Is image-based CAPTCHA secure against attacks based on machine learning? An experimental study

The completely automated public Turing test to tell computers and humans apart (CAPTCHA) is among the most common methods of authentication used by websites and web services. It is intended to protect online services from automated scripts and malicious programs. Text-based and audio CAPTCHA are two of the earliest such methods, and have been shown to be inadequate at protecting systems and services. Image-based CAPTCHA has been introduced to address the limitations of previous CAPTCHA methods. It uses image recognition tasks to determine whether the user is a human or a malicious program. In light of the sensitivity of protected resources, challenges to their security arising from advances in machine learning algorithms are investigated here. This study examines the strength of image-based CAPTCHA by proposing an image-based CAPTCHA breaking system. The proposed system can automatically answer challenges posed by the recently proposed Google image reCAPTCHA with minimal human intervention. It employs deep learning technologies and machine learning algorithms, including random forest, classification and regression trees (CART), bagging with CART, and Naive Bayes to automatically answer challenges. The proposed attack mechanism achieved an average accuracy of 85.32% while successfully solving 56.29% of reCAPTCHA challenges posed to it. The results show current image-based CAPTCHAs to deter automated scripts and malicious programs provide a false sense of security. (C) 2019 Elsevier Ltd. All rights reserved.