Attackers are using optical character recognition and machine learning, as well as crowdsourcing through third parties, to solve a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
CAPTCHA is a challenge-response test used to ensure that the response is generated by a person, not a computer. Users are asked to read and type a string of distorted characters in order to ensure that the user is a human, not a computer trying to access a website or account.
"Attackers use automation in order to scrape data from websites or add comments. Automation is a real problem for web applications. Application owners introduced the CAPTCHA, which gives a visitor to a website a test to determine whether it is human or automation," explained Tal Beery, web security research team leader at Imperva's Application Defense Center.
"Using our array of honey pots, we were able to see attacks that bypassed the CAPTCHA and allowed automation against these sites," he told Infosecurity.
Beery explained that spammers are using third parties to solve CAPTCHAs, so-called crowdsourcing. Through this technique, third parties establish networks of CAPTCHA-solving individuals who get paid a small amount to solve thousands of CAPTCHAs. Spammers then hire these firms to bypass CAPTCHAs for a modest price.
The Imperva report identified improved approaches to CAPTCHA that include using more difficult CAPTCHAs with simple riddles and contextual semantics, which are more difficult for automated tools to solve. These can be used when an automated web user is suspected.
In the report, Imperva advised that anti-automation products bolster CAPTCHA defenses with traffic-based automation detection, behavioral analysis, content analysis, and blacklists. "CAPTCHA should be combined with other mechanisms against automation," Beery said.
The report recommended that CAPTCHA security should be balanced with a positive user experience. This can be accomplished by using novel CAPTCHA methods that make the CAPTCHA into something enjoyable, like a mini-game, and by minimizing the number of CAPTCHA challenges that legitimate users encounter.
Article 2
Strengthening CAPTCHA-based Web Security
Many of us are familiar with Web sites that force us to identify peculiar, warped letters in cluttered images and enter them into a text box. One of the standard chores of registering with modern Web services is the demonstration that we truly are human beings and not nefarious computer programs set on causing mischief. Yet despite the warped and cluttered characters in these images becoming harder to distinguish as each year passes, Web forums and blog comments still seem to be filled with unwanted spam adverts. Clearly, the system is not working as well as it should. This paper therefore addresses the topic of Web CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) and discusses how we might make them more effective and long lasting without greatly inconveniencing everyday users [1].
Captchas are an important and widely used modern Internet technology. They reduce the ability of automated agents to programmatically exploit Web-based resources such as online email accounts, online polls, Web-based comment systems, Web-based SMS portals and so on (Carnegie Mellon University, 2009; Pope and Kaur, 2005; von Ahn, et al., 2003). A captcha is a challenge that authenticates users as human; human users are generally accepted to be much less able to exploit Web-based resources than automated agents. Captchas require users to prove they are human by conveniently exhibiting human-level intelligence in some manner (Turing, 1950; von Ahn, et al., 2003). Generally, a user must correctly interpret an image, sound, or text phrase that has been mathematically corrupted with noise, perturbations and transformations, though other types of captcha exist (Baird and Bentley, 2005; Baird, et al., 2005; Bursztein, et al., 2010; Chow, et al., 2008; Coates, et al., 2003; Gossweiler, et al., 2009; Microsoft, 2007; Misra and Gaj, 2006; Datta and Wang, 2006; Shirali-Shahreza and Shirali-Shahreza, 2007a; von Ahn, et al., 2003). The noise and transformations are intended to make computer-based image or sound recognition effectively intractable. In principle, this means that only humans can provide a correct response and thus gain access to the Web resource protected by the captcha.
Unfortunately, in practice, captchas have not been quite so successful (Chellapilla and Simard, 2005; Golle, 2008; Huang, et al., 2008; Mori and Malik, 2003; Moy, et al., 2004; Yan and El Ahmad, 2008a). Generally, the essential problem in captcha design is the tradeoff between the difficulty of the captcha for automated agents, and the convenience of the captcha for human agents. Figure 1 shows an example of a typical current-day captcha.
To date, the captchas that have been designed and implemented for high traffic sites such as Google, Yahoo and MSN have proven vulnerable to attack (Bursztein, et al., 2011; Bursztein and Bethard, 2009; Protalinski, 2008; Vaughan-Nichols, 2008; Websense Security Labs, 2008a,b,c; 2009). Designers of malicious automated agents have shown themselves to be very capable of overcoming the obfuscation present within captchas, often combining simple heuristics with brute force attacks. In addition to these attacks by real-world malicious users, Web security researchers engage in cat-and-mouse style research in which captchas are designed and then broken, as an iterated and evolving research challenge (Baird and Bentley, 2005; Baird, et al., 2005; Chellapilla and Simard, 2005; Golle, 2008; Huang, et al., 2008; Microsoft, 2007; Mori and Malik, 2003; Moy, et al., 2004; Yan and El Ahmad, 2008a). This presents a problem for major Web sites relying upon captchas, as researchers who successfully break a captcha system may indirectly assist malicious users. In principle, research helps industry-based captcha system developers to produce robust and convenient captchas. In practice, the delay between captcha systems being overcome and then replaced by a newer and more successful captcha technique allows malicious users a golden opportunity to abuse Web-based resources.
http://firstmonday.org/ojs/index.php/fm/article/view/3630/3145
Article 3
Captcha Generation for Secure Web Services
Today the internet has become a vital global tool for accessing services. Most of the time these internet sites require registration to access these services. The proliferation of the publicly available services on the Web is a boon for the community at large. But unfortunately it has invited new and novel abuses. Programs (bots and spiders) are being created to steal services and to conduct fraudulent transactions.
Free online accounts are being registered automatically many times and are being used to distribute stolen or copyrighted material. Recommendation systems are vulnerable to artificial inflation or deflation of rankings. For example, eBay, a famous auction website, allows users to rate a product. Abusers can easily create bots that could increase or decrease the rating of a specific product, possibly changing people's perception of the product. Automated computer programs are always looking for a chance to enter these sites and sign up for the massive number of accounts that are used to send spam email. This leads to wastage of resources on sites. For this purpose captcha is provided. It is used to verify whether the end user is human or not. In this paper we present a captcha using Markov text and time variance. We examine three approaches to captcha generation: dictionary word, random string and Markov text. Dictionary words are easy to read but also easy to guess. Random strings are hard to guess and also hard to read and remember. Markov text provides a middle way between the two approaches. Along with the Markov text algorithm we use the concept of time variance. The captcha is refreshed after a predefined time without affecting the web page. Automated programs have enough time to apply processes and break the captcha between the duration of form load and submit. Decreasing this duration may add more security.
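A sketch of the Markov-text and time-variance idea described above, added here as an illustration and not taken from the paper: a letter-level Markov chain produces readable non-dictionary strings, and an HMAC token ties each answer to its issue time so it expires. The training words, the 30-second interval, the token format and all function names are assumptions.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict

# Constructed training words; a deployment would use a much larger corpus.
CORPUS = ["security", "captcha", "markov", "network", "random", "service",
          "account", "browser", "session", "register", "internet", "program"]
SERVER_KEY = secrets.token_bytes(32)   # per-process secret (assumption)
TTL_SECONDS = 30                       # refresh interval (assumed value)

def build_chain(words, order=2):
    """Map each `order`-letter context to the letters observed after it."""
    chain = defaultdict(list)
    for w in words:
        padded = "^" * order + w + "$"
        for i in range(len(padded) - order):
            chain[padded[i:i + order]].append(padded[i + order])
    return chain

def markov_text(chain, order=2, min_len=5, max_len=8):
    """Generate a pronounceable string that is not itself a corpus word."""
    while True:
        ctx, out = "^" * order, ""
        while len(out) < max_len:
            nxt = secrets.choice(chain[ctx])   # CSPRNG, not random.choice
            if nxt == "$":
                break
            out += nxt
            ctx = ctx[1:] + nxt
        if len(out) >= min_len and out not in CORPUS:
            return out

def _mac(text, issued):
    return hmac.new(SERVER_KEY, f"{text}|{issued}".encode(), hashlib.sha256).hexdigest()

def issue(chain, now=None):
    """Return (text_to_render, token); the token binds answer and issue time."""
    now = int(time.time() if now is None else now)
    text = markov_text(chain)
    return text, f"{now}.{_mac(text, now)}"

def verify(answer, token, now=None):
    """Accept only a correct answer submitted within TTL_SECONDS of issue."""
    now = int(time.time() if now is None else now)
    issued_s, _, mac = token.partition(".")
    if not issued_s.isdecimal():
        return False
    issued = int(issued_s)
    fresh = 0 <= now - issued <= TTL_SECONDS
    return fresh and hmac.compare_digest(mac.encode(), _mac(answer.lower(), issued).encode())
```

A token verified this way remains replayable until it expires, so a deployment would also record used tokens and limit attempts per token.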