "Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs)" (PDF). Microsoft Research. Retrieved 27 November 2013.
- ↑ "Breaking a Visual CAPTCHA" (PDF). Cs.berkeley.edu. 2002-12-10. Retrieved 2013-09-28.
- ↑ "PWNtcha – Caca Labs". Sam.zoy.org. 2009-12-04. Retrieved 2013-09-28.
- ↑ "Image Recognition CAPTCHAs" (PDF). Cs.berkeley.edu. Retrieved 2013-09-28.
- ↑ "Imagination Paper". Infolab.stanford.edu. Retrieved 2013-09-28.
- ↑ "Asirra is a human interactive proof that asks users to identify photos of cats and dogs".
- ↑ "Asirra: A CAPTCHA that Exploits Interest-Aligned Manual Image Categorization".
- ↑ "Microsoft's Asirra project closed.".
External links
- CAPTCHA at DMOZ
- Verification of a human in the loop, or Identification via the Turing Test, Moni Naor, 1996.
- The Captcha Project
- Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web, a W3C Working Group Note.
- Captcha History from PARC.
- Reverse Engineering CAPTCHAs Abram Hindle, Michael W. Godfrey, Richard C. Holt, 2009-08-24