survey

Gotta CAPTCHA ’Em All: A Survey of 20 Years of the Human-or-computer Dilemma

Authors:

Luca Verderame,

Mauro Migliardi,

Francesco Palmieri,

Alessio MerloAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 54, Issue 9

Article No.: 192, Pages 1 - 33

https://doi.org/10.1145/3477142

Published: 08 October 2021 Publication History

Abstract

A recent study has found that malicious bots generated nearly a quarter of overall website traffic in 2019 [102]. These malicious bots perform activities such as price and content scraping, account creation and takeover, credit card fraud, denial of service, and so on. Thus, they represent a serious threat to all businesses in general, but are especially troublesome for e-commerce, travel, and financial services. One of the most common defense mechanisms against bots abusing online services is the introduction of Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), so it is extremely important to understand which CAPTCHA schemes have been designed and their actual effectiveness against the ever-evolving bots. To this end, this work provides an overview of the current state-of-the-art in the field of CAPTCHA schemes and defines a new classification that includes all the emerging schemes. In addition, for each identified CAPTCHA category, the most successful attack methods are summarized by also describing how CAPTCHA schemes evolved to resist bot attacks, and discussing the limitations of different CAPTCHA schemes from the security, usability, and compatibility point of view. Finally, an assessment of the open issues, challenges, and opportunities for further study is provided, paving the road toward the design of the next-generation secure and user-friendly CAPTCHA schemes.

References

[1]

josscrowcroft.com. 2011. MotionCAPTCHA v0.2, Stop Spam, Draw Shapes. Retrieved from http://www.josscrowcroft.com/demos/motioncaptcha/.

[2]

E. Ababtain and D. Engels. 2019. Gestures based CAPTCHAs the use of sensor readings to solve CAPTCHA challenge on Smartphones. In International Conference on Computational Science and Computational Intelligence (CSCI’19). 113–119.

[3]

Alejandro Acien, Aythami Morales, Julian Fiérrez, and Rubén Vera-Rodriguez. 2020. BeCAPTCHA-Mouse: Synthetic mouse trajectories and improved bot detection. ArXiv abs/2005.00890 (2020).

[4]

Alejandro Acien, Aythami Morales, Julian Fierrez, Ruben Vera-Rodriguez, and Ivan Bartolome. 2020. Be-CAPTCHA: Detecting human behavior in smartphone interaction using multiple inbuilt sensors. In AAAI Workshop on Artificial for Cyber Security (AICS’20).

[5]

Ismail Akrout, Amal Feriani, and Mohamed Akrout. 2019. Hacking Google reCAPTCHA v3 using reinforcement learning. ArXiv abs/1903.01003 (2019).

[6]

Henry S. Baird and Jon L. Bentley. 2005. Implicit CAPTCHAs. In Document Recognition and Retrieval XII, Elisa H. Barney Smith and Kazem Taghva (Eds.), Vol. 5676. International Society for Optics and Photonics, SPIE, 191–196.

[7]

M. Tariq Banday and Nisar A. Shah. 2011. A study of CAPTCHAs for securing web services. arXiv preprint arXiv:1112.5605 (2011).

[8]

Jeffrey P. Bigham and Anna C. Cavender. 2009. Evaluating existing audio CAPTCHAs and an interface optimized for non-visual use. In SIGCHI Conference on Human Factors in Computing Systems (CHI’09). Association for Computing Machinery, New York, NY, 1829–1838.

[9]

Kevin Bock, Daven Patel, George Hughey, and Dave Levin. 2017. UnCaptcha: A low-resource defeat of Recaptcha’s audio challenge. In 11th USENIX Conference on Offensive Technologies (WOOT’17). USENIX Association, 7.

[10]

Brave. 2019. zkSENSE: A privacy-preserving mechanism for bot detection in mobile devices. Retrieved from https://brave.com/zksense-a-privacy-preserving-mechanism-for-bot-detection-in-mobile-devices/.

[11]

Darko Brodić and Alessia Amelio. 2020. Types of CAPTCHA. Springer International Publishing, Cham, 29–32.

[12]

Darko Brodic and Alessia Amelio. 2019. Exploring the usability of the text-based CAPTCHA on tablet computers. Connect. Sci. 31, 4 (2019), 430–444.

[13]

Elie Bursztein. 2012. How we broke the NuCaptcha video scheme and what we propose to fix it. Retrieved from https://elie.net/blog/security/how-we-broke-the-nucaptcha-video-scheme-and-what-we-propose-to-fix-it/.

[14]

E. Bursztein, R. Beauxis, H. Paskov, D. Perito, C. Fabry, and J. Mitchell. 2011. The failure of noise-based non-continuous audio Captchas. In IEEE Symposium on Security and Privacy. 19–31.

[15]

Elie Bursztein and Steven Bethard. 2009. Decaptcha: Breaking 75% of eBay audio CAPTCHAs. In 3rd USENIX Conference on Offensive Technologies. USENIX Association.

[16]

Elie Bursztein, Matthieu Martin, and John Mitchell. 2011. Text-based CAPTCHA strengths and weaknesses. In 18th ACM Conference on Computer and Communications Security (CCS’11). Association for Computing Machinery, New York, NY, 125–138.

