Article

Two-Step CAPTCHA: Using a Simple Two Step Turing Test to Differentiate between Humans and Bots


Abstract

of Internet and its usage has made web services prone to malicious threats by automated scripts or bots. "Completely Automated Public Turing Test to tell Computers and Humans Apart", commonly abbreviated as CAPTCHA, is a technique used by web services to differentiate between humans and bots.(1) Most of these techniques are based on recognizing the distorted images of alphanumeric texts that are often not easy to understand by the humans. We put forward a new idea of preventing automated attacks by bots, which asks users to pass through a simple two-step process of authentication. The first step involves recognizing an image from a set of images that best answers to the question associated with this step. The second step involves entering the values associated with the image selected so as to further nullify the probability of a bot attack.


... An idea of preventing automated attacks by bots, which requests users to pass through two-step process [1] of authentication. The first step involves recognizing an image from a set of images that best answers to the question associated with this step. ...
... The user is authenticated only if the image chosen is correct as well as all the four values entered are correct. Limitations of Two step captcha [1] are the probability of the machine breaking unauthentically into websites is considerably low. This approach is simple and at times less time consuming. ...
Article
Today's online services are vulnerable by malicious programs which would illegally gain authorizations at the expense of legitimate human users. Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA) is used as a shield from malicious scripts like bots. This method is mainly used to differentiate the user accessing website is an authenticated user or not. The current research deals with image based techniques that incorporate object detection as a test to provide solution. This is simple for humans to solve and provides high level of security by being resilient to automated attacks. The required image for this methodology to create a captcha is stored in a database. A composite image is generated randomly by combining at least four images and a single question is associated to it. For each displayed image, relevant questions are generated and stored in database. User has to choose appropriate picture based on the question which appears on the screen. If the user clicked-image is correct, then the user is considered as an authenticated user, otherwise the user is considered as a robot or automated script and it is not possible to go to the next webpage.
... Eligibility criteria included being 18 years of age or over, identifying as either trans-WSM or cis-MSM, self-reporting any condomless sex in the past year, living in the two recruitment regions, ability to comprehend English, and providing online written consent. To ensure quality of responses, we installed a CAPTCHA box to screen out online bots (Baluni & Gole, 2013). We also used a cross-validation program that blocked any duplicate IP addresses in order to prevent multiple responses from the same individual (King et al., 2014;Van Selm & Jankowski, 2006). ...
Article
Transgender women and cisgender men who have sex with men (trans-WSM and cis-MSM) comprise the majority of new HIV infections in the Philippines. There is limited research in the Philippines on the relationship between having a provider responsive to the needs of these populations and recent engagement in HIV medical services such as HIV testing and treatment. We used multivariate logistic regression to examine the relationship between having a responsive medical provider and engagement in HIV medical services in the past 12 months among an online sample of 318 trans-WSM and cis-MSM in the Philippines. Participants without a responsive medical provider had lower adjusted odds of recent HIV medical service engagement than those who did (aOR = 0.32, 95% CI [0.16, 0.62], p = .00). In stratified analyses, this relationship was significant for trans-WSM but not cis-MSM. Increasing access to responsive providers in the Philippines could bolster recent engagement with HIV medical services.
... We utilized best-practices for implementing online surveys [25]. We installed a "captcha box" into the survey to rule out non-human survey takers or robots [26]. We also systematically implemented a cross-validation programme that blocked any IP addresses that were not unique, which prevented multiple responses from the same individual [27,28]. ...
