Existing systems are continually under attack by users seeking unauthorized access to protected information. A human interactive proof (HIP) is a simple arbitrary test posed by a server to a client to validate that the intelligence behind the client is human. One type of HIP is a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), in which the user is asked to enter alphanumeric characters that are presented in a skewed and distorted manner and are difficult for a robot (“bot”) program to read and enter.
The primary motivation for using a HIP is to filter scripted attacks on web services that aim to consume vast amounts of server resources for spam or other malicious activities. For example, a simple script could open a large number of email accounts with a web-mail service and then use these accounts to spam “human” email accounts. While traditional HIPs have proven effective in constrained scenarios, in the general case they leave a lot to be desired.
HIPs provided as images of transformed characters, which rely on the difficulty of OCR (optical character recognition), have already been broken using simple OCR techniques that focus on the intricacies of HIP generation algorithms. Alternative HIP schemes rely on visual tests that computers cannot solve easily, such as separating dogs from cats in a collection of photos. However, both methods are easily broken using a relay attack, in which a HIP test is forwarded to a sweatshop where a human solves HIP puzzles for pay or for free services, an attack technique that defeats the very purpose of the HIP.