Digital Library

[17]

Capy Inc.2018. Capy Puzzle CAPTCHA. Retrieved from https://www.capy.me/products/puzzle_captcha/.

[18]

Kumar Chellapilla, Kevin Larson, Patrice Simard, and Mary Czerwinski. 2005. Computers beat humans at single character recognition in reading based human interaction proofs (HIPs). In 2nd Conference on Email and Anti-Spam.

[19]

Kumar Chellapilla, Kevin Larson, Patrice Y. Simard, and Mary Czerwinski. 2005. Building segmentation based human-friendly human interaction proofs (HIPs). In Human Interactive Proofs, Henry S. Baird and Daniel P. Lopresti (Eds.). Springer Berlin, 1–26.

[20]

Kumar Chellapilla and Patrice Y. Simard. 2004. Using machine learning to break visual human interaction proofs (HIPs). In 17th International Conference on Neural Information Processing Systems (NIPS’04). The MIT Press, Cambridge, MA, 265–272.

[21]

J. Chen, Xiangyang Luo, Yanqing Guo, Y. Zhang, and Daofu Gong. 2017. A survey on breaking technique of text-based CAPTCHA. Secur. Commun. Netw. 2017 (2017), 6898617:1–6898617:15.

[22]

B. Cheung. 2012. Convolutional neural networks applied to human face classification. In 11th International Conference on Machine Learning and Applications. 580–583.

Digital Library

[23]

Monica Chew and Henry S. Baird. 2003. BaffleText: a human interactive proof. In Document Recognition and Retrieval X, Tapas Kanungo, Elisa H. Barney Smith, Jianying Hu, and Paul B. Kantor (Eds.), Vol. 5010. International Society for Optics and Photonics, SPIE, 305–316.

[24]

Monica Chew and J. D. Tygar. 2004. Image recognition CAPTCHAs. In Information Security, Kan Zhang and Yuliang Zheng (Eds.). Springer Berlin, 268–279.

[25]

Richard Chow, Philippe Golle, Markus Jakobsson, Lusha Wang, and XiaoFeng Wang. 2008. Making CAPTCHAs clickable. In 9th Workshop on Mobile Computing Systems and Applications (HotMobile’08). Association for Computing Machinery, New York, NY, 91–94.

Digital Library

[26]

Yang-Wai Chow, Willy Susilo, and Pairat Thorncharoensri. 2019. CAPTCHA Design and Security Issues. Springer Singapore, 69–92.

[27]

Mauro Conti, Claudio Guarisco, and Riccardo Spolaor. 2016. CAPTCHaStar! A novel CAPTCHA based on interactive shape discovery. In Applied Cryptography and Network Security, Mark Manulis, Ahmad-Reza Sadeghi, and Steve Schneider (Eds.). Springer International Publishing, Cham, 611–628.

[28]

J. Cui, J. Mei, X. Wang, D. Zhang, and W. Zhang. 2009. A CAPTCHA implementation based on 3D animation. In International Conference on Multimedia Information Networking and Security. 179–182.

[29]

Corey Cummings. 2012. PlayThru: A Gaming Alternative to CAPTCHA Bot Checks. Retrieved from https://techli.com/playthru-captcha-alternative/30109/.

[30]

dice-captcha.com. 2010. Dice CAPTCHA. Retrieved from http://dice-captcha.com/demo-dice-captcha.php.

[31]

Dracon Projects. 2006. Dracon Visual Flash CAPTCHA. Retrieved from https://www.dracon.biz/captcha.php.

[32]

drdre1. 2016. Sweet CAPTCHA solver. Retrieved from https://github.com/drdre1/Adultddl-Sweet-Captcha-Solver.

[33]

D. D’Souza, P. C. Polina, and R. V. Yampolskiy. 2012. Avatar CAPTCHA: Telling computers and humans apart via face classification. In IEEE International Conference on Electro/Information Technology. 1–6.

[34]

Ahmad Salah El Ahmad, Jeff Yan, and Lindsay Marshall. 2010. The robustness of a new CAPTCHA. In 3rd European Workshop on System Security (EUROSEC’10). Association for Computing Machinery, New York, NY, 36–41.

Digital Library

[35]

Jeremy Elson, John R Douceur, Jon Howell, and Jared Saul. 2007. Asirra: A CAPTCHA that exploits interest-aligned manual image categorization. In 14th ACM Conference on Computer and Communications Security (CCS’07). Association for Computing Machinery, New York, NY, 366–374.

[36]

Yunhe Feng, Qing Cao, Hairong Qi, and Scott Ruoti. 2020. SenCAPTCHA: A mobile-first CAPTCHA using orientation sensors. In ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies Conference. 1–26.

[37]

Diogo Daniel Ferreira, Luís Leira, Petya Mihaylova, and Petia Georgieva. 2019. Breaking text-based CAPTCHA with sparse convolutional neural networks. In Pattern Recognition and Image Analysis, Aythami Morales, Julian Fierrez, José Salvador Sánchez, and Bernardete Ribeiro (Eds.). Springer International Publishing, Cham, 404–415.

