Title :
iCAPTCHA: The Next Generation of CAPTCHA Designed to Defend against 3rd Party Human Attacks
Author :
Truong, Huy D. ; Turner, Christopher F. ; Zou, Cliff C.
Author_Institution :
Univ. of Central Florida, Orlando, FL, USA
Abstract :
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) is a simple test that is easy for humans but extremely difficult for computers to solve. It is widely used by commercial websites such as web-based email providers, TicketMaster, GoDaddy, and Facebook to protect their resources from attacks initiated by automatic scripts. By design, however, CAPTCHA cannot distinguish between a human attacker and a legitimate human user, which leaves websites that rely on it vulnerable to 3rd-party human CAPTCHA attacks, in which the challenge is relayed to a human solver. To demonstrate this vulnerability in existing CAPTCHA technologies, we develop a new streamlined human-based CAPTCHA attack that uses Instant Messenger infrastructure to relay challenges to solvers. Facing this serious human-based threat, we then present a new defense system called Interactive CAPTCHA (iCAPTCHA), a next-generation CAPTCHA that provides the first steps toward defending against 3rd-party human CAPTCHA attacks. iCAPTCHA requires a user to solve a test through a series of user interactions. The multi-step back-and-forth traffic between client and server amplifies the statistical timing difference between a legitimate user and a relayed human solver, which enables better attack detection. A performance and usability study of iCAPTCHA shows that the proposed scheme is effective at attack detection, is easy to use, and is a viable replacement for current text-based CAPTCHA.
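The abstract's central argument is that forcing several client-server round trips amplifies the timing gap between a user who answers directly and a relayed human solver. The simulation below is an added illustration of that argument, not code from the paper and not the authors' detection heuristic: the per-step response-time model (a human reaction time plus, for relayed sessions, an extra Instant Messenger relay delay), the parameter values, and the threshold rule (the empirical 99th percentile of legitimate session totals) are all constructed assumptions. It shows why summing k step timings raises the separation between the two populations roughly as the square root of k, and measures the resulting detection rate for one-step versus six-step challenges.

```python
"""Added example: timing amplification over multi-step CAPTCHA interactions.

Not the paper's code. The timing model and all constants are assumptions
constructed for illustration; they are not measurements from the study.
"""
import math
import random

# Assumed per-step timing model, in milliseconds (constructed, not measured).
LEGIT_MEAN, LEGIT_SD = 800.0, 250.0   # human reaction time for one interaction step
RELAY_MEAN, RELAY_SD = 600.0, 300.0   # extra delay when the step is relayed over IM to a solver
NETWORK_FLOOR_MS = 50.0               # no response can arrive faster than this


def step_time(rng, relayed):
    """Server-observed round trip for a single interaction step."""
    t = rng.gauss(LEGIT_MEAN, LEGIT_SD)
    if relayed:
        # The relay adds its own latency on top of the solver's reaction time.
        t += rng.gauss(RELAY_MEAN, RELAY_SD)
    return max(t, NETWORK_FLOOR_MS)


def session_total(rng, n_steps, relayed):
    """Total time a session spends across all n_steps interaction steps."""
    return sum(step_time(rng, relayed) for _ in range(n_steps))


def calibrate_threshold(rng, n_steps, n_sessions=2000, fpr=0.01):
    """Assumed threshold rule: the empirical (1 - fpr) quantile of legitimate totals.

    Sessions slower than this are flagged as relayed, so fpr is the target
    false-positive rate against legitimate users.
    """
    totals = sorted(session_total(rng, n_steps, False) for _ in range(n_sessions))
    idx = min(int((1.0 - fpr) * n_sessions), n_sessions - 1)
    return totals[idx]


def evaluate(n_steps, n_sessions=2000, seed=1):
    """Calibrate on legitimate traffic, then measure FPR and detection rate.

    Calibration and evaluation use separate samples so the threshold is not
    tested on the data that produced it. The seed makes the run reproducible.
    """
    rng = random.Random(seed)
    thr = calibrate_threshold(rng, n_steps, n_sessions)
    flagged_legit = sum(session_total(rng, n_steps, False) > thr for _ in range(n_sessions))
    flagged_relay = sum(session_total(rng, n_steps, True) > thr for _ in range(n_sessions))
    return {
        "threshold_ms": thr,
        "false_positive_rate": flagged_legit / n_sessions,
        "detection_rate": flagged_relay / n_sessions,
    }


def expected_separation(n_steps):
    """Analytic z-score of the mean gap between relayed and legitimate totals.

    Under the model above the gap in means grows linearly with n_steps while
    the spread grows only as sqrt(n_steps), so the separation scales as
    sqrt(n_steps): this is the amplification effect of multi-step interaction.
    """
    gap = n_steps * RELAY_MEAN
    spread = math.sqrt(n_steps) * math.hypot(LEGIT_SD, RELAY_SD)
    return gap / spread


if __name__ == "__main__":
    for k in (1, 2, 4, 6):
        r = evaluate(k)
        print(f"steps={k}: separation z={expected_separation(k):.2f}, "
              f"threshold={r['threshold_ms']:.0f} ms, "
              f"FPR={r['false_positive_rate']:.3f}, "
              f"detection={r['detection_rate']:.3f}")
```

With these assumed parameters a single-step challenge catches only about half of the relayed sessions at a 1% false-positive budget, while six steps push detection above 90% at the same budget. The numbers themselves depend entirely on the constructed model; the point that survives any reasonable choice of parameters is the square-root growth of the separation with the number of steps, which is the mechanism the abstract describes. A real deployment would calibrate the threshold from observed legitimate traffic and would have to account for slow but legitimate users and for solvers sitting on low-latency relays.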
Keywords :
Internet; Web sites; client-server systems; computer network security; invasive software; next generation networks; user interfaces; 3rd party human attacks; Instant Messenger; automatic scripts; client-server systems; commercial Web sites; completely automated public turing test to tell computers and humans apart; human attacker; iCAPTCHA; interactive CAPTCHA; legitimate human user; multistep back-and-forth traffic; resource protection; user interactions; vulnerabilities; Connectors; Detection algorithms; Heuristic algorithms; Humans; Time factors; Web servers;
Conference_Title :
Communications (ICC), 2011 IEEE International Conference on
Conference_Location :
Kyoto
Print_ISBN :
978-1-61284-232-5
Electronic_ISBN :
1550-3607
DOI :
10.1109/icc.2011.5963009