University of Cambridge Computer Laboratory, 15 JJ Thomson Avenue, Cambridge CB3 0FD, UK
Many websites utilise CAPTCHA (Completely Automatic Public Turing tests to tell Computers and Humans
Apart) schemes as human interaction proofs to grant access to their services only to people rather than spam bots. In this
paper, we examine the security of six widely used types of CAPTCHA and present novel attacks against all of them,
achieving success rates of up to 88%. We made improvements to three previously published attacks against the Hotmail,
Wikipedia, and Slashdot challenges and devised novel and successful attacks against BotDetect's Wavy chess,
reCAPTCHA, and a new variant of the Wikipedia scheme. Furthermore, we implemented a library that includes
customisable segmentation algorithms and character recognisers. This library can serve as a tool for further investigating
CAPTCHA security. Even though the difficulty and time needed to develop our CAPTCHA solver algorithms varied
significantly between different schemes, none of these CAPTCHAs proved to be resistant to the attacks we devised. Based
on our findings, we make recommendations for strengthening CAPTCHA methods to make them more resistant to automated
attacks such as ours.
Keywords: CAPTCHA, character segmentation, human interaction proofs, optical character recognition, security.
Open-access license: This is an open access article licensed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/3.0/), which permits unrestricted, non-commercial use, distribution and reproduction in any medium, provided the work is properly cited.
* Address correspondence to this author at the University of Cambridge Computer Laboratory, 15 JJ Thomson Avenue, Cambridge CB3 0FD, UK; Tel: +44(0)1223 763686; Fax: +44(0)1223 334678;
E-mail: firstname.lastname@example.org, email@example.com