[38]

I. Fischer and T. Herfet. 2006. Visual CAPTCHAs for document authentication. In IEEE Workshop on Multimedia Signal Processing. 471–474.

[39]

Brandon Z. Frank and Joseph A. Latone. 2018. Verifying a user utilizing gyroscopic movement. Retrieved from http://www.freepatentsonline.com/9942768.html. Patent 9942768.

[40]

Christoph Fritsch, Michael Netter, Andreas Reisser, and Günther Pernul. 2010. Attacking image recognition Captchas. In Trust, Privacy and Security in Digital Business, Sokratis Katsikas, Javier Lopez, and Miguel Soriano (Eds.). Springer Berlin, 13–25.

[41]

H. Gao, L. Lei, X. Zhou, J. Li, and X. Liu. 2015. The robustness of face-based CAPTCHAs. In IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing. 2248–2255.

[42]

Haichang Gao, Wei Wang, Jiao Qi, Xuqin Wang, Xiyang Liu, and Jeff Yan. 2013. The robustness of hollow CAPTCHAs. In ACM SIGSAC Conference on Computer & Communications Security (CCS’13). Association for Computing Machinery, New York, NY, 1075–1086.

Digital Library

[43]

H. Gao, J. Yan, Fang Cao, Zhengya Zhang, Lei Lei, Mengyun Tang, P. Zhang, X. Zhou, Xuqin Wang, and J. Li. 2016. A simple generic attack on text captchas. In Network and Distributed System Security Symposium.

[44]

H. Gao, D. Yao, H. Liu, X. Liu, and L. Wang. 2010. A novel image based CAPTCHA using jigsaw puzzle. In 13th IEEE International Conference on Computational Science and Engineering. 351–356.

[45]

Philippe Golle. 2008. Machine learning attacks against the Asirra CAPTCHA. In 15th ACM Conference on Computer and Communications Security (CCS’08). Association for Computing Machinery, New York, NY, 535–542.

Digital Library

[46]

Ian J. Goodfellow, Yaroslav Bulatov, Julian Ibarz, Sacha Arnoud, and Vinay D. Shet. 2014. Multi-digit number recognition from street view imagery using deep convolutional neural networks. CoRR abs/1312.6082 (2014).

[47]

Google. [n.d.]. Choosing the type of reCAPTCHA. Retrieved on 25 August, 2021 from https://developers.google.com/recaptcha/docs/versions.

[48]

Rich Gossweiler, Maryam Kamvar, and Shumeet Baluja. 2009. What’s up CAPTCHA? A CAPTCHA based on image orientation. In 18th International Conference on World Wide Web (WWW’09). Association for Computing Machinery, New York, NY, 841–850.

[49]

Gaurav Goswami, Brian Powell, Mayank Vatsa, Richa Singh, and Afzel Noore. 2014. FaceDCAPTCHA: Face detection based color image CAPTCHA. Fut. Gen. Comput. Syst.ems 31 (2014), 59–68.

Digital Library

[50]

Gaurav Goswami, Brian M. Powell, Mayank Vatsa, Richa Singh, and Afzel Noore. 2014. FR-CAPTCHA: CAPTCHA based on recognizing human faces. PLoS ONE 9 (2014).

[51]

Thomas Gougeon and Patrick Lacharme. 2018. How to break CAPTSHaStar. In International Conference on Information Systems Security and Privacy.

[52]

Meriem Guerar, Alessio Merlo, and Mauro Migliardi. 2018. Completely automated public physical test to tell computers and humans apart: A usability study on mobile devices. Fut. Gen. Comput. Syst. 82 (2018), 617–630.

[53]

Meriem Guerar, Alessio Merlo, Mauro Migliardi, and Francesco Palmieri. 2018. Invisible CAPPCHA: A usable mechanism to distinguish between malware and humans on the mobile IoT. Comput. Secur. 78 (2018), 255–266.

[54]

M. Guerar, M. Migliardi, A. Merlo, M. Benmohammed, and B. Messabih. 2015. A completely automatic public physical test to tell computers and humans apart: A way to enhance authentication schemes in mobile devices. In International Conference on High Performance Computing Simulation (HPCS’15). 203–210.

[55]

M. Guerar, M. Migliardi, A. Merlo, M. Benmohammed, F. Palmieri, and A. Castiglione. 2018. Using screen brightness to improve security in mobile social network access. IEEE Trans. Depend. Sec. Comput. 15, 4 (2018), 621–632.

[56]

Meriem Guerar, Mauro Migliardi, Francesco Palmieri, Luca Verderame, and Alessio Merlo. 2020. Securing PIN-based authentication in smartwatches with just two gestures. Concurr. Comput.: Pract. Exper. 32, 18 (2020), e5549.

[57]

Meriem Guerar, Benmohammed Mohamed, and Vincent Alimi. 2016. Color wheel pin: Usable and resilient ATM authentication. J. High Speed Netw. 22 (06 2016), 231–240.

