Invisible CAPPCHA: A usable mechanism to distinguish between malware and humans on the mobile IoT

摘要

Smartphone devices are often assuming the role of edge systems in mobile IoT scenarios and the access to cloud-based services through smartphones, for transmitting multiple sensory data related to human activities, often implying some lawful evidence, has become increasingly common. Thus the need for protecting such transactions from abuses and frauds based on automation techniques is now a critical issue. The most widely adopted method to prevent unauthorized access and abuse of a service by malicious software automation is CAPTCHA. However, trying to strengthen CAPTCHA resilience to automated attacks has led to challenges that, while still being vulnerable, are both difficult and unpleasant for humans. Hence, the strong need for a mechanism that is both secure and usable. In this paper, we present Invisible CAPPCHA, a mechanism that, leveraging trusted sensors embedded in a secure element located on a smartphone is capable of separating humans from computers in a way that is completely transparent to users. Furthermore, as no challenge is required, no additional time is needed and the user cannot fail it by mistake. Compared to the state of the art, our proposal is both secure and more user friendly, lending itself optimally to secure mobile cloud services. (C) 2018 Elsevier Ltd. All rights reserved.