Article
Introduction Understanding HIV risk and healthcare engagement of at‐risk individuals by HIV status is vital to informing HIV programmes in settings where the HIV epidemic is rapidly expanding like the Philippines. This study examined differences in HIV risk and healthcare engagement factors among Filipinx transgender women and cisgender men who have sex with men (trans‐WSM and cis‐MSM respectively) who self‐reported being HIV negative, HIV positive or HIV unknown. Methods Between 2018 and 2019, we conducted Project #ParaSaAtin, an online cross‐sectional survey that examined the structural, social and behavioural factors impacting HIV services among Filipinx trans‐WSM and cis‐MSM (n = 318). We performed multinomial regression procedures to determine factors associated with HIV status (with HIV‐negative referent). Co‐variates included participant demographics, experiences of social marginalization, HIV risk, healthcare engagement and alcohol and substance problems. Results Self‐reported HIV status of the sample was as follows: 38% HIV negative, 34% HIV positive and 28% HIV unknown. Relative to HIV‐negative respondents, HIV‐positive respondents were more likely to be older (25‐ to 29‐year‐old adjusted risk ratio [aRRR]=5.08, 95% Confidence Interval [95% CI] = 1.88 to 13.72; 30‐ to 34‐year‐old aRRR = 4.11, 95% CI = 1.34 to 12.58; and 35 + years old aRRR = 8.13, 95% CI = 2.40 to 27.54, vs. 18 to 25 years old respectively), to live in Manila (aRRR = 5.89, 95% CI = 2.20 to 15.72), exhibit hazardous drinking (aRRR = 2.87, 95% CI = 1.37 to 6.00) and problematic drug use (aRRR = 2.90, 95% CI = 1.21 to 7.13). HIV‐positive respondents were less likely to identify as straight (aRRR = 0.13, 95% CI = 0.02 to 0.72), and were more likely to avoid HIV services due to lack of anti‐lesbian, gay, bisexual and transgender (LGBT) discrimination policies (aRRR = 0.37, 95% CI = 0.14 to 0.90). 
Relative to HIV‐negative respondents, HIV‐unknown respondents were less educated (some college aRRR = 0.10, 95% CI = 0.02 to 0.37, beyond college aRRR = 0.31, 95% CI = 0.09 to 0.99, vs. high school or below respectively), had lower HIV knowledge (aRRR = 0.30, 95% CI = 0.20 to 0.71), and were less communicative about safer sex (ARR = 0.29, 95% CI = 0.09 to 0.92). Moreover, HIV‐unknown respondents were also more likely to have avoided HIV services due to cost (aRRR = 4.46, 95% CI = 1.73 to 11.52). Conclusions This study highlights differences in HIV risks and healthcare engagement by HIV status. These findings show different barriers exist per HIV status group, and underscore the need to address Filipinx trans‐WSM and cis‐MSM’s poor engagement in HIV services in the Philippines.
... 35 First, to confirm that actual human participants were taking the survey, a 'captcha box' was programmed into the survey to rule out robots. 36 Second, to ensure that each survey was unique and that there were no duplicates, we systematically implemented a cross-validation programme that flagged duplicated (Internet Protocol) IP addresses. 37 38 Any IP addresses that were not unique were blocked from taking the survey. ...
Article
Background: Risks for condomless sex among transgender women and cisgender men who have sex with men (trans-WSM and cis-MSM, respectively) in the Philippines, where HIV recently became a national public health crisis, are shaped and exacerbated by various risk factors across multiple levels. Methods: Between June 2018 and August 2019, we conducted a cross-sectional online study with 318 trans-WSM and cis-MSM respondents from Manila and Cebu cities. Structural equational modelling procedures were performed to determine direct, indirect and overall effects between condom use and latent variables across multiple socioecological levels: personal (ie, condom self-efficacy), social (ie, social capital), environmental (ie, barriers to condom and HIV services) and structural (ie, structural violence, antidiscrimination policies). Results: Adjusted for gender, age, location and income, our model showed that: (1) all latent variables at the structural and environmental levels were significantly positively associated with each other (all ps<0.05); (2) barriers to condom and HIV services were significantly negatively associated with social capital (p<0.001) as well as condom self-efficacy (p<0.001); and (3) there were significantly positive associations between social capital and condom self-efficacy (p<0.001), and between condom self-efficacy and condom use (p<0.001). Moreover, social capital and condom self-efficacy fully mediated and buffered the negative effects between environmental and structural barriers and condom use. Conclusion: This is the first known study pointing to multiple relationships and pathways across multiple socioecological levels that can potentially be leveraged for future interventions aimed at improving condom use among Filipinx trans-WSM and cis-MSM. 
