Three-Way Dissection of a Game-CAPTCHA: Automated Attacks, Relay Attacks, and Usability
This addresses the problem of user frustration and security vulnerabilities in captchas for web developers and security researchers, though it is incremental as it builds on existing captcha analysis.
The paper tackled the security and usability of Dynamic Cognitive Game (DCG) captchas, finding they have high usability and some resistance to relay attacks but are vulnerable to a novel dictionary-based automated attack.
Existing captcha solutions on the Internet are a major source of user frustration. Game captchas are an interesting and, to date, little-studied approach claiming to make captcha solving a fun activity for the users. One broad form of such captchas -- called Dynamic Cognitive Game (DCG) captchas -- challenge the user to perform a game-like cognitive task interacting with a series of dynamic images. We pursue a comprehensive analysis of a representative category of DCG captchas. We formalize, design and implement such captchas, and dissect them across: (1) fully automated attacks, (2) human-solver relay attacks, and (3) usability. Our results suggest that the studied DCG captchas exhibit high usability and, unlike other known captchas, offer some resistance to relay attacks, but they are also vulnerable to our novel dictionary-based automated attack.