Abstract
Captcha is an important security measure used by many websites to defend against malicious bot programs. However, with advances in computer vision, seemingly complex Captcha schemes have been broken. Although Captcha-solving techniques have improved significantly, we observed that many major banking and government websites still rely on a relatively simple class of text Captchas to counter bot attacks. In this paper, we demonstrate that the Captcha schemes deployed on the State Bank of India (SBI), Axis Bank and Indian Railways (IRCTC) websites can be easily broken using a repertoire of standard image processing techniques. We develop a Captcha solver tool called Revelio which is lightweight, automatic and efficient, requires minimal labeled data, and works in real time. We evaluate the performance of our tool against a state-of-the-art CNN model on diverse Captcha schemes from 14 major Indian websites. The proposed solver achieves at least 90% accuracy on 10 of the 14 Captcha schemes. Further, we found that for the targeted class of Captcha schemes and a given amount of labeled data, our solver outperforms the CNN-based solver.
Notes
1. Service Plus Captchas are used on different government websites, including the CM Relief Fund websites of Chhattisgarh and Karnataka.
2. SBI Collect Captchas are used on various government websites, including the CM Relief Fund websites of Assam, Gujarat, Haryana, Goa and Tripura.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Chougule, A., Tupsamudre, H., Lodha, S. (2020). Revelio: A Lightweight Captcha Solver Using a Dictionary Based Approach. In: Kanhere, S., Patil, V.T., Sural, S., Gaur, M.S. (eds) Information Systems Security. ICISS 2020. Lecture Notes in Computer Science(), vol 12553. Springer, Cham. https://doi.org/10.1007/978-3-030-65610-2_7
DOI: https://doi.org/10.1007/978-3-030-65610-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65609-6
Online ISBN: 978-3-030-65610-2
eBook Packages: Computer Science (R0)