Such interventions should be multicomponent and build and/or strengthen social capital and condom self-efficacy, as well as intentionally target prominent structural and environmental barriers to condom use.
... Rittenhouse and Chaudhry (2015) and Thandeeswaran and Durai (2016) review the many modes of authentication available. More specific surveys on individual authentication methods include Buciu and Gacsadi (2016) Recently, literature has also emerged regarding multi-step and multi-factor authentication, see for example Baluni and Gole (2013) and Khan et al. (2015) and Banyal et al. (2013). However, Koved and Zhang (2014) point out that the problem of managing a complex authentication system dynamically, when several authentication methods are available for each incoming request, has not been widely studied. ...
Article
We study an authentication system that receives requests from different types of users. A centralized controller must assign an authentication method to each request, considering the type, the state of the system and the characteristics of several available methods. Each authentication method has different capacity, service rate, level of security, level of usability and operating cost. We seek to optimize security, usability and operating cost, simultaneously by assigning authentication methods dynamically, in real time. To do this, we model the system as a network of parallel multi-server queues, where each queue represents an authentication method and each customer represents a request. We use two different approaches to handle the multiple objectives: a weighted total cost function, and treating security and latency as constraints while minimizing operating cost. We employ constrained and unconstrained Markov decision processes to determine the structure of policies that effectively balance these three objectives. We conclude that if there are infinitely many servers for each authentication method, then the optimal policy is static. We also show that if one method has finite capacity, then the optimal policy is of trunk reservation form. Our results regarding the structure of the optimal policy are consistent for both modeling approaches. Our work shows that optimal policies have intuitive, easy-to-implement structures that are useful in practice. Under certain assumptions, we provide a straightforward way to obtain an optimal policy. We also offer strategies to use our models to explore non-dominated solutions over the three objective functions.
... Recently reported in scientific literature approaches apply different algorithms to obtain CAPTCHA image skeleton for easy manipulation of characters overcoming in this way antisegmentation mechanisms [9,11,23]. The precision of the segmentation step reported by new CAPTCHA beating systems lies between 40% [10,13,16] and 95% [9,10,24]. Interesting approach is presented by Liu [25], which exploits a set of morphological filters that break satisfactorily security mechanism based on asymmetric-ellipses sometimes presented in reCAPTCHA. Another approach presented by Indian research group [26] considers that the pre-processing stage is not necessarily must generate complete letter blobs. ...
... Recently reported in scientific literature approaches apply different algorithms to obtain image skeleton for easy manipulation of characters overcoming in this way anti-segmentation mechanisms [9,11,23]. The precision of the segmentation step reported by new CAPTCHA beating systems lies between 40% [10,13,16] and 95% [9,10,24]. Interesting approach is presented by Liu [25], which exploits a set of morphological filters that break satisfactorily security mechanism based on asymmetric-ellipses sometimes presented in reCAPTCHA 2012. Another approach presented by Indian research group [26] considers that the pre-processing stage is not necessarily must generate complete letter blobs. ...
Article
A novel approach for automatic segmentation and recognition of CAPTCHAs with variable orientation and random collapse of overlapped characters is presented in this paper. Additionally, the extension of the proposed approach to break reCAPTCHA of version of 2012 is also discussed. The original proposal consists in straightening characters and word in CAPTCHA exploiting then a three-color bar code for their segmentation. The recognition of straightened characters and whole word is provided by the proposed original SVM-based learning classifier. The main goal of this research is to reduce vulnerability of CAPTCHA from spam and frauds as well as to provide an approach for recognizing either handwritten or degraded and damaged texts in ancient manuscripts by OCR systems. The designed framework for breaking CAPTCHAs by the proposed approach has been tested achieving average segmentation success rate up to 82% for reCAPTCHA of version 2011 and achieving 95.5% by extended approach for reCAPTCHA of version 2012 with response time less than 0.5 s per two-word reCAPTCHA. The implemented SVM classifier shows a competitive precision about 94%. The obtained very satisfactory results confirm that the proposed approach may be used for development of new security mechanisms to protect users against cyber-criminal activities and Internet threats.
