Many security primitives are based on hard mathematical problems. Using hard AI problems for security has emerged as an exciting new paradigm (with Captcha being the most successful example). However, this paradigm has achieved just a limited success, and has been under-explored. In this paper, we motivate and sketch a new security primitive based on hard AI problems.

Simple, universally applicable strategies can help any captchaprotected system resist automated attacks and can improve the ability of administrators to detect attacks. The strategies discussed here cause an exponential increase in the difficulty faced by automated attackers, while only increasing the inconvenience for human users in an approximately linear manner. These strategies are characte...

We report novel API attacks on a Captcha web service, and discuss lessons that we have learned. In so doing, we expand the horizon of security APIs research by extending it to a new setting. We also show that system architecture analysis is useful both for identifying vulnerabilities in security APIs and for fixing them.

As protection of web applications are getting more and more important every day, CAPTCHAs are facing booming attention both by users and designers. Nowadays, it is well accepted that using visual concepts enhance security and usability of CAPTCHAs. There exist few major different ideas for designing image CAPTCHAs. Some methods apply a set of modifications such as rotations to the original imag...

Spam over internet telephony (SPIT) refers to all unsolicited and massive scale attempts to establish voice communication with oblivious users of voice over internet protocol (VoIP) services. SPIT exhibits a significant increase over the last years, thus developing into a serious threat with adverse impact and costs for the business economy. An audio completely automated public Turing test to t...

This paper studies reverse Turing tests to tell humans and computers apart. Contrary to classical Turing tests, the judge is not a human but a computer. These tests are often called Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHA). The main purpose of such test is avoiding automated usage of various services, preventing bots from spamming on forums, securing...

In this article, we’ve tried to examine the hypothesis of the robustness of a form by using CAPTCHA against CSRF and login CSRF attacks. Our investigations showed that unlike public opinion, common attacks to bypass CAPTCHAs such as Optical Character Recognition (OCR) and 3rd party human attacks are not applicable in the CSRF case and instead, Clickjacking is the most important scenario of CSRF...

A Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a widely used security mechanism for constructing a high-confidence proof that the entity interacting with a remote service is actually a human being. Stimulated by the facts that: a) nowadays CAPTCHA challenges are solely based on the Latin alphabet, b) currently Internet population consists in its majori...

The massive and automated access to Web resources through robots has made it essential for Web service providers to make some conclusion about whether the ”user” is a human or a robot. A Human Interaction Proof (HIP) like Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) offers a way to make such a distinction. CAPTCHA is a reverse Turing test used by Web serv...

In an on-line transaction, a client usually have to present some authenticators (password, user certificate or both) to the server. However, those authenticators are exposed to client-side malware such that the malware is able to obtain the server-client messages, or impersonate the user to build another “secure” channel with the server. The present paper aims to patch this client-side security...