Security and Usability Challenges of Moving-Object CAPTCHAs

Similar documents
1 INTRODUCTION. Y. Xu, G. Reynaga, S. Chiasson, J-M. Frahm, F. Monrose, and P. van Oorschot

Security Analysis and Related Usability of Motion-based CAPTCHAs: Decoding Codewords in Motion

THE USABILITY OF CAPTCHAS ON MOBILE DEVICES

User Authentication + Other Human Aspects

How to Tell a Human apart from a Computer. The Turing Test. (and Computer Literacy) Spring 2013 ITS B 1. Are Computers like Human Brains?

Click Based Animation CAPTCHA

Comparing the Usability of RoboFlag Interface Alternatives*

CAPTCHAs and Information Hiding

Virtual U: Defeating Face Liveness Detection by Building Virtual Models From Your Public Photos

Requirements Validation and Negotiation

Cascading versus Indexed Menu Design

Cued Click Point Technique for Graphical Password Authentication

Exploration of 3D Texture and Projection for New CAPTCHA Design

Defenses against Large Scale Online Password Guessing by Using Persuasive Cued Click Points

PixelCAPTCHA. A Unicode Based CAPTCHA Scheme CYBER WORKFORCE ISSUES. Gursev Singh Kalra, Salesforce.com

EVALUATION OF PROTOTYPES USABILITY TESTING

Foundation Level Syllabus Usability Tester Sample Exam

Programmiersprache C++ Winter 2005 Operator overloading (48)

A Generalized Method to Solve Text-Based CAPTCHAs

User Authentication + Human Aspects

PICATCHA MIMS 2011 FINAL PROJECT REPORT SUMMARY

Usable Security Introduction to User Authentication and Human Interaction Proof Research

Accounts and Passwords

Paging vs. Scrolling: Looking for the Best Way to Present Search Results

Effective Threat Modeling using TAM

A Novel Gesture-based CAPTCHA Design for Smart Devices

Towards Systematic Usability Verification

What is a security measure? Types of security measures. What is a security measure? Name types of security measures

Attacking CAPTCHAs for Fun and Profit

Computer Security 4/15/18

Computer Security. 10. Biometric authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Gamified CAPTCHA.

CPSC 467: Cryptography and Computer Security

Machine Learning and CAPTCHAs

Geometry Sixth Grade

MULTIPLE GRID BASED GRAPHICAL TEXT PASSWORD AUTHENTICATION

EVALUATION OF PROTOTYPES USABILITY TESTING

Who are you? Enter userid and password. Means of Authentication. Authentication 2/19/2010 COMP Authentication is the process of verifying that

Visualizing Dynamic Transformations In Interactive Electronic Communication Patricia Search

Mobile Technologies. Mobile Design

Fast and Robust Classification using Asymmetric AdaBoost and a Detector Cascade

Adobe Campaign (15.12) Voluntary Product Accessibility Template

Tracking. Hao Guan( 管皓 ) School of Computer Science Fudan University

MIBA: Multitouch Image-Based Authentication on Smartphones

International Journal of Emerging Technology in Computer Science & Electronics (IJETCSE) ISSN: Volume 14 Issue 2 APRIL 2015

Team : Let s Do This CS147 Assignment 7 (Low-fi Prototype) Report

CPSC 444 Project Milestone III: Prototyping & Experiment Design Feb 6, 2018

CSE120 Wi18 Final Review

Character Recognition

Short-Term Audio-Visual Atoms for Generic Video Concept Classification

CAP 6412 Advanced Computer Vision

Face Recognition Using Vector Quantization Histogram and Support Vector Machine Classifier Rong-sheng LI, Fei-fei LEE *, Yan YAN and Qiu CHEN

Blackboard Collaborate WCAG 2.0 Support Statement August 2016

Requirements Validation and Negotiation (cont d)

C H A P T E R Introduction

ESCAPT: Easy Strategies for Computers to Avoid the Public Turing Test

Aim 2015 to assess pointing skills

Color. Today. part 2. How to Read a Research Paper Components of a Well-written Research Paper 3 Readings for Today

Peripheral drift illusion

A Review on Various Interactive CAPTCHA Techniques Concerning Web Security

Video Aesthetic Quality Assessment by Temporal Integration of Photo- and Motion-Based Features. Wei-Ta Chu

Computer Vision with MATLAB MATLAB Expo 2012 Steve Kuznicki

Usable Privacy and Security, Fall 2011 Nov. 10, 2011

USER INTERACTION DESIGN GUIDELINES

Chapter 3 Image Registration. Chapter 3 Image Registration

Wallpaper Groups and Statistical Geometry

SFU CMPT week 11

Innovative Graphical Passwords using Sequencing and Shuffling Together

Graphical User Authentication Using Random Codes

Terminology Management

SO OS Secure Online Voting System

FDA Initiatives on Human Factors and Usability for Medical Devices Molly Follette Story, PhD FDA /CDRH / ODE

