TAPCHA – An ‘Invisible’ CAPTCHA Scheme

TAPCHA is a universal CAPTCHA scheme designed for touch-enabled smart devices such as smartphones, tablets and smartwatches. The main difference between TAPCHA and other CAPTCHA schemes is that TAPCHA retains its security by making the CAPTCHA test ‘invisible’ for the bot. It then utilises context effects to maintain the readability of the instruction for human users which eventually guarantees the usability of the scheme. Two reference designs, namely TAPCHA SHAPE & SHADE and TAPCHA MULTI are developed to demonstrate the use of this scheme.


INTRODUCTION
CAPTCHAs (Completely Automated Public Turing Test to Tell Computers and Humans Apart) are a popular security mechanism used to make sure that only human users, not bots, are able to use the protected online services. They are considered a type of challenge-response authentication in which human interactive proofs (HIPs) are needed to distinguish humans from computers (Chew & Baird 2003, Chellapilla et al. 2005).
Current mainstream CAPTCHAs are text-based. In these schemes, online users are often required to recognise distorted characters presented in an image or video clip. However, in order to maintain a sufficient security level, recognising distorted characters successfully has become increasingly difficult (Yan et al. 2008, Bursztein et al. 2010). This gets even worse on mobile devices due to the limited display size and the shift from keyboards to touch gestures (Lin et al. 2011, Shirali-Shahreza et al. 2013, Wismer et al. 2012).
New interactive CAPTCHA schemes, such as μcaptcha (Leiva & Alvaro 2015) and What's up CAPTCHA (Gossweiler et al. 2009), have been proposed to tackle these challenges on mobile devices. These schemes rely on identifying appropriate challenges and required interactions which are human friendly and bot resistant.
In this paper, we present TAPCHA, a universal CAPTCHA scheme whose security is retained by making the challenges 'undiscoverable' to a bot. Unlike the existing schemes, which focus on making the challenges 'hard to complete' yet 'discoverable' by the bots, our scheme provides flexibility in designing the challenges and deciding the interaction methods. We achieve this by processing the challenge description with methods similar to those seen in present text-based CAPTCHAs, to make it hard for a bot to recognise and understand.

HOW TO 'HIDE' CHALLENGE DESCRIPTION
Consider some attempts to make text-based CAPTCHAs more secure (Alsuhibany 2011, Baird & Riopka 2005, Bursztein et al. 2011, El Ahmad et al. 2012). Similar approaches can be taken to make the challenge description hard for a bot to recognise. Unlike computer bots, human users can benefit from context effects (McClelland & Rumelhart 1981). This means that as long as adequate information cues are present within the whole challenge (description and presentation), human users can still figure out what the challenge is about. Figure 1 shows an example where most words in the challenge description are distorted, such as "move", "from", "left", "touch" and "is". When more context is given, the challenge becomes more understandable to human users.
The benefits are obvious. First, it provides flexibility in designing challenges and deciding suitable interaction methods for the end devices without limiting itself to certain types of challenges and interaction methods. For example, a test could be moving specific objects around, tapping specific objects in order or even drawing a specific shape on the screen. Second, although the security of the scheme is mainly retained through the processed challenge description, it can be further reinforced through the challenge itself. For example, in an object moving challenge, more objects and subtests can be introduced to further reduce the mathematical probability of compromising the challenge without significantly increasing the complexity of the test.

Design
TAPCHA Shape & Shade features 'swipe' based challenges that ask the user to move a specific object from the left side of the canvas to touch another specific object on the right side of the canvas. The specificity of the object is determined by its shape and/or shade. The challenge description is mainly processed by using high strength waveform transformation with anti-bot segmentation adjustment. Figure 2 shows an example where a user is required to move the lightest object from the left (i.e., round) to touch the triangle on the right. For example, the same challenge could be given a description of "Move the square object from left to touch the right object which is the lightest" or "Drag the left square object to touch the right round object".

Security
The mathematical probability of compromising TAPCHA Shape & Shade is determined by the number of objects presented in the test. Taking the example shown in Figure 2, the probability will be 1/(6*5) = 3.33% (Jiang & Dogan 2015).
The OCR test on the challenge description using the Google Cloud Vision API shows that the average success rate of instruction text recognition is 23.5%.

Design
TAPCHA Multi features swipe based challenges similar to those of TAPCHA Shape & Shade. The differences are: (1) the specificity of an object is now determined by its shape and colour and (2) the user needs to swipe more than once based on the challenge description. Figure 3 shows an example where a user is asked to (1) place the round object from the left over the triangle on the right and (2) place the star from the right over the orange object on the left.

Security
The mathematical probability of compromising TAPCHA Multi is determined by the number of objects presented in the test. Taking the example shown in Figure 3, the probability will be 1/(8x7)^2 = 0.03%.
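The two figures above can be generalised into a small sizing model. This is an added example, not code from the paper: it assumes that 6*5 and 8x7 count ordered (source, target) pairs of distinct objects on the canvas and that every swipe is guessed independently, and the function names are hypothetical.

```python
import random
from fractions import Fraction

def guess_probability(n_objects: int, swipes: int = 1) -> Fraction:
    """Chance that blind guessing passes the test.

    Assumption: each swipe is an ordered (source, target) pair of
    distinct objects, and all swipes in the test must be correct.
    """
    if n_objects < 2 or swipes < 1:
        raise ValueError("need at least 2 objects and 1 swipe")
    return Fraction(1, (n_objects * (n_objects - 1)) ** swipes)

def simulate_blind_guessing(n_objects, swipes, trials, seed=0):
    """Empirical pass rate of uniformly random swipes (constructed model)."""
    rng = random.Random(seed)
    objects = range(n_objects)
    passed = 0
    for _ in range(trials):
        # A fresh answer per challenge; the guesser cannot read the description.
        answer = [tuple(rng.sample(objects, 2)) for _ in range(swipes)]
        guess = [tuple(rng.sample(objects, 2)) for _ in range(swipes)]
        passed += guess == answer
    return passed / trials

def min_objects_for(target: Fraction, swipes: int) -> int:
    """Smallest object count whose blind-guess rate is at or below target."""
    n = 2
    while guess_probability(n, swipes) > target:
        n += 1
    return n

if __name__ == "__main__":
    # Object and swipe counts taken from the Figure 2 and Figure 3 examples.
    for label, n, k in (("Shape & Shade", 6, 1), ("Multi", 8, 2)):
        p = guess_probability(n, k)
        print(f"{label}: 1/{p.denominator} = {float(p):.2%}")
    print("simulated, 6 objects, 1 swipe:",
          simulate_blind_guessing(6, 1, 200_000))
    # Design question: how many objects keep blind guessing at or below 0.1%?
    for k in (1, 2):
        print(f"{k} swipe(s):", min_objects_for(Fraction(1, 1000), k), "objects")
```

Under this model, adding a second swipe lowers the guess rate far more than adding objects does, which matches the paper's point that subtests reinforce security without crowding the canvas.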

CONCLUSION
In this paper, we presented TAPCHA, a universal CAPTCHA scheme designed for touch enabled smart devices including smartphones, tablets and smartbands. TAPCHA is different from other approaches as it tries to 'hide' a challenge from computer bots by processing the challenge description to make it unrecognisable by them. This is achieved by using methods similar to those noted in some text based CAPTCHA schemes. At the same time, as human users can benefit from context effects, with adequate information cues presented within the whole challenge, they can still understand the challenge and complete it. The benefit is twofold. First, it provides flexibility in designing challenges and deciding suitable interaction methods for the end devices. Second, although the security of TAPCHA is mainly retained through the processed challenge description, it can be further reinforced through the challenge itself.
To demonstrate how TAPCHA can be used in the real world, TAPCHA Shape & Shade and TAPCHA Multi were developed. Our next step is to test TAPCHA with real users, using the two demos developed, to further understand its usability.

Figure 1: Processed instruction with different levels of context provided (left: no context, middle: context level 1, right: context level 2)