Usability of CAPTCHAs Or usability issues in CAPTCHA

Usability of CAPTCHAs Or “usability issues in CAPTCHA design” Jeff Yan School of Computing Science Newcastle University, UK (Joint work with Ahmad Salah El Ahmad)

Apology 2 nd time to miss SOUPS … nth (n > 2) time to be unable to present my paper … o All due to the same problem: o o n A US visit visa! (started my application in April, I’ve not heard its result yet …) SOUPS’ 08 (CMU, July 2008) 2

n SOUPS’ 08 (CMU, July 2008) Does this man look like a terrorist? ! ; -) 3

CAPTCHA o Why was it invented? n n o Automated Turing tests n o Ask any CMU people, or read the cartoon that computers cannot pass, but human can Almost standard security technology (e. g. for antispam) n widespread application on commercial websites SOUPS’ 08 (CMU, July 2008) 4

Main CAPTCHAs o Text-based schemes n n o Sound-based schemes n o typically require users to solve a text recognition task the most widely deployed typically require users to solve a speech recognition task. Image-based schemes n n typically require users to perform an image recognition task Example: Microsoft’s Assira SOUPS’ 08 (CMU, July 2008) 5

This paper is about understanding how to design usable and robust CAPTCHAs, with a focus on usability

o Isn’t that … CAPTCHAs with poor usability should not exist by definition? n n Yes, but … still many deployed CAPTCHAs, including famous ones, are not that usable … SOUPS’ 08 (CMU, July 2008) 7

o How about robustness? n n When necessary, it will be covered However, our major attacks are discussed in somewhere else o o Low-cost attacks on schemes by Microsoft, Yahoo and Google (CCS’ 08, to appear) The pixel count attack (ACSAC’ 07) n Breaking CAPTCHAs by counting the number of pixels! SOUPS’ 08 (CMU, July 2008) 8

A framework for CAPTCHA usability o Distortion n o Content n o distortion techniques employed and their impact on usability. content embedded in CAPTCHA challenges and their impact on usability o e. g. how the content should be organized? Presentation n the way that CAPTCHA challenges are presented and impact on usability. SOUPS’ 08 (CMU, July 2008) 9

Distortion | confusing characters o o Well-known that under common distortions, characters such as 1 and l, o and 0, 5 and s, would cause confusion To be secure (or resistant to segmentation attacks), Google and Yahoo CAPTCHAs introduced new confusing characters n n n vv or w? cl or d? rn or m? SOUPS’ 08 (CMU, July 2008) rm or nn? cm or an? nn or m? … 10

Distortion | confusing characters o ~6% challenges in Google CAPTCHA, and ~10% in the latest Yahoo scheme (rolled out since Mar 2008) were observed to have such confusing characters. SOUPS’ 08 (CMU, July 2008) 11

Content | string length o o A design issue: string length predictable or not? Case study: n Microsoft CAPTCHA used a fixed length of 8 characters, which helped its usability The first object is “ 7”? The first object is “L”? With the length info, users can be pretty sure that the first objects in the above examples are noise. SOUPS’ 08 (CMU, July 2008) 12

Content | string length o However, the length info also helped our automated segmentation attack (success rate: >92%) n Our program knows when to stop! Start point SOUPS’ 08 (CMU, July 2008) Stop: identified 8 chars already 13

Presentation | the use of colour o o Using colour is common practice in CAPTCHA design (for all sorts of reasons) However, we have seen many cases in which the use of colour n n n is unhelpful for usability has caused negative impact on security, or is problematic in terms of both usability and security SOUPS’ 08 (CMU, July 2008) 14

Presentation | the use of colour o Case 1: Gimpy-r (a well-known early scheme) How human see it SOUPS’ 08 (CMU, July 2008) How machines see it 15

Presentation | the use of colour Case 1: Gimpy-r o Dominant colour of distorted text (often black) is distinguishable: n n easy to extract the text colour background: n n SOUPS’ 08 (CMU, July 2008) always the lowest intensity, and never appeared in the background No much use in terms of security negative effect in usability (e. g. confusing people) 16

Presentation | the use of colour o Case 2: Bot. Block How human see it SOUPS’ 08 (CMU, July 2008) How machines see it 17

Presentation | the use of colour Case 2: Bot. Block o o sophisticated colour management providing resistance to OCR However, the misuse of colour: n texts have distinguishable colour patterns o n the same colour foreground occurs repetitively. easy to extract text automatically Negative effect on usability and false sense of security. SOUPS’ 08 (CMU, July 2008) 18

Presentation | the use of colour o It seems that the “Las Vegas effect” also applies to CAPTCHA design n o No colour might be better than too much colour Major CAPTCHAs started to avoid using fancy colour management, including n n Microsoft Yahoo Google re. CAPTCHA SOUPS’ 08 (CMU, July 2008) 19

The framework: applied to text CAPTCHAs Category Usability issue Distortion method and level Distortion Confusing characters Friendly to foreigners? Character set Content String length How long? Predictable or not? Random string or dictionary word? Offensive word Font type and size Presentation Image size Use of color Integration with web pages SOUPS’ 08 (CMU, July 2008) 20

The framework o o Inspired by text-based CAPTCHAs Applicable to sound-based schemes n o Details see our paper also applicable to image-based schemes (e. g. IMAGINATION) n for schemes such as Assira and Bongo, in which distortion is absent, only the dimensions of content and presentation will apply. SOUPS’ 08 (CMU, July 2008) 21

Summary o o First attempt towards a systematic analysis of usability issues in CAPTCHA design (in particular, text-based schemes) Proposed a simple but novel framework, which accommodates both n n o novel issues we have identified, and known issues scattered in the literature The framework is applicable to text, sound and (some) image based CAPTCHAs. SOUPS’ 08 (CMU, July 2008) 22