Towards Evaluating the Security of Real-World Deployed Image CAPTCHAs

Zhao, Binbin; Weng, Haiqin; Ji, Shouling; Chen, Jianhai; Wang, Ting; He, Qinming; Beyah, Raheem

doi:10.1145/3270101.3270104

Cited by 22 publications

(22 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this work, we conduct a comprehensive security evaluation on FLV using deepfake, which may raise some ethical concerns. Similar to the previous studies about the security of AI-powered systems [33][34][35], we pay special attention to the legal and ethical boundaries. First, we use open-source datasets to conduct deepfake synthesis and security evaluation, which is a legitimate and common practice in face-related security research [29,36].…”

Section: Ethical Considerationmentioning

confidence: 95%

Seeing is Living? Rethinking the Security of Facial Liveness Verification in the Deepfake Era

Li¹,

Wang²,

Ji³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Facial Liveness Verification (FLV) is widely used for identity authentication in many security-sensitive domains and offered as Platform-as-a-Service (PaaS) by leading cloud vendors. Yet, with the rapid advances in synthetic media techniques (e.g., deepfake), the security of FLV is facing unprecedented challenges, about which little is known thus far.To bridge this gap, in this paper, we conduct the first systematic study on the security of FLV in real-world settings. Specifically, we present LiveBugger, a new deepfake-powered attack framework that enables customizable, automated security evaluation of FLV. Leveraging LiveBugger, we perform a comprehensive empirical assessment of representative FLV platforms, leading to a set of interesting findings. For instance, most FLV APIs do not use anti-deepfake detection; even for those with such defenses, their effectiveness is concerning (e.g., it may detect high-quality synthesized videos but fail to detect low-quality ones). We then conduct an in-depth analysis of the factors impacting the attack performance of LiveBugger: a) the bias (e.g., gender or race) in FLV can be exploited to select victims; b) adversarial training makes deepfake more effective to bypass FLV; c) the input quality has a varying influence on different deepfake techniques to bypass FLV. Based on these findings, we propose a customized, two-stage approach that can boost the attack success rate by up to 70%. Further, we run proof-of-concept attacks on several representative applications of FLV (i.e., the clients

show abstract

Section: Ethical Considerationmentioning

confidence: 95%

Seeing is Living? Rethinking the Security of Facial Liveness Verification in the Deepfake Era

Li¹,

Wang²,

Ji³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…In addition, GEETest and Netease [138] ask the users to solve a sliding image-based CAPTCHA similar to Tencent CAPTCHA. In detail, the users need to complete an image by dragging the slider to match two puzzle pieces (one reflecting the missing part of the image, the other the correct position in the image).…”

Section: Behavior-based Captchasmentioning

confidence: 99%

“…Sivakorn et al [115] have successfully attacked both Google and Facebook image-based CAPTCHA with success rates of 70.78% and 83.5%, respectively. In [138], the authors broke the new and the old variation of reCAPTCHA V2 with 79% and 88% success rates, respectively. Furthermore, they broke the Facebook image CAPTCHA and the China Railway CAPTCHA with success rates of 86% and 90%, respectively.…”

Section: Attacks Against Image-based Captchamentioning

confidence: 99%

Gotta CAPTCHA 'Em All: A Survey of Twenty years of the Human-or-Computer Dilemma

Guerar,

Verderame,

Migliardi

et al. 2021

Preprint

View full text Add to dashboard Cite

A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [100]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, etc. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel and financial services. One of the most common defense mechanisms against bots abusing online services is the introduction of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), so it is extremely important to understand which CAPTCHA schemes have been designed and their actual effectiveness against the ever-evolving bots. To this end, this work provides an overview of the current state-of-the-art in the field of CAPTCHA schemes and defines a new classification that includes all the emerging schemes. In addition, for each identified CAPTCHA category, the most successful attack methods are summarized by also describing how CAPTCHA schemes evolved to resist bot attacks, and discussing the limitations of different CAPTCHA schemes from the security, usability and compatibility point of view. Finally, an assessment of the open issues, challenges, and opportunities for further study is provided, paving the road toward the design of the next-generation secure and user-friendly CAPTCHA schemes. CCS Concepts: • Security and privacy → Authentication; Graphical / visual passwords.

show abstract

“…Zhao et al. [28] conducted a systematic study on the security of image CAPTCHAs in the wild. Wang et al.…”

Section: The Exploration In Click‐based Schemesmentioning

confidence: 99%

A deep learning‐based attack on text CAPTCHAs by using object detection techniques

Nian

Wang

Gao

et al. 2021

IET Information Security

View full text Add to dashboard Cite

Text‐based CAPTCHAs have been widely deployed by many popular websites, and many have been attacked. However, most previous cracks were based on classification algorithms that typically rely on a series of preprocessing operations or on many training samples, thus making such attacks complicated and costly. In this study, a simple, generic, fast and end‐to‐end attack based on advanced object detection technologies is introduced. The proposed attack combines a feature extraction module, a character location and recognition module and a coordinate matching module. The experiments show that the attack can break a wide range of real‐world text CAPTCHAs deployed by the 50 most popular websites on http://Alexa.com and that the method achieves a high attack accuracy with only 2000 samples at an attack speed of less than 0.10 s. The attack was also evaluated on four click‐based CAPTCHAs that cannot be attacked in the end‐to‐end manner used by previous attacks, and the results demonstrated that within one step, the proposed approach achieves high success rates on both click‐based CAPTCHAs and schemes based on large‐scale character sets, such as Chinese character sets.

show abstract

Towards Evaluating the Security of Real-World Deployed Image CAPTCHAs

Cited by 22 publications

References 16 publications

Seeing is Living? Rethinking the Security of Facial Liveness Verification in the Deepfake Era

Seeing is Living? Rethinking the Security of Facial Liveness Verification in the Deepfake Era

Gotta CAPTCHA 'Em All: A Survey of Twenty years of the Human-or-Computer Dilemma

A deep learning‐based attack on text CAPTCHAs by using object detection techniques

Contact Info

Product

Resources

About