Doctor of Philosophy
School of Computer Science and Software Engineering
Nguyen, Duc Vu, Contributions to Text-based CAPTCHA Security, Doctor of Philosophy thesis, School of Computer Science and Software Engineering, University of Wollongong, 2014. http://ro.uow.edu.au/theses/4223
A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human. It is a standard defence mechanism against bots, or automated programs, that attempt to use web-based services meant for human users. While there are many dierent types of CAPTCHA schemes that have emerged over the years, to date, the most widely used type is text-based CAPTCHAs in the form of a single 2D image of distorted text. Unfortunately, a large number of text-based CAPTCHA schemes have been successfully broken. Thus, animated, 3D or 4D text-based CAPTCHAs are seen as alternative paradigms which have been explored by a number of CAPTCHA designers. These new types of CAPTCHAs are meant to overcome the limitations of traditional CAPTCHAs and are supposed to be more robust and secure against automated attacks. However, while there is a growing number of design proposals for animated, 3D and 4D text-based CAPTCHAs, very little research has been devoted to examining the robustness of these alternative types.
The primary goal of this research was to systematically investigate the security of existing text-based CAPTCHAs, focusing on animated, 3D and 4D types. First, we analyse the security of alternative designing paradigms by developing a toolbox with a set of novel algorithms and attacks. Our successful attacks on a large number of existing real-world schemes give rise to the conclusion that they are no more secure than their static 2D counterparts. Next, we explain why those schemes failed to withstand the attacks by highlighting design aws and give recommendations which should be used or avoided in future CAPTCHA designs. We also show that segmentation-resistance, a widely accepted principle in designing traditional text-based CAPTCHAs, is still one of the necessary design principles that apply to animated, 3D and 4D CAPTCHAs. Then we propose a segmentation-resistant CAPTCHA scheme based on the concept of identifying character locations, rather than merely recognising characters. We show that this scheme is robust against current attack techniques. Our approach helps enhance the segmentation-resistant principle and broadens the scope for designing secure and usable CAPTCHAs.