Extended Security Analysis of Hollow Captchas

Extended Security Analysis of Hollow Captchas

Text-based Captchas are now most widely used security technology for differentiating between computers and humans. Hollow Captchas have emerged as one of the latest designs, and they have been deployed by more and more major companies. Besides Yahoo!, Tencent, Sina, China Mobile and Baidu, some other websites, especially for higher security requirement shopping websites are also using this scheme. A main feature of such schemes is to use contour lines to form connected hollow characters with the aim of improving security and usability simultaneously. It is hard for standard techniques to segment and recognize such connected characters, which are however easy for human eyes. In this paper, we provide a systematic security analysis of hollow Captchas. We show that with a simple but novel attack, we can break most hollow Captchas with a relatively high success rate, including those deployed by the major companies. Our attack for the first time combines segmentation and recognition in a single step. We also discuss lessons and guidelines for designing better Captchas.