%0 Electronic Article %A Haichang Gao %+ School of Software, Institute of Software Engineering, Xidian University, 710071 Xi'an, Shaanxi, People's Republic of China %A Xuqin Wang %+ School of Software, Institute of Software Engineering, Xidian University, 710071 Xi'an, Shaanxi, People's Republic of China %A Fang Cao %+ School of Software, Institute of Software Engineering, Xidian University, 710071 Xi'an, Shaanxi, People's Republic of China %A Zhengya Zhang %+ School of Software, Institute of Software Engineering, Xidian University, 710071 Xi'an, Shaanxi, People's Republic of China %A Lei Lei %+ School of Software, Institute of Software Engineering, Xidian University, 710071 Xi'an, Shaanxi, People's Republic of China %A Jiao Qi %+ School of Software, Institute of Software Engineering, Xidian University, 710071 Xi'an, Shaanxi, People's Republic of China %A Xiyang Liu %+ School of Software, Institute of Software Engineering, Xidian University, 710071 Xi'an, Shaanxi, People's Republic of China %K hollow CAPTCHA %K success rates %K Web sites %K Yandex CAPTCHA %K systematic analysis %K text-based CAPTCHA %K text-based completely automated public turing test robustness %K undesirable malicious bot programmes %K attack method %K ReCAPTCHA %K nonhollow CAPTCHA %K attack improvement %X Text-based completely automated public turing tests to tell computers and humans apart (CAPTCHAs) have been widely deployed across the Internet to defend against undesirable or malicious bot programmes. In this study, the authors provide a systematic analysis of text-based CAPTCHAs and innovatively improve their earlier attack on hollow CAPTCHAs to expand applicability to attack all the text CAPTCHAs. With this improved attack, they have successfully broken the CAPTCHA schemes adopted by 19 out of the top 20 web sites in Alexa including two versions of the famous ReCAPTCHA. With success rates ranging from 12 to 88.8% (note that the success rate for Yandex CAPTCHA is 0%), they demonstrate the effectiveness of their attack method. It is not only applicable to hollow CAPTCHAs, but also to non-hollow ones. As their attack casts serious doubt on the viability of current designs, they offer lessons and guidelines for designing better text-based CAPTCHAs. %@ 1751-8709 %T Robustness of text-based completely automated public turing test to tell computers and humans apart %B IET Information Security %D January 2016 %V 10 %N 1 %P 45-52 %I Institution of Engineering and Technology %U https://digital-library.theiet.org/;jsessionid=16pex44vwfa9c.x-iet-live-01content/journals/10.1049/iet-ifs.2014.0381 %G EN