[58]

Meriem Guerar, Luca Verderame, Alessio Merlo, Francesco Palmieri, Mauro Migliardi, and Luca Vallerini. 2020. CirclePIN: A novel authentication mechanism for smartwatches to prevent unauthorized access to IoT devices. ACM Trans. Cyber-Phys. Syst. 4, 3 (Mar. 2020).

Digital Library

[59]

M. Guerar, L. Verderame, M. Migliardi, and A. Merlo. 2019. 2GesturePIN: Securing PIN-Based authentication on smartwatches. In IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE’19). 327–333.

[60]

F. A. B. Hamid Ali and F. B. Karim. 2014. Development of CAPTCHA system based on puzzle. In International Conference on Computer, Communications, and Control Technology (I4CT’14). 426–428.

[61]

Carlos Javier Hernandez-Castro and Arturo Ribagorda. 2010. Pitfalls in CAPTCHA design and implementation: The Math CAPTCHA, a case study. Comput. Secur. 29, 1 (2010), 141–157.

Digital Library

[62]

C. J. Hernandez-Castro, A. Ribagorda, and Y. Saez. 2010. Side-channel attack on the HumanAuth CAPTCHA. In International Conference on Security and Cryptography (SECRYPT’10). 1–7.

[63]

Carlos Javier Hernández-Castro, Shujun Li, and María D. R-Moreno. 2020. All about uncertainties and traps: Statistical oracle-based attacks on a new CAPTCHA protection against oracle attacks. Comput. Secur. 92 (2020), 101758.

[64]

C. J. Hernández-Castro, M. D. R-Moreno, and D. F. Barrero. 2015. Using JPEG to measure image continuity and break capy and other puzzle CAPTCHAs. IEEE Internet Comput. 19, 6 (2015), 46–53.

Digital Library

[65]

D. Hitaj, B. Hitaj, S. Jajodia, and L. V. Mancini. 2020. Capture the bot: Using adversarial examples to improve CAPTCHA robustness to bot attacks. IEEE Intell. Syst. (2020), 1–1.

[66]

Thomas Hupperich, Katharina Krombholz, and Thorsten Holz. 2016. Sensor Captchas: On the usability of instrumenting hardware sensors to prove liveliness. In Trust and Trustworthy Computing, Michael Franz and Panos Papadimitratos (Eds.). Springer International Publishing, Cham, 40–59.

[67]

Imperva. 2020. 2020 Bad Bot Report. Retrieved from https://www.imperva.com/resources/reports/Imperva_BadBot_Report_V2.0.pdf.

[68]

M. Imsamai and S. Phimoltares. 2010. 3D CAPTCHA: A next generation of the CAPTCHA. In International Conference on Information Science and Applications. 1–8.

[69]

J. W. Andrews. 2013. Breaking the MintEye image CAPTCHA in 23 lines of Python. Retrieved from http://www.jwandrews.co.uk/2013/01/breaking-the-minteye-image-captcha-in-23-lines-of-python/.

[70]

Mohit Jain, Rohun Tripathi, Ishita Bhansali, and Pratyush Kumar. 2019. Automatic generation and evaluation of usable and secure audio ReCAPTCHA. In 21st International ACM SIGACCESS Conference on Computers and Accessibility (ASSETS’19). Association for Computing Machinery, New York, NY, 355–366.

Digital Library

[71]

KeyCAPTCHA Inc.2010. KeyCAPTCHA. Retrieved from https://www.keycaptcha.com/.

[72]

Suzi Kim and Sunghee Choi. 2019. DotCHA: A 3D text-based scatter-type CAPTCHA. In Web Engineering, Maxim Bakaev, Flavius Frasincar, and In-Young Ko (Eds.). Springer International Publishing, Cham, 238–252.

[73]

Kurt Alfred Kluever and Richard Zanibbi. 2009. Balancing usability and security in a video CAPTCHA. In 5th Symposium on Usable Privacy and Security (SOUPS’09). Association for Computing Machinery, New York, NY.

Digital Library

[74]

S. Kulkarni and H. S. Fadewar. 2017. Pedometric CAPTCHA for mobile Internet users. In 2nd IEEE International Conference on Recent Trends in Electronics, Information Communication Technology (RTEICT’17). 600–604.

[75]

Ching-Jung Liao, Chang-Ju Yang, Jin-Tan Yang, Hsiang-Yang Hsu, and Jhih-Wei Liu. 2013. A game and accelerometer-based CAPTCHA scheme for mobile learning system. In Proceedings of EdMedia + Innovate Learning 2013, Jan Herrington, Alec Couros, and Valerie Irvine (Eds.). Association for the Advancement of Computing in Education (AACE), Victoria, Canada, 1385–1390. Retrieved from https://www.learntechlib.org/p/112139.

[76]

Mark D. Lillibridge, Martin Abadi, Krishna Bharat, and Andrei Broder. 2001. Method for selectively restricting access to computer systems. Retrieved from http://www.freepatentsonline.com/6195698.html. Patent 6195698.

[77]

Rosa Lin, Shih-Yu Huang, Graeme B. Bell, and Yeuan-Kuen Lee. 2011. A new CAPTCHA interface design for mobile devices. In 12th Australasian User Interface Conference (AUIC’11). Australian Computer Society, Inc., AUS, 3–8.

