
CAPTCHA: THE SECURITY THROUGH OBSCURITY

ABSTRACT

Forums, blogs, email addresses, video sharing sites and others have become a target for either commercial or non-commercial spam. Spammers use bots to crawl through websites and pick up email addresses, post spam or consume their accounts. Excessive server loads, illegal spam, theft of resources and many other problems are all consequences of spamming. This paper talks about CAPTCHA as a solution to limit spamming.

1. INTRODUCTION

A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is a program that generates and grades tests that are human solvable, but intended to be beyond the capabilities of current computer programs [1]. The term "CAPTCHA" was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. At the time, they developed the first CAPTCHA to be used by Yahoo [2]. This technology is now almost a standard security mechanism for defending against undesirable Internet bot programs, such as those spreading junk emails and those grabbing thousands of free email accounts instantly. It has found widespread application on numerous commercial web sites including Google, Yahoo, and Microsoft's MSN [3].

The most common use of CAPTCHA on the web today is to try to prevent the repeated automatic submission of forms by bots, usually for the purpose of spam. Adding a CAPTCHA to a form can cut down on the amount of spam received via a contact form or can prevent bots from signing up for accounts on the website.

Spamming is among the top few problems that today's webmasters have to deal with. On the other hand, CAPTCHA is among a few successful techniques, used by almost all web sites, to control automated spamming activities. The most widely used CAPTCHAs are the text-based schemes, which rely on distorting text images to make them unrecognizable to recognition programs.
There are many other types, covered next.

2. TYPES OF CAPTCHA

By far, the most common type of CAPTCHA involves the use of letters that are arranged randomly and are distorted in some way with various background colors. These are the ones that you will most likely have seen when signing up for an e-mail account. But other alternatives do exist [4].

2.1 Character-Based CAPTCHA

This category means that a string of characters is presented to the user. This string can contain either words or random alphanumeric characters (see Figure 1).

Figure 1. Different kinds of character-based CAPTCHA with different levels of distortion [5]

2.2 Image-Based CAPTCHA

Images or pictures are presented to the user. This is normally in the form of an identifiable real-world object, but can also be presented in the form of shapes. The task is to identify the object shown in the picture. The problem with this type of CAPTCHA is that it needs a large set of pictures to become effective, which consumes a large amount of server space.

2.3 Anomaly-Based CAPTCHA

Users are asked to determine which object, character or shape does not belong in a set of images displayed on the screen. This type of CAPTCHA has the same disadvantage as the image-based CAPTCHA.

2.4 Recognition-Based CAPTCHA

The users need to determine what is being presented to them. In the case of a character-based and recognition-based CAPTCHA, the user needs to identify and input the character string that is presented to them.

2.5 Sound-Based CAPTCHA

The user is presented with an audio version of a CAPTCHA. The user listens to the audio file and inputs their answer. A sound-based CAPTCHA can be presented in two formats:

1. Spoken words or numbers.
2. Sounds related to an image.

This CAPTCHA is effective for people who have a visual impairment. It is, probably, the second most common type of CAPTCHA (Figure 2).

Figure 2. An example of Text/Audio CAPTCHA from ReCAPTCHA [6]

3. APPLICATIONS OF CAPTCHA

CAPTCHA has several applications for practical security, including [7]:

3.1 Preventing Comment Spam in Blogs

Most bloggers are familiar with programs that submit bogus comments, usually for the purpose of raising the search engine rank of some website. This is called comment spam. By using a CAPTCHA, only humans can enter comments on a blog. There is no need to make users sign up before they enter a comment, and no legitimate comments are ever lost.

3.2 Protecting Website Registration

Several companies (Yahoo!, Microsoft, etc.) offer free email services. Up until a few years ago, most of these services suffered from a specific type of attack: "bots" that would sign up for thousands of email accounts every minute. The solution to this problem was to use CAPTCHAs to ensure that only humans obtain free accounts. In general, free services should be protected with a CAPTCHA in order to prevent abuse by automated scripts.

3.3 Protecting Email Addresses from Scrapers

Spammers crawl the Web to search for email addresses posted in clear text. CAPTCHAs provide an effective mechanism to hide email addresses from Web scrapers. The idea is to require users to solve a CAPTCHA before showing the email address.

3.4 Online Polls

In November 1999, http://www.slashdot.org released an online poll asking which graduate school in computer science was the best. As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own program and the poll became a contest between voting "bots." MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. Can the result of any online poll be trusted? Not unless the poll ensures that only humans can vote.

3.5 Preventing Dictionary Attacks

CAPTCHA can also be used to prevent dictionary attacks in password systems. The idea is simple: prevent a computer from being able to iterate through the entire space of passwords by requiring it to solve a CAPTCHA after a certain number of unsuccessful logins. This is better than the classic approach of locking an account after a sequence of unsuccessful logins, since doing so allows an attacker to lock accounts at will.

3.6 Search Engine Bots

It is sometimes desirable to keep web pages un-indexed to prevent others from finding them easily.
There is an HTML tag to prevent search engine bots from reading web pages. The tag, however, doesn't guarantee that bots won't read a web page. It only serves to say "no bots, please." Search engine bots, since they usually belong to large companies, respect web pages that don't want to allow them in. However, in order to truly guarantee that bots won't enter a web site, CAPTCHAs are needed.

3.7 Worms and Spam

CAPTCHAs also offer a conceivable solution against email worms and spam: "I will only accept an email if I know there is a human behind the other computer." A few companies are already marketing this idea.

4. CAPTCHA DEVELOPMENT

Developers have recognized the accessibility shortcomings of the visual CAPTCHA and have begun research into sound-based CAPTCHA. One major shortcoming of CAPTCHA based on spoken text or numbers is that the audio has to be distorted to defeat the use of automated speech recognition to solve the challenges. Because of this distortion it becomes difficult even for a human to differentiate between the distortion and the valid data [8].

5. CAPTCHA FUTURE

CAPTCHA design should pay attention to the values of universal usability. Tools should support a large range of users of different backgrounds and abilities. Current CAPTCHA systems create a separation between their visual and audio CAPTCHA. The audio CAPTCHA is essentially a distinct system with a completely independent development and maintenance path. Alternatively, the visual and audio CAPTCHA can be joined into one single system in which the audio is directly related to the visual elements that are presented to the user. This type of CAPTCHA will be more accessible for users with visual impairments, as well as having possible benefits of easy adaptation for different languages and cultures.

6. CONCLUSION

Sites with attractive resources and millions of users will always need access control systems that limit their misuse. At that level, it is reasonable to employ many concurrent approaches, including audio and visual CAPTCHA, to do so.
However, it must be noted that users with disabilities can interact with a given resource in a reasonable amount of time.

7. REFERENCES

[1] L von Ahn, M Blum and J Langford. Telling Humans and Computers Apart Automatically, CACM, V47, No2, 2004.
[2] The Official CAPTCHA Site. Located on the Internet at http://www.captcha.net/. Last visited: 12 December, 2008.
[3] J Yan, A Salah El Ahmad, "A Low-cost Attack on a Microsoft CAPTCHA".
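
Added example, not part of the original paper: the two policies compared in section 3.5, implemented as a per-account failure counter that either locks the account or demands a CAPTCHA before the password is checked. The threshold of 3, the `captcha_ok` flag (standing in for a CAPTCHA service's verdict) and the demo account are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

CAPTCHA_AFTER = 3  # assumed threshold; the paper says only "a certain number"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    """Failed-login counter per account, with the two policies of section 3.5."""

    def __init__(self, accounts, policy):
        self.policy = policy                      # "lockout" or "captcha"
        self.failures = defaultdict(int)
        self.users = {}
        for user, password in accounts.items():   # constructed demo accounts
            salt = os.urandom(16)
            self.users[user] = (salt, _hash(password, salt))

    def attempt(self, user, password, captcha_ok=False):
        # captcha_ok: hypothetical flag, True once a CAPTCHA service has
        # verified the answer submitted with this login request.
        over = self.failures[user] >= CAPTCHA_AFTER
        if over and self.policy == "lockout":
            return "locked"                       # owner is shut out too
        if over and not captcha_ok:
            return "captcha_required"             # password is not evaluated
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"

def simulate(policy):
    """Script submits five guesses without a CAPTCHA, then the owner logs in."""
    gate = LoginGate({"alice": "correct horse"}, policy)
    guesses = ["123456", "password", "qwerty", "letmein", "correct horse"]
    script = [gate.attempt("alice", g) for g in guesses]
    owner = gate.attempt("alice", "correct horse", captcha_ok=True)
    return script, owner

if __name__ == "__main__":
    for policy in ("lockout", "captcha"):
        print(policy, *simulate(policy))
```

Under `lockout` the owner's own login is refused once the script has used up the failures; under `captcha` the script stalls even when it submits the right password, while the owner still gets in.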
