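% CAPTCHA robustness references: one technical report and one conference paper.
%
% Maintainer notes:
%   - Acronyms and proper nouns in title/booktitle are brace-protected so that
%     sentence-casing styles do not lowercase them (e.g. "captchas", "google").
%   - interhash, intrahash and ee are not standard BibTeX fields, and standard
%     styles ignore them. They look like export-tool identifiers; confirm
%     nothing depends on them before removing.
%   - Every url/ee value below is a plain-HTTP link. Prefer the doi field where
%     one exists, and check a downloaded PDF against the published version
%     before relying on it.

% Technical report, Newcastle University, May 2011. Per its abstract, it
% reports an attack on two Google-operated text CAPTCHAs and proposes a
% framework for evaluating CAPTCHA robustness, plus a general design principle.
% No DOI is recorded, so the author-hosted URL is the only locator; record an
% access date when the link is next verified.
@techreport{elahmad2011robustness,
  author      = {El Ahmad, Ahmad S and Yan, Jeff and Tayara, Mohamad},
  title       = {The Robustness of {Google} {CAPTCHAs}},
  institution = {School of Computer Science, Newcastle University, UK},
  year        = 2011,
  month       = may,
  url         = {http://homepages.cs.ncl.ac.uk/jeff.yan/google.pdf},
  interhash   = {2d6bb0b3bad1f6a01c15e1bbd8bd7158},
  intrahash   = {3516bc8c24b04f63927808e82824004d},
  abstract    = {We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we designed our attack. This suggests that our attack works in a fundamental level. Our attack appears to be applicable to a whole family of text CAPTCHAs that build on top of the popular segmentation-resistant mechanism of "crowding character together" for security. Next, we propose a novel framework that guides the application of our well-tested security engineering methodology for evaluating CAPTCHA robustness, and we propose a new general principle for CAPTCHA design.},
}

% Conference paper, CCS '10. Per its abstract, it reviews image recognition
% CAPTCHA schemes, analyses their security, and proposes a design framework
% and a scheme called Cortcha.
% Field usage: address holds the publisher's city and location holds the
% conference venue. NOTE(review): biblatex treats address as an alias of
% location, so these two fields may collide under Biber; confirm which value
% is kept before switching backends.
% The doi field is the stable identifier; url is the publisher landing page
% and ee is an author-hosted copy.
@inproceedings{zhu2010attacks,
  author    = {Zhu, Bin B. and Yan, Jeff and Li, Qiujie and Yang, Chao and Liu, Jia and Xu, Ning and Yi, Meng and Cai, Kaiwei},
  title     = {Attacks and design of image recognition {CAPTCHAs}},
  booktitle = {{CCS} '10: Proceedings of the 17th {ACM} conference on Computer and communications security},
  pages     = {187--200},
  publisher = {ACM},
  address   = {New York, NY, USA},
  location  = {Chicago, Illinois, USA},
  year      = 2010,
  month     = oct,
  doi       = {10.1145/1866307.1866329},
  isbn      = {978-1-4503-0245-6},
  url       = {http://portal.acm.org/citation.cfm?id=1866307.1866329},
  ee        = {http://homepages.cs.ncl.ac.uk/jeff.yan/ccs10.pdf},
  interhash = {e95b041b4b155f5ff44977827e8680cd},
  intrahash = {3c8aa0e647903603ddce90c1642b89b2},
  abstract  = {We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all existing IRCs schemes and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail. Then we present a security analysis of the representative schemes we have identified. For the schemes that remain unbroken, we present our novel attacks. For the schemes for which known attacks are available, we propose a theoretical explanation why those schemes have failed. Next, we provide a simple but novel framework for guiding the design of robust IRCs.
Then we propose an innovative IRC called Cortcha that is scalable to meet the requirements of large-scale applications. It relies on recognizing objects by exploiting the surrounding context, a task that humans can perform well but computers cannot. An infinite number of types of objects can be used to generate challenges, which can effectively disable the learning process in machine learning attacks. Cortcha does not require the images in its image database to be labeled. Image collection and CAPTCHA generation can be fully automated. Our usability studies indicate that, compared with Google's text CAPTCHA, Cortcha allows a slightly higher human accuracy rate but on average takes more time to solve a challenge.},
}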