[78]

Viraj C. Mantri and Prateek Mehrotra. 2018. User authentication based on physical movement information. Retrieved from http://www.freepatentsonline.com/9864854.html. Patent 9864854.

[79]

Sergi Isasi Matthew Prince. 2020. Moving from reCAPTCHA to hCaptcha. Retrieved from https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/.

[80]

Manar Mohamed, Niharika Sachdeva, Michael Georgescu, Song Gao, Nitesh Saxena, Chengcui Zhang, Ponnurangam Kumaraguru, Paul C. van Oorschot, and Wei-Bang Chen. 2014. A three-way investigation of a game-CAPTCHA: Automated attacks, relay attacks and usability. In 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS’14). Association for Computing Machinery, New York, NY, 195–206.

Digital Library

[81]

Manar Mohamed and Nitesh Saxena. 2016. Gametrics: Towards attack-resilient behavioral authentication with simple cognitive games. 32nd Annual Conference on Computer Security Applications.

Digital Library

[82]

M. Mohamed, B. Shrestha, and N. Saxena. 2017. SMASheD: Sniffing and manipulating Android sensor data for offensive purposes. IEEE Trans. Inf. Forens. Secur. 12, 4 (2017), 901–913.

[83]

G. Mori and J. Malik. 2003. Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA. In IEEE Computer Society Conference on Computer Vision and Pattern Recognition.

[84]

G. Moy, N. Jones, C. Harkless, and R. Potter. 2004. Distortion estimation techniques in solving visual CAPTCHAs. In IEEE Computer Society Conference on Computer Vision and Pattern Recognition.

[85]

Dongbin Na, Namgyu Park, Sangwoo Ji, and Jong Kim. 2020. CAPTCHAs are still in danger: An efficient scheme to bypass adversarial CAPTCHAs. In Information Security Applications, Ilsun You (Ed.). Springer International Publishing, Cham, 31–44.

[86]

Rabih Al Nachar, Elie Inaty, Patrick J. Bonnin, and Yasser Alayli. 2015. Breaking down Captcha using edge corners and fuzzy logic segmentation/recognition technique. Secur. Commun. Netw. 8, 18 (2015), 3995–4012.

Digital Library

[87]

Moni Naor. 1996. Verification of a human in the loop or identification via the Turing test. Retrieved from http://www.wisdom.weizmann.ac.il/~naor/PAPERS/humanabs.html.

[88]

Anja B. Naumann, Thomas Franke, and Christian Bauckhage. 2009. Investigating CAPTCHAs based on visual phenomena. In Human-Computer Interaction–INTERACT 2009, Tom Gross, Jan Gulliksen, Paula Kotzé, Lars Oestreicher, Philippe Palanque, Raquel Oliveira Prates, and Marco Winckler (Eds.). Springer Berlin, 745–748.

Digital Library

[89]

Neo. 2006. Blog post, [HumanAuth] Verification code for natural patterns. Retrieved from http://www.neo.com.tw/archives/965.

[90]

Vu Duc Nguyen, Yang-Wai Chow, and Willy Susilo. 2012. Attacking animated CAPTCHAs via character extraction. In Cryptology and Network Security, Josef Pieprzyk, Ahmad-Reza Sadeghi, and Mark Manulis (Eds.). Springer Berlin, 98–113.

[91]

Vu Duc Nguyen, Yang-Wai Chow, and Willy Susilo. 2012. Breaking a 3D-based CAPTCHA scheme. In Conference on Information Security and Cryptology, Howon Kim (Ed.). Springer Berlin, 391–405.

Digital Library

[92]

Vu Duc Nguyen, Yang-Wai Chow, and Willy Susilo. 2012. Breaking an Animated CAPTCHA Scheme. In Applied Cryptography and Network Security, Feng Bao, Pierangela Samarati, and Jianying Zhou (Eds.). Springer Berlin, 12–29.

[93]

Vu Duc Nguyen, Yang-Wai Chow, and Willy Susilo. 2014. On the security of text-based 3D CAPTCHAs. Comput. Secur. 45 (2014), 84–99.

Digital Library

[94]

NuCaptcha Inc.2018. NuCaptcha. Retrieved from https://www.nucaptcha.com.

[95]

OCR Research Team. 2006. Teabag 3D evolution. Retrieved from https://ocr-research.org.ua/teabag.html.

[96]

Marek R. Ogiela, Natalia Krzyworzeka, and Lidia Ogiela. 2018. Application of knowledge-based cognitive CAPTCHA in Cloud of Things security. Concurr. Comput.: Pract. Exper. 30, 21 (2018), e4769.

[97]

M. Okada and S. Matsuyama. 2012. New CAPTCHA for smartphones and tablet PC. In IEEE Consumer Communications and Networking Conference (CCNC’12). 34–35.

[98]

M. Osadchy, J. Hernandez-Castro, S. Gibson, O. Dunkelman, and D. Pérez-Cabo. 2017. No bot expects the DeepCAPTCHA! introducing immutable adversarial examples, with applications to CAPTCHA generation. IEEE Trans. Inf. Forens. Secur. 12, 11 (2017), 2640–2653.

