The art of breaking and designing captchas - RSA … art of breaking and ... Recaptcha 0% 0% Reddit...

Insert presenter logo here on slide master. See hidden slide

4 for directions

Session ID:Session Classification:

Elie BurszteinStanford University

The art of breaking and designing captchas

HT2-402Intermediate

4 for directions 2

3Elie Bursztein (@elie)http://elie.im

World Most-Popular Captchas

Captcha Design Goal

sweet spot

Focus of this talk

How to break and designCAPTCHAs

Based on the analysis of 21 of the most popular schemes

Outline

How to break text captchaHow to break audio captchaHow to make captchas easier for humanWhat’s next ?

Evaluation metrics

AccuracyLearnability

Solving time

4 for directions

How to Break Text-Captchas

Think Lego

Pre-processing: captcha binarizationPre-processing: background removalHow to break a captcha: examplePre-processing: Line detectionPre-processing: Line removalSegmentation: clustering algorithmSegmentation: cluster separationPost-segmentation: inverting rotationRecognition: 3173

Breaker 5 Stages Pipeline

Preprocessing

Segmentation

Post-segmentation

Recognition f a e t e s t

f a s t e s tPost-recognition

Slashdot captcha

From the image to the matrix representation

L1 L2 L3 L4 L5 L6vector

From the matrix representation to the vector representation

vector

DistanceKnown vectors

From the vector representation to the segment value (classification)

Breaker efficiency

Solver accuracy = Coverage * Precision^length

Coverage: Segmentation ratePrecision: Recognition rate

Anti-recognition techniques

Blurring

Distortion

Rotation

Charsets 0123456789

SVM learning rate

KNN learning rate

Anti-recognition taxonomy

Background Confusion

Collapsing

B k d f i21

Breaking World of Warcraft

Breaking Captcha.net

Breaking Wikipedia

Breaking Digg

Breaking Slashdot

Breaking eBay

Failing to break eBay

Breaking Baidu

Segmentation rate

Solving rate

Authorize 84% 66%Baidu 98% 5%Blizzard 75% 70%Captcha.net 96% 73%

CNN 50% 16%Digg 86% 20%eBay 95% 43%Google 0% 0%MegaUpload n/a 93%

NIH 87% 72%Recaptcha 0% 0%Reddit 71% 42%Skyrock 30% 2%Slashdot 52% 35%Wikipedia 57% 25%

Learning rate for real schemes

Building a breaker guidelinesImmediate visual feedbackVisual debuggingAlgorithm independenceExposing algorithm parameters

Decaptcha main interface

Apply design principles

Core design principlesRandomize lengthRandomize character sizeWave the captcha

Use anti-recognition as a means of strengthening captcha securityDon’t use a complex charset

Bad for human (see our research on this)Useless for security

Use collapsing or lines

4 for directions

Designing Better Captchas

Think Lego againDecompose in featuresAnalyze

feature in isolationfeatures interaction

Real vs Generated

Evaluation system

Experiment details

Some of the features tested

Angle of rotation

Collapsing

Character size

Resolution invariant

2D interactions

Length vs Angle interaction

Perception Does Not Match Number

4 for directions

How to Break Audio-Captcha

Audio Captchas

Super secure captcha

CaptchaMaker

Creating Audio Captcha

Noises Voices

Noise intensity (RMS/SNR)

2 9 0 0Microsoft

Authorize

K J 5 H

Sound representation

WAV DFT

Solving an audio captcha

T A R A FR

Dealing with random noiseStatistical learningSupervised learningRLS (Regularized least square) classifier

Semantic noise

Results

Length Coverage Digit Captcha

Authorize 5 100 97 89.2%

Digg 5 100 76 41.4%

eBay 6 85.6 92.5 82.9%

Microsoft 10 80.6 89.6 48.9%

Recaptcha 8 99.9 40.5 1.5%

Yahoo 7 99.1 74.7 45.4%

Recaptcha semantic noise

Confusion matrices

How many captchas do you need ?

Within 3 monthsMake sure you have a strong captcha schemeEnsure that your site is accessible

Within 6 monthsLog your captchas failure rate and monitor themHave a backup captcha scheme in case your scheme is broken

Thank you !

Questions ?

Follow-me !

Thank you

Twitter: @elie

Captcha research: http://elie.im/captcha

The art of breaking and designing captchas - RSA … art of breaking and ... Recaptcha 0% 0% Reddit...

Documents

Transcript of The art of breaking and designing captchas - RSA … art of breaking and ... Recaptcha 0% 0% Reddit...

CDC Models: Breaking up or breaking down?

Breaking the Breaking the Hydro Hydro - - illogical illogical ...

CaseReport Habit Breaking Appliance for Multiple Corrections · Habit Breaking Appliance for Multiple Corrections ... removable habit breaking appliances [15, 16]. Hence, habit breaking

Breaking Free Fear, Part 2 Breaking Free and Brokenness.

Breaking down the walls - PwC · which offered interest through a well-integrated colour scheme, decoration and display also increased engagement.’ 27. Wellbeing ‘Good design

Sustainable development report 2017 - Keltbray · • Bounce Back Breaking Down Barriers Award – Nathan Tate • Considerate Constructor’s Scheme Performance beyond Compliance

Reception Mastery Scheme of Work - · PDF fileReception Mastery Scheme of Work Enjoying mathematics Creating mathematicians Breaking down barriers @GLOWmaths

Paed-Iconoclasm: Breaking the Myths without Breaking Your Patient

Interstellar (adjective): situated or occurring between ...star.edu.af/StarTM/wp-content/uploads/2015/09/Interstellar-No-68.pdf · ber of teachers and students skyrock-eted between

Post-Quantum Cryptography Privacy€¦ · Multivariate Cryptography •Breaking scheme ⇎Solving MQ-Problem-> Not a random instance-> Not NP-hard (there might be easy instances)->

serhidra.comnarrow trench tunnelling primary breaking secondary breaking narrow trench tunnelling primary breaking secondary breaking 1550 11 1800 4 1700 8 1750 5 2050 138 2600 ...

A simple mixing scheme for models that resolve …web.uvic.ca/~jklymak/pdfs/MixingScheme.pdf · A simple mixing scheme for models that resolve breaking internal waves Jody M. Klymak*

Kobe Detail Notebook - PhD Hoops...DIANA TAURASI BREAKING DOWN KLAY THOMPSON 27. BREAKING DOWN STEPH CURRY 28. BREAKING DOWN KYLE LOWRY 29. BREAKING DOWN PASCAL …

Breaking Out or Breaking Down

NEWSLETTER - Rajasthanplan.rajasthan.gov.in/content/dam/planning-portal... · 8. Bhamashah Introduction A path breaking scheme of Financial Inclusion and Women Empowerment, Bhamashah

Breaking In or Breaking Out: Institutions and the ...

Breaking barriers without breaking the bank

Vers un management des `` amis '' sur les réseaux ...€¦ · 1 Vers un management des « amis » sur les réseaux socionumériques ? Usage et appropriation sur Facebook, Skyrock

Developing critical multiliteracies in the primary English ... · Literacy in the Hong Kong primary English Language curriculum Code breaking Text participating PNET scheme: phonics

Breaking news without breaking the infrastructure