Security Risks with Using CAPTCHAs
Final Project CS854 Fall 2006
Presented by Allan Caine
December 4, 2006
Allan Caine 2
Outline
Background
Our Proposed Model and Why
Multi-point attack
Attacking “Repeaters”
Background
Password/authentication System
Human called the Prover
Generally succeeds
Bot called the Prover
Generally fails
Server/System
CAPTCHA called the Verifier
Current Paradigm
Purchase Request
Key: k
challenge
E-commerce web site.
Bot
CAPTCHA Server
CGI: k
CGI: k
Expects 3882948
Proposed Model
E-commerce web site.
Bot
CAPTCHA Server
The attacker cannot perceive the presence of a third party.
Example
Pre-sale advertising
Transaction Processing
Consequence: Multi-point Attack
The resemblance is uncanny. Both use the same 3rd party CAPTCHA provider, audienceview.com.
Breaking one CAPTCHA breaks both sites. The attacker has two points of attack and more incentive to attempt the attack.
All of these Sites are Compromised!
www.tickets.com
And many other non-baseball sites
Attacking Repeaters
Purchase Request
Key: k
challenge
E-commerce web site.
MLB & yourtube.com
Bot
CAPTCHA Server
CGI: k
CGI: k
Expects 3882948
Two Basic Steps
Learn off-line
Attack on-line
1st Step: Learn Off-line
Clipped
Cleaned
Templates
2nd Step: Attack On-line
Sub-steps
Pre-process the CAPTCHA
Correlate and Vote
Preprocess
K-means analysis Segregation
Targets
Correlate and Vote
Best Match!
Usually, we get a correct match. Occasionally, due to image noise in the target, we get a spurious result.
No problem! We ask the CAPTCHA server for another image with the same solution. We try again to cross check our work.
“Election” Results
The digit getting the most votes for a particular position “wins” the election and is our choice for the solution.
So What?
Strategy depends upon a specific weakness (repeating) and yet:
Unlimited access to training data (common fault)
Strategy suggests how to segregate characters
Learning complex strategies may break other CAPTCHAs
Future Directions
Apply the learn off-line/attack on-line strategy to break other CAPTCHAs (i.e. break yourtube.com and audienceview.com)
Use analysis to build more robust verifiers (i.e. k not constant)
Build prototype e-commerce websites according to our model and test.
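
The "k not constant" direction above, as an added example that is not code from the presentation: a verifier that repeats its solution under a constant key, beside one that issues a fresh key and solution for every image and consumes the key on first use. The class and function names are hypothetical, and the solution is returned to the caller only so the behaviour can be observed; a real server would hand it to the image renderer and never to the client.

```python
import hmac
import secrets

DIGITS = 7  # the slides' example solution, 3882948, has seven digits

def _random_solution():
    return "".join(secrets.choice("0123456789") for _ in range(DIGITS))

class RepeatingVerifier:
    """Weak design from the slides: key k is constant, so every image
    requested under k encodes the same solution."""
    def __init__(self):
        self.k = secrets.token_urlsafe(16)
        self._solution = _random_solution()

    def new_image(self, k):
        # Returns the solution the renderer would draw (assumed interface).
        return k, self._solution

    def verify(self, k, answer):
        return k == self.k and hmac.compare_digest(self._solution, answer)

class FreshVerifier:
    """Hardened design: k is not constant. Each image gets a new key and a
    new solution, and a key is consumed by its first verification."""
    def __init__(self):
        self._pending = {}  # k -> expected solution

    def issue(self):
        k = secrets.token_urlsafe(16)
        self._pending[k] = _random_solution()
        return k, self._pending[k]

    def new_image(self, old_k):
        self._pending.pop(old_k, None)  # retire the old challenge
        return self.issue()

    def verify(self, k, answer):
        expected = self._pending.pop(k, None)  # single use, right or wrong
        return expected is not None and hmac.compare_digest(expected, answer)

def solutions_seen(verifier, k, n):
    """Distinct solutions a client observes across n 'another image' requests."""
    seen = set()
    for _ in range(n):
        k, solution = verifier.new_image(k)
        seen.add(solution)
    return seen
```

With the repeating verifier a client sees one solution no matter how many images it requests, which is what makes cross-checking by vote possible; with the fresh verifier each image stands alone and a wrong answer burns the key.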