Today, much of the interaction between clients and providers has moved to the Internet. Some tricksters have also learned to benefit from this new situation: new and improved cons, tricks and deceptions can be found online. Many of these deceptions are only profitable if they are carried out at a large scale, and reaching such large numbers of interactions requires automation. CAPTCHAs/HIPs are a relatively new security mechanism against automated attacks. They try to detect whether the other end of the interaction is a human or a computer program (a bot). However, CAPTCHA/HIP design is still at an early stage, as the stream of successful attacks highlights. This paper focuses on the design of CAPTCHAs and on whether there is a way to assess a basic level of security for new CAPTCHA designs. To do so, we first review the main attacks on different types of CAPTCHAs, and then describe BASECASS, a methodology that can help avoid some of these design pitfalls. The application of the methodology is exemplified with three attacks on CAPTCHAs, showing how designers who followed the methodology could have avoided them.