Visual Reverse Turing Tests: A False Sense of Security

Abstract

Internet services are increasingly abused by malicious scripts that try to mimic human users. Reverse Turing tests are challenges used to differentiate humans from computers. Visual reverse Turing tests use visual challenges, such as distorted character recognition tasks, that are easily solved by humans, while remaining too hard for automatic scripts. We demonstrate that the computational and development cost of a script breaking through some currently deployed visual reverse Turing tests is low, thus making them ineffective in protecting these services. We present two case studies of successful attacks on character-based tests that are currently used to protect two public Web services. Our attacks utilize image processing techniques and also exploit flaws in the test deployment