Digital Library

[99]

Nancy Owano. 2012. Phys.org Blog post, Minteye offers no-type CAPTCHA as a security twist. Retrieved from https://phys.org/news/2012-12-minteye-no-type-captcha.html.

[100]

Stefan Popoveniuc. 2010. SpeakUp: remote unsupervised voting. In Industrial Track Applied Cryptography and Network Security.

[101]

Program Product. 2010. HelloCAPTCHA. Retrieved from http://www.hellocaptcha.com/.

[102]

Radware. 2020. The Big Bad Bot Problem 2020. Retrieved on 25 august, 2021 from https://blog.radware.com/wp-content/uploads/2020/03/Radware_Bot_Manager_The_Big_Bad_Bot_Problem_2020_Report.pdf.

[103]

Steven Rees-Pullman. 2020. Is credential stuffing the new phishing?Comput. Fraud Secur. 2020, 7 (2020), 16–19.

[104]

Narges Roshanbin and James Miller. 2013. A survey and analysis of current CAPTCHA approaches. J. Web Eng. 12, 1–2 (Feb. 2013), 1–40.

Digital Library

[105]

C. Rui, Y. Jing, H. Rong-gui, and H. Shu-guang. 2013. A novel LSTM-RNN decoding algorithm in CAPTCHA recognition. In 3rd International Conference on Instrumentation, Measurement, Computer, Communication and Control. 766–771.

[106]

A. Rusu and V. Govindaraju. 2004. Handwritten CAPTCHA: Using the difference in the abilities of humans and machines in reading handwritten words. In 9th International Workshop on Frontiers in Handwriting Recognition. 226–231.

Digital Library

[107]

Amalia Rusu and Venu Govindaraju. 2005. Visual CAPTCHA with handwritten image analysis. In Human Interactive Proofs, Henry S. Baird and Daniel P. Lopresti (Eds.). Springer Berlin, 42–52.

[108]

Shotaro Sano, Takuma Otsuka, and Hiroshi G. Okuno. 2013. Solving Google’s continuous audio CAPTCHA with HMM-Based automatic speech recognition. In Advances in Information and Computer Security, Kazuo Sakiyama and Masayuki Terada (Eds.). Springer Berlin, 36–52.

[109]

Graig Sauer, Jonathan Holman, Jonathan Lazar, Harry Hochheiser, and Jinjuan Feng. 2010. Accessible privacy and security: A universally usable human-interaction proof tool. Univers. Access Inf. Soc. 9, 3 (Aug. 2010), 239–248.

[110]

Katharine Schwab. 2019. Google’s new reCAPTCHA has a dark side. Retrieved from https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side.

[111]

Vinay Shet. 2014. Are you a robot? Introducing “No CAPTCHA reCAPTCHA.” Retrieved from https://security.googleblog.com/2014/12/are-you-robot-introducing-no-captcha.html.

[112]

Chenghui Shi, Xiaogang Xu, Shouling Ji, Kai Bu, Jianhai Chen, Raheem Beyah, and Ting Wang. 2019. Adversarial CAPTCHAs. arXiv preprint arXiv:1901.01107 (2019).

[113]

M. Shirali-Shahreza and S. Shirali-Shahreza. 2006. Drawing CAPTCHA. In 28th International Conference on Information Technology Interfaces.475–480.

[114]

M. Shirali-Shahreza and S. Shirali-Shahreza. 2008. Motion CAPTCHA. In Conference on Human System Interactions. 1042–1044.

[115]

Ved Prakash Singh and Preet Pal. 2014. Survey of different types of CAPTCHA. Int. J. Comput. Sci. Inf. Technol. 5, 2 (2014), 2242–2245.

[116]

A. Siripitakchai, S. Phimoltares, and A. Mahaweerawat. 2017. EYE-CAPTCHA: An enhanced CAPTCHA using eye movement. In 3rd IEEE International Conference on Computer and Communications (ICCC’17). 2120–2126.

[117]

Suphannee Sivakorn, Jason Polakis, and Angelos D. Keromytis. 2016. I’m not a human : Breaking the Google reCAPTCHA. In BlackHat Conference.

[118]

Oleg Starostenko, Claudia Cruz-Perez, Fernando Uceda-Ponga, and Vicente Alarcon-Aquino. 2015. Breaking text-based CAPTCHAs with variable word and character orientation. Pattern Recog. 48, 4 (2015), 1101–1112.

Digital Library

[119]

Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian J. Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In 2nd International Conference on Learning Representations, Yoshua Bengio and Yann LeCun (Eds.). http://arxiv.org/abs/1312.6199.

[120]

Jennifer Tam, Sean Hyde, Jiri Simsa, and Luis Von Ahn. 2008. Breaking audio CAPTCHAs. In 21st International Conference on Neural Information Processing Systems (NIPS’08). Curran Associates Inc., Red Hook, NY, 1625–1632.

