TY - GEN
T1 - Towards evaluating the security of real-world deployed image captchas
AU - Zhao, Binbin
AU - Weng, Haiqin
AU - Ji, Shouling
AU - Chen, Jianhai
AU - Wang, Ting
AU - He, Qinming
AU - Beyah, Raheem
N1 - Publisher Copyright: © 2018 Association for Computing Machinery.
PY - 2018/10/15
Y1 - 2018/10/15
AB - Nowadays, image captchas are being widely used across the Internet to defend against abusive programs. However, the ever-advancing capabilities of computer vision techniques are gradually diminishing the security of image captchas; yet, little is known thus far about the vulnerability of image captchas deployed in real-world settings. In this paper, we conduct the first systematic study on the security of image captchas in the wild. We classify the currently popular image captchas into three categories: selection-, slide- and click-based captchas. We propose three effective and generic attacks, each against one of these categories. We evaluate our attacks against 10 real-world popular image captchas, including those from tencent.com, google.com, and 12306.cn. Furthermore, we compare our attacks with 9 online image recognition services and human labor from 8 underground captcha-solving services. Our studies show that: (1) all of those popular image captchas are vulnerable to our attacks; (2) our attacks significantly outperform the state of the art in almost all the scenarios; and (3) our attacks achieve effectiveness comparable to human labor but with much higher efficiency. Based on our evaluation, we identify the design flaws of those popular schemes, the best practices, and the design principles towards more secure captchas. We believe our findings shed light on facilitating the ecosystem of image captchas.
UR - http://www.scopus.com/inward/record.url?scp=85056743337&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85056743337&partnerID=8YFLogxK
U2 - 10.1145/3270101.3270104
DO - 10.1145/3270101.3270104
M3 - Conference contribution
AN - SCOPUS:85056743337
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 85
EP - 96
BT - AISec 2018 - Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2018
PB - Association for Computing Machinery
T2 - 11th ACM Workshop on Artificial Intelligence and Security, AISec 2018, co-located with CCS 2018
Y2 - 19 October 2018
ER -