Article
Atomizing various Web activities by replacing human to human interactions on the Internet has been made indispensable due to its enormous growth. However, bots also known as Web-bots which have a malicious intent and pretending to be humans pose a severe threat to various services on the Internet that implicitly assume a human interaction. Accordingly, Web service providers before allowing access to such services use various Human Interaction Proofs (HIPs) to authenticate that the user is a human and not a bot. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a class of HIPs tests and are based on Artificial Intelligence. These tests are easier for humans to qualify and tough for bots to simulate. Several Web services use CAPTCHAs as a defensive mechanism against automated Web-bots. In this paper, we review the existing CAPTCHA schemes that have been proposed or are being used to protect various Web services. We classify them in groups and compare them with each other in terms of security and usability. We present general method used to generate and break text-based and image-based CAPTCHAs. Further, we discuss various security and usability issues in CAPTCHA design and provide guidelines for improving their robustness and usability.
Article
The use of completely Automated Public Turing Test to Tell computers and Humans Apart (CAPTCHAS) by popular web sites, to prevent automated registrations, is discussed. CAPTCHAs are similar to the turing test in that they distinguish human from computers. CAPTCHAs offers plausible solution against email worms and spam and prevent dictionary attacks in password systems. CAPTCHAs show that open problems in artificial intelligence (AI) can be useful in avoiding multiple voting or multiple number of free email accounts by an adversary.
Article
Nowadays, the Internet is now becoming a part of our everyday lives. Many services, including Email, search engine, and web board on Internet, are provided with free of charge and unintentionally turns them into vulnerability services. Many software robots or, in short term, bots are developed with purpose to use such services illegally and automatically. Thus, web sites employ human authentication mechanism called Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) to counter this attack. Unfortunately, many CAPTCHA have been already broken by bots and some CAPTCHA are difficult to read by human. In this paper, a new CAPTCHA method called 3D CAPTCHA is proposed to provide an enhanced protection from bots. This method based on assumption that human can recognize 3D character image better than Optical Character Recognition (OCR) software bots.
Conference Paper
Most commonly used CAPTCHAs are text-based CAPTCHAs which rely on the distortion of texts in the background image. With the development of automated computer vision techniques, which have been designed to remove noise and segment the distorted strings to make characters readable for OCR, traditional text-based CAPTCHAs are not considered safe anymore for authentication. A novel image based CAPTCHA which involves in solving a jigsaw puzzle is presented in this paper. An image is divided into an n×n (n=3, 4 or 5, depends on security level) pieces to construct the jigsaw puzzle CAPTCHA. Only two of the pieces are misplaced from their original positions. Users are required to find the two pieces and swap them. Considering the previous works which are devoted to solving jigsaw puzzles using edge matching technique, the edges of all pieces are processed with glitch treatment to prevent the computer automatic solving. Experiments and security analysis proved that human users can complete the CAPTCHA verification quickly and accurately, but computers rarely can. It is a promising substitution to the current text-based CAPTCHA.
R. Rehmam, D. Tomar and S. Das, "Dynamic Image Based CAPTCHA", (2012) 978-0-7695-4692-6/12, IEEE Computer Society.
A. A. Chandvale, A. M. Sapkal and R. M. Jalnekar, "A Framework to analyze the security of Text based CAPTCHA", International Journal of Computer Applications, Vol 1 issue 27, pp. 127-132.
Monica Chew and J. D. Tygar, UC Berkeley, "Image Recognition CAPTCHAs", Springer, September 2004, pp. 268-279.