Digital Library

[121]

M. Tang, H. Gao, Y. Zhang, Y. Liu, P. Zhang, and P. Wang. 2018. Research on deep learning techniques in breaking text-based Captchas and designing image-based Captcha. IEEE Trans. Inf. Forens. Secur. 13, 10 (2018), 2522–2537.

[122]

V. A. Thomas and K. Kaur. 2013. Cursor CAPTCHA—Implementing CAPTCHA using mouse cursor. In 10th International Conference on Wireless and Optical Communications Networks (WOCN’13). 1–5.

[123]

Erkam Uzun, Simon Pak Ho Chung, Irfan Essa, and Wenke Lee. 2018. rtCaptcha: A real-time CAPTCHA based liveness detection system. In Network and Distributed System Security Symposium.

[124]

Shardul Vikram, Yinan Fan, and Guofei Gu. 2011. SEMAGE: A new image-based two-factor CAPTCHA. In 27th Annual Computer Security Applications Conference (ACSAC’11). Association for Computing Machinery, New York, NY, 237–246.

Digital Library

[125]

Filip Vitas. 2019. How to bypass “slider CAPTCHA” with JS and Puppeteer. Retrieved from https://medium.com/@filipvitas/how-to-bypass-slider-captcha-with-js-and-puppeteer-cd5e28105e3c.

[126]

Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford. 2000. CAPTCHA: Telling Humans and Computers Apart Automatically. Retrieved from http://www.captcha.net/.

[127]

Luis Von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford. 2003. CAPTCHA: Using hard AI problems for security. In International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 294–311.

[128]

Luis von Ahn, Benjamin Maurer, Colin McMillen, David Abraham, and Manuel Blum. 2008. reCAPTCHA: Human-based character recognition via web security measures. Science 321, 5895 (2008), 1465–1468.

[129]

Luis von Ahn, Manuel Blum, Nick Hopper, John Langford, and Udi Manber. 2000. GIMPY. Retrieved from http://www.captcha.net/captchas/gimpy/.

[130]

P. Wang, H. Gao, Z. Shi, Z. Yuan, and J. Hu. 2020. Simple and easy: Transfer learning-based attacks to text CAPTCHA. IEEE Access 8 (2020), 59044–59058.

[131]

Michael L. Wells. 2003. Exciting Features in Super CAPTCHA. Retrieved from https://goldsborowebdevelopment.com/2013/06/exciting-features-in-super-captcha/.

[132]

Wordpress.org. 2013. Garb CAPTCHA. Retrieved from https://wordpress.org/plugins/captcha-garb/.

[133]

Luke Wroblewski. 2010. A Sliding Alternative to CAPTCHA? Retrieved from https://www.lukew.com/ff/entry.asp?1138.

[134]

Xin Xu, Lei Liu, and Bo Li. 2020. A survey of CAPTCHA technologies to distinguish between human and computer. Neurocomputing (2020).

[135]

Y. Xu, G. Reynaga, S. Chiasson, J. Frahm, F. Monrose, and P. C. van Oorschot. 2014. Security analysis and related usability of motion-based CAPTCHAs: Decoding codewords in motion. IEEE Trans. Depend. Sec. Comput. 11, 5 (2014), 480–493.

[136]

Jeff Yan and Ahmad Salah El Ahmad. 2008. Is Cheap Labour Behind the scene? - Low-cost Automated Attacks on Yahoo CAPTCHAs. Technical Report. School of Computing Science, Newcastle University, England.

[137]

Jeff Yan and Ahmad Salah El Ahmad. 2008. A low-cost attack on a Microsoft Captcha. In 15th ACM Conference on Computer and Communications Security (CCS’08). Association for Computing Machinery, New York, NY, 543–554.

Digital Library

[138]

Tzu-I Yang, Chorng-Shiuh Koong, and Chien-Chao Tseng. 2013. Game-based image semantic CAPTCHA on handset devices. Multimedia Tools Applic. 74 (2013), 5141–5156.

Digital Library

[139]

C. N. Yuan, and Jingxia Chongqing. 2018. Variation Analysis-Based Public Turing Test to Tell Computers and Humans Apart. Retrieved from http://www.freepatentsonline.com/y2018/0253542.html.

[140]

Y. Zhang, H. Gao, G. Pei, S. Luo, G. Chang, and N. Cheng. 2019. A survey of research on CAPTCHA designing and breaking techniques. In 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE’19). 75–84.

[141]

Binbin Zhao, Haiqin Weng, Shouling Ji, Jianhai Chen, Ting Wang, Qinming He, and Reheem Beyah. 2018. Towards evaluating the security of real-world deployed image CAPTCHAs. In 11th ACM Workshop on Artificial Intelligence and Security (AISec’18). Association for Computing Machinery, New York, NY, 85–96.

Digital Library

[142]

Y. Zi, H. Gao, Z. Cheng, and Y. Liu. 2020. An end-to-end attack on text CAPTCHAs. IEEE Trans. Inf. Forens. Secur. 15 (2020), 753–766.