MIS5206-Section Protecting Information Assets-Exam 1

DISABILITY LAW SERVICE BEST PRACTICES FOR AN ACCESSIBLE AND USABLE WEBSITE

MIAMI-DADE COUNTY PUBLIC SCHOOLS District Pacing Guide GEOMETRY HONORS Course Code:

Automated Canvas Analysis for Painting Conservation. By Brendan Tobin

A Survey on Graphical Passwords in Providing Security

SIMPLE TEXT BASED CAPTCHA FOR THE SECURITY IN WEB APPLICATIONS

6.871 Expert System: WDS Web Design Assistant System

EXAMINATION [The sum of points equals to 100]

Hans Joachim Jelena Mirkovic Ivica Milanovic Øyvind Bakkeli

Marketing Performance in Executive perspective on the strategy and effectiveness of marketing

Neural Nets. CSCI 5582, Fall 2007

2016, IJARCSSE All Rights Reserved Page 209

CS 418/518 Web Programming Spring CAPTCHA and Search. Dr. Michele Weigle. Outline ! CAPTCHA. !

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

STEALING PINS VIA MOBILE SENSORS: ACTUAL RISK VERSUS USER PERCEPTION

Salesforce Lightning Dialer

A Novel Approach to Image Segmentation for Traffic Sign Recognition Jon Jay Hack and Sidd Jagadish

Toward Spatial Queries for Spatial Surveillance Tasks

Gait-based Person Identification using Motion Interchange Patterns

IJITKMSpecial Issue (ICFTEM-2014) May 2014 pp (ISSN )

Lecture 19: Generative Adversarial Networks

Explanation A. User Experience Design

Learning Algorithms for Medical Image Analysis. Matteo Santoro slipguru

Integrated Mathematics I Performance Level Descriptors

On Modeling Variations for Face Authentication

ISO/IEC INTERNATIONAL STANDARD

ISTQB Advanced Level (CTAL)

UX Research. research methods overview. UX Research research methods overview. KP Ludwig John

Transcription:

Security and Usability Challenges of Moving-Object CAPTCHAs Decoding Codewords in Motion Yi Xu, Gerardo Reynaga, Sonia Chiasson, Jan-Michael Frahm, Fabian Monrose and Paul Van Oorschot 1

2 CAPTCHAs Application of Turing Test to computer security Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) Sometimes called a Reverse Turing Test or Human Interactive Proof CAPTCHAs come in many flavors (text, audio, cognitive, 2D and 3D image, and now motion-based) 2

3 Applications Free email account registration Prevent automated guessing attacks Prevent mining of pseudo-public files Prevent abuse in online voting polls Restrict access in online social networks, multiplayer games, etc Many more... 3

4 Moving-Image Object Recognition (MIOR) CAPTCHAs 4

5 Moving-Image Object Recognition (MIOR) CAPTCHAs Advantage Ease of use Security risks Provides attacker multiple views of the target Temporal information can be used to enhance attacks Relies on cognitive tasks based on object recognition, instead of object classification 5

6 Our Goals Assess the security and usability of this new class of CAPTCHAs: focus on state-of-the-art MIOR by NuCaptcha contrast with new approach based on Emerging Images by Mitra et al., 2009 Security Analysis: explore various attacks and mitigation strategies Usability Analysis: assess usability of existing MIORs and extensions 6

7 Related Work Security: [Yan et al., 07-11] provide a comprehensive treatment of character and image recognition CAPTCHAs and attacks; Similarly, [Bursztein et al., Soupionis et al.] analyze audio CAPTCHAs Usability: [Kluever et al., Bursztein et al., Yan et al.], study usability of both character and audio CAPTCHAs Recently, [Bursztein, 12] discusses a similar technique on his blog to defeat MIOR CAPTCHAs by NuCaptcha 7

8 Assumptions Movement of rigid objects Codewords have their own trajectories Dynamic background with moderate contrast to foreground Number of characters is known in advance Recently shown to be no longer needed 8

9 Naive attack Extract foreground based on color Equally divide the longest horizontal distance Get raw patches 9

10 Naive attack Recognize the derived patches with standard captcha attack method Success Rate: 36.3% for 3 letters (4000 videos) 10

11 Enhanced Attack ❶ tracking Decoding Process ❷ ❸ foreground extraction ❺ feedback segmentation ❹ classification 11

12 ❶ Optical Flow Tracking Extract corners 12

13 ❶ Optical Flow Tracking Connect the corners to trajectories 13

14 ❷ Foreground Extraction Remove background trajectories Find trajectories of foreground letters Infer trajectories of codeword characters 14

