Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie Security risks of using CAPTCHAs and potential attacks
Ähnlich wie Security risks of using CAPTCHAs and potential attacks (20)
Security risks of using CAPTCHAs and potential attacks
- 1. Security Risks with Using CAPTCHAs Final Project CS854 Fall 2006 Presented by Allan Caine December 4, 2006
- 2. Allan Caine 2 Outline Background Our Proposed Model and Why Multi-point attack Attacking “Repeaters”
- 3. Allan Caine 3 Background Password/authentication System Human called the Prover Generally succeeds Bot called the Prover Generally fails Server/System CAPTCHA called the Verifier
- 4. Allan Caine 4 Current Paradigm Purchase RequestKey: k challenge E-commerce web site. Bot CAPTCHA Server CGI: k CGI: k Expects 3882948
- 5. Allan Caine 5 Proposed Model E-commerce web site. BotCAPTCHA Server The attacker cannot perceive the presence of a third party.
- 7. Allan Caine 7 Consequence: Multi-point Attack The resemblance is uncanny. Both use the same 3rd party CAPTCHA provider, audienceview.com. Breaking one CAPTCHA, breaks both sites. Attacker has two points of attack and more incentive to attempt the attack.
- 8. Allan Caine 8 All of these Sites are Compromised! www.tickets.com And many other non-baseball sites
- 9. Allan Caine 9 Attacking Repeaters Purchase RequestKey: k challenge E-commerce web site. MLB & yourtube.com Bot CAPTCHA Server CGI: k CGI: k Expects 3882948
- 10. Allan Caine 10 Two Basic Steps Learn off-line Attack on-line
- 11. Allan Caine 11 1st Step: Learn Off-line Clipped Cleaned Templates
- 12. Allan Caine 12 2nd Step: Attack On-line Sub-steps Pre-process the CAPTCHA Correlate and Vote
- 13. Allan Caine 13 Preprocess K-means analysis Segregation Targets
- 14. Allan Caine 14 Correlate and Vote Best Match! Usually, we get a correct match. Occasionally, due to image noise in the target, we get a spurious result. No problem! We ask the CAPTCHA server for another image with the same solution. We try again to cross check our work.
- 15. Allan Caine 15 “Election” Results The digit getting the most votes for a particular position “wins” the election and is our choice for the solution.
- 16. Allan Caine 16 So What? Strategy depends upon a specific weakness (repeating) and yet: Unlimited access to training data (common fault) Strategy suggests how to segregate characters Learning complex strategies perhaps break other CAPTCHAs
- 17. Allan Caine 17 Future Directions Apply the learn off-line/attack on-line strategy to break other CAPTCHAs (i.e. break yourtube.com and audienceview.com) Use analysis to build more robust verifiers (i.e. k not constant) Build prototype e-commerce websites according to our model and test.