Digital Library

Cited By

Rodriguez COppenheimer D(2024)Creating a Bot-tleneck for malicious AI: Psychological methods for bot detectionBehavior Research Methods10.3758/s13428-024-02357-956:6(6258-6275)Online publication date: 1-Apr-2024
https://doi.org/10.3758/s13428-024-02357-9
Wan XJohari JRuslan F(2024)Variational Color Shift and Auto-Encoder Based on Large Separable Kernel Attention for Enhanced Text CAPTCHA Vulnerability AssessmentInformation10.3390/info1511071715:11(717)Online publication date: 7-Nov-2024
https://doi.org/10.3390/info15110717
Manivannan ASethuraman SVimala Sudhakaran D(2024)mCaptcha: Replacing Captchas with Rate limiters to Improve Security and AccessibilityCommunications of the ACM10.1145/366062867:10(70-80)Online publication date: 26-Sep-2024
https://dl.acm.org/doi/10.1145/3660628
Show More Cited By

Index Terms

Gotta CAPTCHA ’Em All: A Survey of 20 Years of the Human-or-computer Dilemma
1. Security and privacy
  1. Security services
    1. Authentication
      1. Graphical / visual passwords

Recommendations

Design of Secure Multilingual CAPTCHA Challenge

Growing demand for native languages in web applications has made multilingual implementation of web user interfaces and dialogs essential. However, use of insecure foreign language text CAPTCHA challenges to prove human interaction in the native ...
The Next Malware Battleground: Recovery After Unknown Infection

Malware has become a natural aspect of Internet computing due to the imperfectness of systems that identify malware and prevent their installation. Our ability to control the volume of unwanted and malicious traffic on the Internet—the spam messages, ...
Mitigating denial of service attack using CAPTCHA mechanism
ICWET '11: Proceedings of the International Conference & Workshop on Emerging Trends in Technology

Denial of Service (DoS henceforth) attack is performed solely with the intention to deny the legitimate users to access services. Since DoS attack is usually performed by means of bots, automated software. These bots send a large number of fake requests ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 54, Issue 9

December 2022

800 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/3485140

Editor:
Albert Zomaya
University of Sydney, Australia

Issue’s Table of Contents

Copyright © 2021 Association for Computing Machinery.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 October 2021

Accepted: 01 July 2021

Revised: 01 May 2021

Received: 01 March 2021

Published in CSUR Volume 54, Issue 9

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Survey
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

26
Total Citations
View Citations
1,127
Total Downloads

Downloads (Last 12 months)340
Downloads (Last 6 weeks)33

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Rodriguez COppenheimer D(2024)Creating a Bot-tleneck for malicious AI: Psychological methods for bot detectionBehavior Research Methods10.3758/s13428-024-02357-956:6(6258-6275)Online publication date: 1-Apr-2024
https://doi.org/10.3758/s13428-024-02357-9
Wan XJohari JRuslan F(2024)Variational Color Shift and Auto-Encoder Based on Large Separable Kernel Attention for Enhanced Text CAPTCHA Vulnerability AssessmentInformation10.3390/info1511071715:11(717)Online publication date: 7-Nov-2024
https://doi.org/10.3390/info15110717
Manivannan ASethuraman SVimala Sudhakaran D(2024)mCaptcha: Replacing Captchas with Rate limiters to Improve Security and AccessibilityCommunications of the ACM10.1145/366062867:10(70-80)Online publication date: 26-Sep-2024
https://dl.acm.org/doi/10.1145/3660628
Ousat BSchafir EHoang DTofighi MNguyen CArshad SUluagac SKharraz AChua TNgo CKa-Wei Lee RKumar RLauw H(2024)The Matter of Captchas: An Analysis of a Brittle Security Feature on the Modern WebProceedings of the ACM Web Conference 202410.1145/3589334.3645619(1835-1846)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645619
Ji TLuo YLin YYang YZheng QLian SLi J(2024) ImageVeriBypasser : An image verification code recognition approach based on Convolutional Neural Network Expert Systems10.1111/exsy.13658Online publication date: 25-Jun-2024
https://doi.org/10.1111/exsy.13658
Duan FWang DJia C(2024)A Security Analysis of Honey Vaults2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00219(1424-1442)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00219
Moradi MMoradi MPalazzo SRundo FSpampinato C(2024)Image CAPTCHAs: When Deep Learning Breaks the MoldIEEE Access10.1109/ACCESS.2024.344297612(112211-112231)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3442976
Shirali-Shahreza SPenn G(2024)An Ecologically Valid Approach to Evaluating Online GatekeepersInternational Journal of Human–Computer Interaction10.1080/10447318.2024.2398890(1-16)Online publication date: 12-Sep-2024
https://doi.org/10.1080/10447318.2024.2398890
Chang GGao HPei GLuo SZhang YCheng NTang YGuo Q(2024)The robustness of behavior-verification-based slider CAPTCHAsJournal of Information Security and Applications10.1016/j.jisa.2024.10371181:COnline publication date: 25-Jun-2024
https://dl.acm.org/doi/10.1016/j.jisa.2024.103711
Shibbir MRahman HFerdous MChowdhury F(2024)Evaluating the security of CAPTCHAs utilized on Bangladeshi websitesComputers and Security10.1016/j.cose.2024.103774140:COnline publication date: 1-May-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103774
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Issue’s Table of Contents