The AI Hardness of CAPTCHAs does not imply Robust Network Security

Speaker: Allan Caine

A CAPTCHA is a special kind of AI hard test to prevent bots from logging into computer systems. We define an AI hard test to be a problem which is intractable for a computer to solve as a matter of general consensus of the AI community. On the Internet, CAPTCHAs are typically used to prevent bots from signing up for illegitimate e-mail accounts or to prevent ticket scalping on e-commerce web sites. We have found that a popular and distributed architecture used on the Internet has a flawed protocol. Consequently, the security that the CAPTCHA ought to provide does not work and is ineffective at keeping bots out. This talk discusses the flaw in the distributed architecture's protocol. We propose an improved protocol, which keeps the current architecture intact. We implemented a bot, which is 100% effective at breaking CAPTCHAs that use this flawed protocol. Furthermore, our implementation of our proposed protocol proves that it is not vulnerable to attack. We use two popular web sites, tickets.com and youtube.com, to demonstrate our point.

This is Joint work with Urs Hengartner.