Research on the Security of Microsoft's Two-Layer Captcha

Captcha is a security mechanism designed to differentiate between computers and humans, and is used to defend against malicious bot programs. Text-based Captchas are the most widely deployed differentiation mechanism, and almost all text-based Captchas are single layered. Numerous successful attacks on the single-layer text-based Captchas deployed by Google, Yahoo!, and Amazon have been reported. In 2015, Microsoft deployed a new two-layer Captcha scheme. This appears to be the first application of two-layer Captchas. It is, therefore, natural to ask a fundamental question: is the two-layer Captcha as secure as its designers expected? Intrigued by this question, we have for the first time systematically analyzed the security of the two-layer Captcha in this paper. We propose a simple but an effective method to attack the two-layer Captcha deployed by Microsoft, and achieve a success rate of 44.6% with an average speed of 9.05 s on a standard desktop computer (with a 3.3-GHz Intel Core i3 CPU and 2-GB RAM), thus demonstrating clear security issues. We also discuss the originality and applicability of our attack, and offer guidelines for designing Captchas with better security and usability.