
[IEEE 2009 Annual IEEE India Conference - Ahmedabad, India (2009.12.18-2009.12.20)] 2009 Annual IEEE India Conference - Drag and Drop: A Better Approach to CAPTCHA



Drag and Drop: A Better Approach to CAPTCHA

Arpan Desai, Pragnesh Patadia
A.D.Patel Institute of Technology, Sardar Patel University
New VidhyaNagar, Gujarat, India
[email protected]
[email protected]

Abstract— A Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a test used to determine whether a user is a human or a malicious computer program. In simple terms, a CAPTCHA is a program that can generate and grade tests that most humans can pass but current computer programs cannot. They appear as blurred or distorted random images in free email signups, online polls and blog comment forms; these images are difficult for computer programs to recognize but easy for most humans. They serve as a basic tool for preventing Denial of Service, brute force attacks and advertising spam. CAPTCHAs have evolved from simple text-based tests to recent audio and visual tests. Text-based CAPTCHAs have been broken successfully with the help of Optical Character Recognition, and every approach is vulnerable to laundry attacks or redirection. The suggested approach, 'Drag and Drop CAPTCHA' or 'DnD', is an inclusive solution against both OCR and laundry attacks. This Human Intervention Proof (HIP) challenge uses conventional mouse events to recognize human intervention: even if an attacking computer knows the answer to the test, it cannot pass the test without human intervention. The technique can be considered an Artificial Intelligence challenge, which creates a win-win situation: either this hard AI problem gets solved, or DnD remains a tool for distinguishing humans from computers. Keywords— CAPTCHA, drag and drop, Internet security, OCR, Human Intervention Proof, Artificial Intelligence

I. INTRODUCTION

CAPTCHA is a test to differentiate human users from malicious computer programs over the Internet. CAPTCHAs are generally used as a security measure in online voting, online shopping, free account signup, blog commenting, money transactions and so on [1]. The test is required to ensure that in an online poll the vote is being submitted by a human and not by a bot (a web robot, a simple computer program that performs repetitive tasks), a spider, or a well made but malicious computer program. There must be a check that a money transaction or an online purchase is performed by a human only. CAPTCHAs are very useful for preventing Denial of Service and brute force attacks. The test is also useful for keeping unwanted comments off blogs and thus restricting advertising spam by purpose-built computer programs.

Fig. 1 Text-based CAPTCHAs: Gimpy and Ticketmaster

The P in the abbreviation CAPTCHA stands for Public, meaning that the data and code should be publicly available to encourage scientists to work on the unsolved Artificial Intelligence (AI) problem behind the test.

II. LAUNDRY ATTACKS AND RECENT METHODOLOGIES

All text-based approaches use a noisy background with distorted characters, but these techniques are vulnerable to laundry attacks and redirection. In a laundry attack, whenever a bot encounters a CAPTCHA it forwards the image to a human sweatshop (a workforce hired only to solve CAPTCHA images) and the bot receives the answer to the test [7]. In redirection the test is likewise solved indirectly by humans. Laundry attacks and redirection are therefore independent of the complexity of the CAPTCHA.

Extensive research in the field of Optical Character Recognition has produced efficient methods based on shape context matching that identify the word in an EZ-Gimpy image with a success rate of 92% [2, 4].

III. DND CAPTCHA AND OBJECTIVES

This work presents a technique that uses mouse actions to distinguish humans from computers. Some recent approaches make partial use of the mouse, requiring a click on a specific moving object [11] or on a specific part of an image [10] to pass the CAPTCHA test.

The approach presented here is new and will be called 'DnD' or 'Drag and Drop' CAPTCHA. It uses the familiar action of dragging and dropping items into a specific region. In this test the user still has to read a normal CAPTCHA image, but does not type the answer into a text box. Instead the user drags and drops character blocks into their respective blank blocks in the order in which the characters appear in the image.

Fig. 2 DnD CAPTCHA: draggable characters block and dropbox

978-1-4244-4859-3/09/$25.00 ©2009

Here is an example of Drag and Drop CAPTCHA; Fig. 2 shows its probable design. All characters in the CAPTCHA image are given as draggable objects in the 'Characters Block' in random order. These draggable boxes should be dropped into their respective 'dropbox' in the order in which they appear in the image. (The authors refer to draggable boxes as draggables from here on.)

The key objectives in designing Drag and Drop CAPTCHA are:

A. Simplicity of Operation

In this challenge the user has to drag and drop the draggables as they appear in the image, and no additional skill is required to answer the test. The design is such that even a layman can understand it without specific instructions [6].

B. Test must be easy for Humans

Dragging and dropping an object is very easy for every human and needs no special analytical or technical ability [5].

C. Test must be difficult for current computer programs or bots

Designing an application or algorithm that identifies the character blocks and drags and drops them in the exact sequence and exact place is currently difficult. Either way it is a win-win situation: either this AI problem gets solved, or DnD is a technique for distinguishing humans from computers [7].

D. Higher Safety with lower bandwidth consumption

This test addresses the larger threats of redirection and laundry attacks; these points are covered later in the paper. The test needs no flashy backgrounds or additional images, so it is bandwidth efficient compared with approaches such as Animated and Implicit CAPTCHA, which are also secure against laundry attacks. The primary design currently uses basic HTML and JavaScript only, so there is no high bandwidth consumption.

E. Easy to implement and Maintain

The example presented here is designed in HTML and JavaScript with a little CSS, which is easy to implement. This is not a final design, and multiple designs can be developed from the same concept. Better designs are possible with extensions in HTML and JavaScript, Java applets or Macromedia Flash. The design is kept simple so that users can easily understand it and bandwidth consumption stays low, while remaining strong in terms of security against bot attacks.

IV. DESIGN AND IMPLEMENTATION

In Fig. 3 there are 7 characters in the image {z, f, e, f, y, m, t}, so 7 draggables are in the characters block and the same number of drop boxes is available. For this image the user has to drag draggable 'y' and place it in dropbox 5, and likewise draggables 't', 'f' and the rest according to their positions in the image.

The order in which the draggables are picked and placed into the dropboxes is independent of their arrangement in the characters block. Any draggable that has already been placed in a dropbox can be moved back to the characters block or to another dropbox.

Submitting the test before all draggables are placed appropriately results in failure.

Fig. 3 DnD CAPTCHA, dragging to respective drop box

Fig. 4 DnD CAPTCHA, right or wrong placed

In Fig. 4 the draggables have been placed on the dropboxes. The user can move an already placed draggable back into the characters block or into another empty dropbox. In case of ambiguity or difficulty in viewing the CAPTCHA image, the user has the option 'Try a Different Image'.

The difficulty level of DnD CAPTCHA can be changed easily with the following parameters:

i. Fewer characters in the image give a lower difficulty level, and vice versa.

ii. Simple labels with letters or digits instead of a blurred or distorted image reduce the difficulty level.

iii. Offering more draggables than there are dropboxes (Fig. 5) increases the difficulty level considerably.

These parameters can be used to vary the difficulty level according to the application of the Human Intervention Proof.

Fig. 5 DnD CAPTCHA, with higher difficulty level

V. ALGORITHM

Algorithm: DnD CAPTCHA

Input:  IC[1..i]  (list) the Image Characters that form the image
        DC[1..j]  (list) the Drag Characters offered in the Characters Block, with j >= i
                  (j = i for the normal difficulty level, j > i for the higher level)
        DB[1..i]  (list) the Drop Boxes, one per Image Character
Output: Done (boolean)

start:
    filled_DB := 0
    Lp := empty list        (Drag Characters already placed)
    Lq := empty list        (Drop Boxes already filled)
    while filled_DB != i:
        switch (action):
            action 1: place a Drag Character into a Drop Box
            action 2: bring a placed Drag Character back into the Characters Block
            action 3: move a placed Drag Character from one Drop Box to another
            action 4: submit
    if IC[1..i] = DB[1..i] then Done := true else Done := false
    return Done
end

There are four actions:
1. Placing a Drag Character upward into a Drop Box.
2. Bringing an already placed Drag Character back into the Drag Characters Block.
3. Moving an already placed Drag Character from one Drop Box to another Drop Box.
4. Submit.

action 1 (placing a Drag Character upward into a Drop Box):
    k := random((1..j) - Lp)        ('-' is the set difference; random models the user's free choice)
    m := random((1..i) - Lq)
    place(DC[k], DB[m])
    filled_DB := filled_DB + 1
    append(Lp, DC[k])
    append(Lq, DB[m])

Here k selects any Drag Character that has not been placed earlier, and m selects any Drop Box that has not been filled earlier. place(DC[k], DB[m]) puts that Drag Character into that Drop Box. filled_DB counts the filled Drop Boxes and increases by 1 every time the user places a character. append(Lp, DC[k]) records the placed Drag Character in the list, and append(Lq, DB[m]) records the filled Drop Box, which prevents the user from overlapping two Drag Characters on one Drop Box.

Similar algorithms can be written for the other actions, but considering the length of the paper the authors have not included them.
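The following is an added example, not code from the paper or its authors: a runnable JavaScript model (the paper's design is HTML and JavaScript; this runs under Node) of the session described in Sections IV and V, with all four user actions and the grading rule, rather than only action 1. The two challenge objects are constructed by hand and stand in for what the page would receive, with opaque draggable ids and a pre-shuffled order; the second one shows difficulty parameter iii (more draggables than dropboxes), and parameter i is simply a shorter imageChars list. All names (DndSession, place, takeBack, move, submit, walkthrough) are assumptions made for this example.

```javascript
// Added example (not from the paper): a runnable model of the DnD session of
// Sections IV and V. Draggable ids are opaque; `glyph` is the character the
// draggable shows. Names and sample challenges are assumptions for this example.

// Fig. 3: the image reads z f e f y m t; seven draggables, seven drop boxes (j = i).
const CHALLENGE_FIG3 = {
  imageChars: ['z', 'f', 'e', 'f', 'y', 'm', 't'],
  draggables: [
    { id: 'd0', glyph: 'y' }, { id: 'd1', glyph: 'f' }, { id: 'd2', glyph: 't' },
    { id: 'd3', glyph: 'z' }, { id: 'd4', glyph: 'm' }, { id: 'd5', glyph: 'f' },
    { id: 'd6', glyph: 'e' },
  ],
};

// Fig. 5 variant: more draggables than drop boxes (j > i); 'q' and 'r' are decoys.
const CHALLENGE_FIG5 = {
  imageChars: CHALLENGE_FIG3.imageChars,
  draggables: CHALLENGE_FIG3.draggables.concat([{ id: 'd7', glyph: 'q' }, { id: 'd8', glyph: 'r' }]),
};

class DndSession {
  constructor(challenge) {
    this.imageChars = challenge.imageChars;                                   // IC[1..i]
    this.glyphOf = new Map(challenge.draggables.map(d => [d.id, d.glyph]));  // DC[1..j]
    // DB[1..i] from the paper: each entry holds a draggable id or null (empty)
    this.boxes = new Array(challenge.imageChars.length).fill(null);
  }

  boxOf(id) { return this.boxes.indexOf(id); }                    // -1 while in the Characters Block
  filled() { return this.boxes.filter(x => x !== null).length; }  // filled_DB
  inBlock() { return [...this.glyphOf.keys()].filter(id => this.boxOf(id) === -1); }

  // action 1: place a draggable that is still in the Characters Block into an empty box.
  // An occupied box is refused, which is what the Lq list enforces in the paper.
  place(id, box) {
    if (!this.glyphOf.has(id) || this.boxOf(id) !== -1) return false;
    if (!(box >= 0 && box < this.boxes.length) || this.boxes[box] !== null) return false;
    this.boxes[box] = id;
    return true;
  }

  // action 2: bring a placed draggable back into the Characters Block.
  takeBack(id) {
    const at = this.boxOf(id);
    if (at === -1) return false;
    this.boxes[at] = null;
    return true;
  }

  // action 3: move a placed draggable to another empty box.
  move(id, box) {
    const at = this.boxOf(id);
    if (at === -1 || !(box >= 0 && box < this.boxes.length) || this.boxes[box] !== null) return false;
    this.boxes[at] = null;
    this.boxes[box] = id;
    return true;
  }

  // action 4: submit. Fails if any box is empty (Section IV); otherwise passes when
  // the glyph in every box matches the image character at that position, so the
  // two 'f' draggables may be used in either order.
  submit() {
    if (this.filled() !== this.boxes.length) return false;
    return this.boxes.every((id, n) => this.glyphOf.get(id) === this.imageChars[n]);
  }
}

// Walk through Fig. 3 and Fig. 4: place, misplace, submit too early, correct, submit.
function walkthrough(challenge = CHALLENGE_FIG3) {
  const s = new DndSession(challenge);
  s.place('d0', 4);            // 'y' into dropbox 5 (index 4), as in the Fig. 3 example
  s.place('d2', 0);            // 't' wrongly dropped into dropbox 1
  const early = s.submit();    // false: boxes are still empty
  s.move('d2', 6);             // correct it: 't' belongs in dropbox 7
  s.place('d3', 0); s.place('d1', 1); s.place('d6', 2); s.place('d5', 3); s.place('d4', 5);
  return { early, passed: s.submit(), leftInBlock: s.inBlock().length };
}
```

walkthrough() returns { early: false, passed: true, leftInBlock: 0 } for the Fig. 3 challenge and leftInBlock: 2 for the Fig. 5 one, since the decoys stay in the Characters Block. The grading compares glyphs, not ids, so duplicate characters in the image need no special handling.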

VI. EXPERIMENTAL RESULTS

Experiments conducted on the primary design of the approach with approximately 100 people, including students, developers and tech-savvy users, gave good insight into the user's perspective.

Fig. 6 DnD CAPTCHA test module

The module used in the test is shown in Fig. 6. It demonstrates that draggables 'j' and 'k' are placed in the right place while draggables 'y' and 'c' are misplaced. After submitting the test, the user learns whether he passed or failed the CAPTCHA challenge.

The success rate of the test module is close to 87% on the first attempt, and the user satisfaction level is also quite high.

The test was followed by feedback on the design and various aspects of the approach.

Chart: DnD Feedback. Bars give the number of users (0 to 100) rating each approach aspect (Easy to Use, Better Design, Less Bandwidth, Time Consuming), broken down by Students, Developers and Tech Savvies.

The reason behind the higher user satisfaction level is that in this approach users do not have to strain their mind or eyes to identify the characters in the image. It removes the confusion between 'l', '1' and 'I' (lowercase L, the digit one and uppercase i), and similarly makes it easy to distinguish between upper and lower case characters such as 'c', 'z' and 'k'. As all the answer characters are already present in the characters block, most users solved the test on the first attempt. Almost all users found it easy to solve and neither boring nor annoying.

Naturally, drag and drop actions consume more time than the conventional approach. Approximately 6 seconds are required to solve a six-character image. This time can be reduced by using fewer characters in the image.

DnD does not require high-end servers or a large database of images for its implementation. It consumes less bandwidth than newer approaches such as SQUIGL-PIX, rot CAPTCHA, ESP-PIX and Implicit CAPTCHA [3, 10, 11].

VII. DND AND LAUNDRY ATTACKS

The DnD approach deals significantly with the major CAPTCHA threats. In the DnD technique solving the image is not the main aim of the Human Intervention Proof; placing the characters at their respective positions is the main challenge. Hence even if a bot knows the answer to the image, it can do nothing without human intervention.

A) CAPTCHA redirection: In this threat the distorted image is generally sent to a busy site, whose visitors solve the image in order to proceed and unknowingly help the bot. The bot receives the characters in the image and types that text into the text box [2].

In DnD, however, even if the answer is already given to the bot, the characters still have to be placed correctly, which no current computer program can do without human intervention; the test therefore still provides a Human Intervention Proof, and redirection does not solve the ultimate problem.

B) OCR: Even if an Optical Character Recognition technique identifies which letters are in the image, human intervention is still necessary to pass the test. Hence OCR alone is not sufficient against this approach.

C) Laundry Attacks: In this threat sweatshops solve the images and the answers are sent back to the bot. But to solve a DnD challenge the user must drag and drop the draggables into the correct places, and knowing the answer to the image is not sufficient to solve the test.

DnD CAPTCHA can be solved only with the help of a human user; this is the major advantage of the approach. Even if OCR or a bot knows the answer, it cannot submit it, because submitting the correct answer requires human intervention.

It poses a comparatively difficult challenge for Artificial Intelligence researchers to develop a technique that solves the DnD test without human intervention.

VIII. FUTURE EXTENSIONS

Currently this approach is designed for personal computers only. The growing number of users of iPhones, Android devices, Pocket PCs, touch phones, Kindles and other mobile and Wi-Fi enabled devices calls for extending the approach to mobiles; hence we have started work on a mobile version of the approach for both touch and non-touch devices [13].

On mobile screen resolutions identifying distorted characters can sometimes be tough. The DnD approach can help avoid the overhead of distinguishing between upper and lower case and between similar characters such as 'I', '1' and 'l'. The DnD approach can also be extended to different languages: with geometrical shapes instead of characters, a Human Intervention Proof can be verified easily and independently of language [4].

Other enhancements of the approach can be made after reaching a larger group of users and on the basis of their feedback.

IX. CONCLUSION

DnD CAPTCHA is independent of the intellectual level of the person and partially language independent. As the characters are already given for the CAPTCHA challenge, it can be considered a pattern matching task.

The DnD technique significantly addresses the threats of laundry attacks and redirection. Considering the advances in Optical Character Recognition, it can be a better replacement for text-based CAPTCHAs.

The main advantage of DnD is the ease with which humans pass the test. As bots and spiders are weak against the DnD approach, it is highly secure.

We conclude that text-based CAPTCHAs are vulnerable to OCR, and that there should be a definite way of distinguishing humans from computers that is both easy and secure. The DnD technique provides ease together with security, so it is a better replacement for current text-based CAPTCHAs.

ACKNOWLEDGMENT

Heartfelt thanks to Alf Magne Kalleland [12] for his technical guidance on the primary design of our approach, and to captchas.net [8] for providing CAPTCHA images for our experiments. We would also like to thank our parents, teachers and every individual who directly or indirectly helped us.

REFERENCES

[1] L. von Ahn, M. Blum, N. Hopper and J. Langford, "CAPTCHA: Using Hard AI Problems for Security," Advances in Cryptology, Eurocrypt 2003, pp. 294-311.

[2] K. Chellapilla and P. Simard, "Using Machine Learning to Break Visual Human Interaction Proofs (HIPs)," in L. K. Saul, Y. Weiss and L. Bottou (eds.), Advances in Neural Information Processing Systems 17, MIT Press, pp. 265-272.

[3] http://recaptcha.net

[4] G. Mori and J. Malik, "Recognizing Objects in Adversarial Clutter: Breaking a Visual CAPTCHA," Computer Vision and Pattern Recognition (CVPR-2003), 2003.

[5] K. Chellapilla, K. Larson, P. Simard and M. Czerwinski, "Designing Human Friendly Human Interaction Proofs (HIPs)," CHI 2005.

[6] J. Yan and A. S. El Ahmad, "Usability of CAPTCHAs or Usability Issues in CAPTCHA Design," Symposium on Usable Privacy and Security (SOUPS) 2008.

[7] H. S. Baird, M. A. Moll and S. Y. Wang, "A Highly Legible CAPTCHA that Resists Segmentation Attacks," Proc. Second Int'l Workshop on Human Interactive Proofs (HIP'05), H. S. Baird and D. P. Lopresti (eds.), Springer-Verlag, LNCS 3517, Bethlehem, PA, USA, 2005.

[8] Free CAPTCHA site: http://captchas.net

[9] W3C Working Group, "Inaccessibility of CAPTCHA - Alternatives to Visual Turing Tests on the Web," Nov. 2005. Available at http://www.w3.org/TR/turingtest/.

[10] H. S. Baird and J. L. Bentley, "Implicit CAPTCHAs," Proc. SPIE/IS&T Conf. on Document Recognition and Retrieval XII (DR&R 2005), San Jose, CA, January 2005.

[11] E. Athanasopoulos and S. Antonatos, "Enhanced CAPTCHAs: Using Animation to Tell Humans and Computers Apart," Proc. 10th IFIP Open Conference on Communications and Multimedia Security (CMS'06), October 2006.

[12] http://dhtmlgoodies.com

[13] R. Gossweiler, M. Kamvar and S. Baluja, "What's Up CAPTCHA? A CAPTCHA Based on Image Orientation," WWW 2009, International World Wide Web Conference.