15 ❸ Segmentation Increase the number of salient points Group trajectories of each character 15

16 ❹ Classification patches from different frames Derive patches from each frame Rotate to the correct orientation Classify the representative motif Motif 16

17 ❺ Feedback Repeatedly mask most confident guess and then classify remaining patches Guess: A P T 17

18 Evaluation (NuCaptcha) Training: 300 MIOR videos, 1800 patches Testing 200 MIOR videos across 19 backgrounds Attack Strategy Single Character Accuracy 3-Character Accuracy Naive Approach 68.5% (8216/12000) 36.3% (1450/4000) Without Feedback 90.0% (540/600) 75.5% (151/200) With Feedback 90.3% (542/600) 77.0% (154/200) 18

19 Why does the Enhanced Attack work? Temporal information Reveal the foreground Segmentation Feedback loop Optical flow provides temporal information 19

20 Emerging Images as an Alternative MIOR CAPTCHA A synthesis technique to generate images of 3D objects that are detectable by humans, but difficult for an automatic algorithm to recognize Attempts to thwart both optical flow tracking and any segmentation or recognition procedures We implemented our own instantiation of this concept for 2D objects EMERGING IMAGES Niloy J. Mitra, Hung-Kuo Chu, Tong-Yee Lee, Lior Wolf, Hezy Yeshurun, Daniel Cohen-Or, ACM SIGGRAPH ASIA 2009 20

21 Emerging Images independent frames MIOR CAPTCHA 21

22 Evaluation: Emerging Images We applied our attack to 100 Emerging Image MIOR CAPTCHAs, but none succeeded The current attack fails because: no single frame has enough visual cues to help distinguish the characters from the background the codewords have no temporally consistent appearance 22

23 Evaluation At what point should we consider a CAPTCHA to be fundamentally flawed? 1 in 100 success rate for automated programs? 1 in 10? 1 in 5?... Are there natural extensions to NuCaptcha that could easily mitigate these attacks, without impairing usability? How usable is the Emerging Image approach? 23

24 User Study 25 participants, lab-based, within-subjects experimental design 5 variants tested, ordered based on Latin Square for each variant, parameters in MIOR CAPTCHA were set to match the point where our attacks only succeed 5% of the time 10 random challenges per participant, per variant We analyzed participants solutions, time to solve, errors made, and responses to a questionnaire 24

25 Variants Extended attempt to increase MIOR security by increasing length of codeword Overlapping attempt to thwart segmentation Semi-Transparent attempt to thwart foreground extraction 25

26 User Study: Success rates Extended, Overlapping, and Semi-Transparent had significantly lower success rates compared to Standard No statistically significant difference between Standard and Emerging Standard Extended Overlapping Semi-Trans Emerging 26

27 Time to solve Not surprising, Extended approach took the longest time to solve No statistically significant difference found between Standard, Emerging, Semi-Trans and Overlapping Standard Extended Overlapping Semi-Trans Emerging 27

28 User Perception Perception: Was it easy to accurately solve the challenge? Were the challenges easy to understand? Was this CAPTCHA mechanism pleasant to use? Participants completed a Likert-scale questionnaire to collect their opinion and perception of that variant (1 is most negative, 10 is most positive) 28

29 User Perception Users preferred Standard over other variants, although Extended and Emerging variants were viewed as no more difficult to understand than Standard Accuracy Easy to understand Pleasant to use Comparison of Standard, Extended, Overlapping, Transparent and Emerging variants, respectively 29

30 User comments Variant Standard Comments Much easier than traditional captchas Extended Giant Pain in the Butt! Sheer mass of text was overwhelming and I got lost many times Overlapping Letters too bunched several loops needed to decipher Semi- Transparent With some backgrounds I almost didn t realize there were red letters It was almost faded and very time consuming. I think I made more mistakes in this mechanism Emerging It was hideous! Like an early 2000s website. But it did do the job. 30

31 User Study: Summary The Standard variant perceived as the most usable The Extended variant proved extremely difficult and users voiced strong dislike (and outrage!) The Emerging variant performed almost as well as the Standard approach on certain criteria (e.g., time to solve), and it also resisted our current attacks 31

32 Conclusion Current state-of-the-art MIOR CAPTCHAs does not offer adequate security protections Emerging Images concept offers a viable alternative, per today s attacks 32

33 Conclusion Object Recognition Object Classification 33

34 Conclusion Current state-of-the-art MIOR CAPTCHAs does not offer adequate security protections Emerging Images concept offers a viable alternative, per today s attacks MIORs may focus instead on classification tasks or identification of high-level semantics See http://cs.unc.edu/videocaptchas for more info 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback