EPL682 - PAPERS
Re: CAPTCHAs – Understanding CAPTCHA-Solving Services in an Economic Context
I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs
Antreas Dionysiou - Department of Computer Science, University of Cyprus
February 2019

BACKGROUND

What are CAPTCHAs?
• Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA).
• Proposed in 2003 by Von et al.
• Also referred to as Reverse Turing Tests.
• CAPTCHAs tell if a user is human or not.
• Different versions of CAPTCHA exist.
• Block attacks by automated bot systems.
• Must resist automated solving.
• Must be painless for humans.

CAPTCHA Versions

Text-based CAPTCHAs
• Most widely used CAPTCHA scheme.
• CAPTCHA design reflects a trade-off between protection and usability.

Paper: “Re: CAPTCHAs-Understanding CAPTCHA-Solving Services in an Economic Context.”

What is it all about? (Summary)
• Brief explanation of CAPTCHAs.
• A CAPTCHA-solving ecosystem has emerged with 2 major categories:
  1. Automated CAPTCHA solvers (software).
  2. Real-time human labor.
• Evaluation of CAPTCHAs in economic terms.
• The underlying cost structure of CAPTCHAs benefits the defender.
• Plenty of CAPTCHA-solving services with very low prices ($1/1000).
• CAPTCHAs should be viewed as an economic impediment to an attacker (not only as a technological one).
Motoyama, Marti, et al. "Re: CAPTCHAs-Understanding CAPTCHA-Solving Services in an Economic Context." USENIX Security Symposium. Vol. 10. 2010.

What is it all about? (Cont.)
• The overall shape of the market is poorly understood.
• Big evolution of automated solving tools…
• …but eclipsed by the emergence of the human-based solving market.
• Economic examination of the human-based solving market.
[Figure labels: Human-based solvers; Automated (software) solvers; Hybrid solvers]

Related work
• The authors claim that they are the first to identify the growth of human-labor-based CAPTCHA-solving services.
• The closest related work is the study by Bursztein et al. [1], but it focuses on CAPTCHA difficulty rather than the underlying business models.
• No other related work (at that time).
[1] E. Bursztein, S. Bethard, J. C. Mitchell, D. Jurafsky, and C. Fabry. How good are humans at solving CAPTCHAs? A large scale evaluation. In IEEE S&P ’10, 2010.

Authors Tried to Answer Key Questions Like
• Which CAPTCHAs are mostly targeted?
• Pricing of services?
• Rough solving capacity?
• Services’ adaptability to changes in CAPTCHA schemes?
• Workforce demographics?
• Quality of service?
Overall, this research provides reasoning about the net value of CAPTCHAs under existing threats.

CAPTCHA Economics, but why???
• A purely technical perspective on CAPTCHAs doesn’t capture the business realities of the CAPTCHA-solving ecosystem.
• The profitability of any scam is a function of 3 factors:
  1. The cost of CAPTCHA solving.
  2. The effectiveness of any secondary defenses.
  3. The efficiency of the attacker’s business model.
• CAPTCHAs add friction to the attacker’s business model.
• CAPTCHAs minimize the cost and legitimate user impact of heavier-weight secondary defenses (e.g. SMS, etc.).

Economics of CAPTCHA-solving Market
• The market for CAPTCHA-solving services has expanded…
• …but the wages of workers have been declining, for these reasons:
  1. CAPTCHA solving is an unskilled job.
  2. It can be easily sourced via the internet to the lowest-cost labor.
  3. Competition on the retail side has increased.
• Mr. E said that 50% of revenue is profit, roughly 10% is for servers and bandwidth, and the remainder is split between solving labor.

CAPTCHA-Solving Market Workflow

CAPTCHA-Solving Services Analysis
• Evaluated services which were well-advertised at the time.
• Evaluated 8 CAPTCHA-solving services for 5 months, collecting CAPTCHAs from the most popular web sites.
• Evaluated several aspects, such as:
  1. Customer interface.
  2. Solution accuracy.
  3. Response time.
  4. Availability.
  5. Capacity.

Quality of Service Assessment

Quality of Service Assessment (cont.)
• Median error rate and response time (in seconds) for all services. Services are ranked top-to-bottom in order of increasing error rate.

Services Analysis Results
• Antigate and ImageToText provided the fastest service.
• Accuracy and response time varied with the type of CAPTCHA.
• The value of a particular solver depends on 3 factors, namely:
  1. Accuracy.
  2. Response time.
  3. Price.
• DeCaptcher and CaptchaBot had the largest solving capacity, as they could solve 14–15 CAPTCHAs per second.

Worker Wages
• They focused on two services, namely Kolotibablo and PixProfit.
• Kolotibablo pays workers at a variable rate (from $0.50/1,000 up to over $0.75/1,000 CAPTCHAs) depending on how many CAPTCHAs they have solved.
• PixProfit offers a somewhat higher rate of $1/1,000.
• A minimum amount of money should be collected before payout.
• Most services provide payment via an online e-currency system.

Geographic Demographics
• All services include a sizeable workforce fluent in Chinese, likely in mainland China.
• Antigate has appreciable accuracies for Russian and Hindi, presumably drawing on workforces in Russia and India.
• Similarly for CaptchaBypass and Russian.
• BeatCaptcha and Tamil, Portuguese, and Spanish.
• DeCaptcher and Tamil.
• ImageToText has appreciable accuracy across a remarkable range of languages.

Adaptability of CAPTCHA Services
• Again focused on Kolotibablo and PixProfit services.
• Test them on the Asirra CAPTCHA.
• ImageToText displayed a remarkable adaptability, solving the Asirra CAPTCHA on average 39.9% of the time.
Figure 5: ImageToText error rate for the custom Asirra CAPTCHA over time.

Most Popular Targeted CAPTCHAs

Conclusions
• CAPTCHAs’ low-impact quality makes them attractive to site operators,
• …but, at the same time, easy to outsource to the global unskilled labor market.
• The CAPTCHA-solving business is a well-developed, highly competitive industry with large capacity.
• Wholesale and retail prices for CAPTCHA solving will continue to decline.
• CAPTCHAs don’t prevent large-scale automated site access,
• …but they effectively limit automated site access.

Conclusions (Cont.)
• As the cost of CAPTCHA solving decreases, a site operator must employ secondary defenses more aggressively.
• CAPTCHAs should be regarded as an economic impediment (not only a technological one).
• CAPTCHAs are low-impact mechanisms that add friction to the attacker’s business model.
• CAPTCHAs minimize the cost and legitimate user impact of heavier-weight secondary defenses.
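
Added example (not from the slides or the paper): a defender-side break-even model for the point that cheaper solving forces more aggressive secondary defenses. The function names, the 10% error rate and the $0.005 value per abusive action are constructed assumptions; only the $/1,000 price points echo figures on the slides.

```python
# Added example: defender-side break-even model. Names and sample values are
# constructed for illustration; they are not measurements from the paper.

def cost_per_accepted_solve(price_per_1000, error_rate):
    """Attacker's cost for one CAPTCHA answer that the site accepts.

    Assumption: wrong answers are still billed, so the effective cost is the
    unit price divided by the solver's accuracy.
    """
    if price_per_1000 < 0 or not 0.0 <= error_rate < 1.0:
        raise ValueError("need price >= 0 and 0 <= error_rate < 1")
    return (price_per_1000 / 1000.0) / (1.0 - error_rate)

def attacker_profit(price_per_1000, error_rate, block_rate, value_per_action):
    """Expected profit per action that passed the CAPTCHA.

    block_rate: fraction of abusive actions later stopped by secondary
    defenses; value_per_action: attacker revenue if the action survives.
    """
    if not 0.0 <= block_rate <= 1.0:
        raise ValueError("block_rate must be in [0, 1]")
    cost = cost_per_accepted_solve(price_per_1000, error_rate)
    return value_per_action * (1.0 - block_rate) - cost

def required_block_rate(price_per_1000, error_rate, value_per_action):
    """Smallest secondary-defense block rate that removes the profit."""
    if value_per_action <= 0:
        return 0.0
    cost = cost_per_accepted_solve(price_per_1000, error_rate)
    # Profit v*(1-b) - c <= 0  <=>  b >= 1 - c/v; the CAPTCHA alone is
    # enough (b = 0) when one solve costs more than the action is worth.
    return max(0.0, 1.0 - cost / value_per_action)

def sweep(prices, error_rate, value_per_action):
    """Required block rate at each solving price, rounded for display."""
    return [(p, round(required_block_rate(p, error_rate, value_per_action), 4))
            for p in prices]

if __name__ == "__main__":
    # As the retail price falls, the defender's secondary controls must
    # catch a larger share of abuse to keep it unprofitable.
    for price, rate in sweep([2.0, 1.0, 0.5], 0.10, 0.005):
        print(f"${price:.2f}/1,000 solves -> block at least {rate:.1%}")
```

With these constructed inputs, halving the solving price from $1 to $0.50 per 1,000 raises the block rate the secondary defenses must reach from about 78% to about 89%.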

Paper: “I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs.”