Web sites, or Internet sites, very often provide information, products, services, and the like to their users. A malicious user will sometimes employ a script to emulate human interaction with a web site. As is well known in the art, a script is an automated set of instructions. Every time the script is invoked, the commands are interpreted and executed. The script can adapt itself to the responses that the server gives.
Many web sites require users to “register” before their web servers will grant access to the users. Web site registration is one example of a task that is supposed to be performed by a human rather than a machine (i.e., by scripting). During registration, a user typically supplies personal information such as username, password, account number, address, telephone number, e-mail address, computer platform, age, gender, and/or hobbies to the registering web site. The registration information may be necessary to complete transactions (e.g., commercial or financial transactions). Typically, the information also permits the web site to contact the user directly (e.g., via electronic mail) to announce, for example, special promotions, new products, or new web site features. Additionally, web sites often collect user information so web site operators can better target future marketing activities or adjust the content provided by the sites.
When registering a user for the first time, a web site typically requests that the user select a login identifier, or login ID, and an associated password. The login ID allows the web site to identify the user and retrieve information about the user during subsequent user visits to the web site. Generally, the login ID must be unique to the web site such that no two users have the same login ID. The combination of the login ID and password associated with the login ID allows the web site to authenticate the user during subsequent visits to the web site. The password also prevents others (who do not know the password) from accessing the web site using the user's login ID. This password protection is particularly important if the web site stores private or confidential information about the user, such as financial information or medical records.
Using a presently available multi-site user authentication system (e.g., Microsoft® .NET™ Passport single sign-in service), a web user can maintain a single login ID (and associated password) for accessing multiple, affiliated web servers or services. Such a system permits the user to establish a unique account identified by, for example, an e-mail address.
Unfortunately, scripting permits a malicious user to emulate human interaction with a web site for registering a large number of new accounts associated with fictitious users. Because many e-mail services allow users to filter out unsolicited mass mailings (i.e., spam) based on the sender's address, running scripts to register new e-mail accounts enables the malicious user to continue sending spam from the new accounts in the face of such filtering. The new e-mail accounts also provide readily accessible space for storing illegal copies of software. Malicious users also run scripts against pages served by web servers in an attempt to guess passwords and mass-harvest public information (e.g., e-mail addresses). Moreover, malicious users are able to obtain free advertising in chat rooms and the like through the use of such script attacks.
Although several conventional techniques purport to prevent spam, these known techniques fail to address the problem of scripting attacks. For example, one anti-spam method, briefly mentioned above, attempts to distinguish desirable e-mail from spam by applying a set of rules to classify each piece of mail (e.g., flagging mail from a particular sender as spam). Rule-based classifiers tend to be ineffective mail filters and require continually modifying the rules. Another anti-spam technique involves requiring the sender to work a puzzle, the solution of which is attached to his or her sent mail as an “electronic postage stamp.” In this instance, the recipient's mailbox must be set up to only accept mail that includes such a stamp. Other systems require generating digital signatures and the like for e-mail.
Those skilled in the art are familiar with the concept of “Turing tests” for interrogating two unseen respondents, a human and a computer, to try to determine which of the two is the computer. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a well-known project that creates puzzles designed to be solvable only by humans for the purpose of distinguishing humans and computers over a network. Typically, the puzzles involve having the user read a sequence of characters from a visually cluttered image. Further information on CAPTCHA is available at “www.captcha.net”.
In the original Turing test, a human asks questions of another human and a machine to distinguish between the two. Recent interest has turned to developing systems that allow a computer to distinguish between another computer and a human. This enables the construction of automatic filters to prevent automated scripts from utilizing services intended for humans. In addition to being called CAPTCHAs, such tests are sometimes referred to as HIPs (Human Interactive Proof or Human Interaction Proof). Typical CAPTCHAs or HIPs involve text recognition, visual pattern recognition, image processing, and audio recognition challenges.
Unfortunately, advances in optical character recognition have reduced the effectiveness of existing Turing-type challenges. Also, there is little cost for an automatic attacker that fails most of the time. Even if an automated script defeats a challenge on only 1% of attempts, it needs on average 100 attempts per success, and each failed attempt costs the machine only a fraction of a second of computation and one network round trip, so the cost of failures and repetitions is relatively low for a machine.
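The following is an added example, not the method of this application and not code from the CAPTCHA project: a minimal server-side challenge store of the kind any text-recognition HIP sits on, together with a simulation of the scripted attacker described above. It assumes a six-character alphanumeric answer, a 120-second challenge lifetime and a cap of three wrong responses per challenge (all hypothetical values), and it omits the step of rendering the answer into a cluttered image, returning the answer string directly so the attacker simulation can model a solver that reads it correctly with a given probability. The server-side checks (unguessable challenge handle, expiry, single use, attempt cap, constant-time comparison) are the ones a practitioner wants regardless of how the image is generated; the simulation shows concretely how many accounts a script with a 1% solver obtains from a given number of attempts.

```python
import hmac
import random
import secrets
import string
import time

# Added example (not the patent's method). Hypothetical parameters:
ALPHABET = string.ascii_uppercase + string.digits  # answer character set
CHALLENGE_TTL_SECONDS = 120   # lifetime of an unanswered challenge
MAX_ATTEMPTS = 3              # wrong responses tolerated per challenge


class HipServer:
    """Issues text challenges and verifies responses.

    The answer string is what a deployment would render into a visually
    cluttered image; rendering is out of scope here, so issue() returns it.
    """

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without sleeping
        self._open = {}       # challenge_id -> [answer, expires_at, attempts_left]

    def issue(self, length=6):
        answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # The handle is random and independent of the answer, so holding a
        # handle reveals nothing about the answer.
        challenge_id = secrets.token_hex(16)
        self._open[challenge_id] = [answer, self._clock() + CHALLENGE_TTL_SECONDS, MAX_ATTEMPTS]
        return challenge_id, answer

    def verify(self, challenge_id, response):
        record = self._open.get(challenge_id)
        if record is None:
            return False                   # unknown, already solved, or burned
        answer, expires_at, _ = record
        if self._clock() > expires_at:
            del self._open[challenge_id]   # expired: a stale answer is never accepted
            return False
        submitted = response.strip().upper().encode()
        if hmac.compare_digest(answer.encode(), submitted):
            del self._open[challenge_id]   # single use: a solved challenge cannot be replayed
            return True
        record[2] -= 1
        if record[2] <= 0:
            del self._open[challenge_id]   # too many misses: the script must fetch a new one
        return False

    def open_challenges(self):
        # A real server also sweeps expired entries; this demo only drops them on access.
        return len(self._open)


def expected_attempts_per_account(solver_success_rate):
    """Mean challenges a script must answer per account obtained (geometric distribution)."""
    return 1.0 / solver_success_rate


def simulate_script(server, solver_success_rate, attempts, seed=0):
    """Scripted registration with an imperfect automated solver.

    Each attempt fetches a fresh challenge. With probability solver_success_rate
    the simulated solver reads it correctly; otherwise it submits a string that
    cannot match ('?' is outside ALPHABET). Returns the number of accounts won.
    """
    rng = random.Random(seed)
    accounts = 0
    for _ in range(attempts):
        challenge_id, answer = server.issue()
        guess = answer if rng.random() < solver_success_rate else "?" * len(answer)
        accounts += server.verify(challenge_id, guess)
    return accounts


if __name__ == "__main__":
    print("expected attempts per account at 1% solver:",
          expected_attempts_per_account(0.01))
    print("accounts from 10000 scripted attempts at 1% solver:",
          simulate_script(HipServer(), 0.01, 10000))
```

The simulation makes the cost argument concrete: ten thousand attempts at a 1% solver yield on the order of a hundred accounts, and nothing in the per-challenge checks above raises the price of a failed attempt. Those checks stop replay and answer brute-forcing against one challenge, but limiting how many challenges a single source may request, or attaching a cost to each attempt, has to come from elsewhere.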
In light of the foregoing, further improvements are needed for preventing script attacks from successfully running a repetitive task that is supposed to be performed by a human. In addition to providing significant cost savings and improved security, such a solution is useful to help prevent spam, software piracy, and other malicious attacks.