CAPTCHAs are employed on websites to differentiate between human users and bot programs that indulge in spamming and other fraudulent activities. With the advent and advancement of sophisticated computer programs to break CAPTCHAs, it has become imperative to continuously evolve the CAPTCHA schemes in order to keep the Internet network and website free of congestion and spam-bots. In light of these developments concerning information security, in this chapter, the authors introduce the novel concept of Scrambled CAPTCHA, which is a combination of OCR-based and Picture CAPTCHAs and exploits an inherent characteristic of human vision and perception. They also introduce Hindi CAPTCHA, developed in Hindi language (Devanagari script). This CAPTCHA will typically address spamming on Indian websites. It also contributes to the digitalization of books written in this script. The authors also discuss the features and security aspects of these schemes in detail, which, to the best their knowledge, had not been implemented earlier.
TopIntroduction
The ever increasing use of Internet and web resources calls for strong security measures to prevent malicious activities like spamming (Siponen 2006), phishing (Dhamija 2005), credit-card frauds and unauthorized access to information. One of the primary mechanisms of enforcing security and preventing misuse of online resources is the Human Interactive Proof (HIP) system. HIP system is a broad set of protocols to distinguish between computer programs known as ‘bots’ and human users. CAPTCHAs (Completely Automated Public Turing Test to Tell Human and Computers Apart) are a form of HIP. CAPTCHAs are employed as means to prevent ‘bots’ (that pose as human users) from indulging in spamming and other unscrupulous activities. The essence of a CAPTCHA is that it should be identified easily by a human but not by a bot. Broadly, CAPTCHAs can be classified into two groups:
OCR-based CAPTCHAs are mainly text-based CAPTCHAs in which the user is shown distorted images of letters and/or digits and the user is required to recognize them and type the answer. The OCR-based CAPTCHAs have been employed on many popular websites such as Google, Yahoo!, Hotmail, Facebook etc. However, these CAPTCHAs have an inherent limitation. Since the strength of these CAPTCHAs significantly depends upon the degree of distortion in the displayed text, increasing security by increasing text distortion may lead to failure of recognition by humans (Yan 2008), thus making the CAPTCHA ineffective. Further, for mobile phones and devices like PDAs and palmtops, the use of keyboard may be infeasible or difficult thus making OCR-based CAPTCHAs inconvenient.
These weaknesses can be resolved by using Non-OCR based CAPTCHAs. Non-OCR based CAPTCHAs include audio (Tam 2008), logical (Shirali-Shahreza 2007), animated (Athanasopoulos 2006, Kluever 2009, Shirali-Shahreza 2008) and picture CAPTCHAs (Baird 2005, Chew 2004, Jain 2009, Shirali-Shahreza 2007, Shirali-Shahreza 2008, Shirali-Shahreza 2008) which basically test the audio/video sense capability associated with a human. Logical CAPTCHAs display questions, puzzles etc. which can be easily solved by humans but not by bots. In audio CAPTCHAs, users are required to recognize sounds played out to them. They are also beneficial to blind users (Shirali-Shahreza 2007) who otherwise cannot interact with OCR-based and video/animated CAPTCHAs. CAPTCHAs have also been designed for deaf users (Shirali-Shahreza 2008). In Picture CAPTCHAs, picture(s) of some object(s) is/are shown to the user. The user has to identify the displayed objects or recognize some properties associated with these pictures. This mechanism exploits two facts:
In this chapter, we introduce two novel CAPTCHA schemes: Scrambled CAPTCHA and Hindi CAPTCHA. We also discuss their security implications and benefits. The following section discusses some broad associated definitions and the research already conducted in CAPTCHA generation and breaking.
TopBackground
Research Work Conducted in OCR-Based CAPTCHAs
The MSN CAPTCHA popularly used by Hotmail has been broken by Yan et al.(Yan 2008) with overall success of 60% by employing the technique of snake segmentation. They also broke CAPTCHAs from captchaservice.com (92% success) and register.com (47.8% success). Mori et al. (Mori 2003) employed object-recognition techniques to break the EZ-Gimpy (92% success) and the Gimpy (33% success) CAPTCHAs. Moy et al. (Moy 2004) estimated distortion and broke EZ-gimpy (99% success) and 4-letter Gimpy-r (78% success). K. Chellapilla et al. (Chellapilla 2004) achieved 34.4% success rate on breaking an improved version of Yahoo/EZ Gimpy CAPTCHAs. Moreover, they broke Google HIP which used only image warp as means of text distortion. STCs proposed by Gupta et al. (Gupta 2009) introduced the concept of ‘Tagging’. von Ahn et al. (von 2008) introduced ReCAPTCHA which is being used by Facebook.