Pitfalls in CAPTCHA Design and Implementation: The Math CAPTCHA, a Case Study

publication date

  • February 2010

start page

  • 141

end page

  • 157


  • 1


  • 29

International Standard Serial Number (ISSN)

  • 0167-4048

Electronic International Standard Serial Number (EISSN)

  • 1872-6208


  • We present a black-box attack against an already deployed CAPTCHA that aims to protect a free service delivered using the Internet. This CAPTCHA, referred to as "Math CAPTCHA" or "QRBGS CAPTCHA", requests the user to solve a mathematical problem in order to prove that they are human. We study significant problems both in its design and its implementation, and how those flaws can be used to completely solve this CAPTCHA using a low-cost attack. This attack requires no development in Artificial Intelligence or automatic character recognition, the intended path, thus becoming a side-channel attack, based on this CAPTCHA's flaws. We relate these flaws to common flaws found in other CAPTCHA proposals. We conclude with some tips for enhancing this CAPTCHA that can be considered as general guidelines.