Tool Can Beat CAPTCHA

Thursday, November 3, 2011 @ 03:11 PM gHale

There is now an automated tool capable of deciphering text-based anti-spam tests used by popular websites.

The tests, called CAPTCHAs, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” consist of challenges only humans should be capable of solving. The test is an attempt to ensure the response is coming from a person. The process usually involves one computer asking a user to complete a simple test which the computer is able to generate and grade. Websites use such tests in order to block spam bots that automate tasks like account registration and comment posting.


Elie Bursztein, Matthieu Martin and John C. Mitchell, all researchers from Stanford University, presented the results of their year-and-a-half-long CAPTCHA study at the ACM Conference on Computer and Communications Security in Chicago.

There are various types of CAPTCHAs, some using audio, others using math problems, but the most common implementations rely on users typing back distorted text. The Stanford team devised various methods of cleaning up purposely introduced image background noise and of breaking text strings into individual characters for easier recognition, a technique called segmentation.

Some of their CAPTCHA-breaking algorithms took their inspiration from those used by robots to orient themselves in various environments. These were built into an automated tool dubbed Decaptcha, which was then run against CAPTCHAs used by 15 high-profile websites.

The results revealed researchers could beat tests used by Visa’s payment gateway 66% of the time, while attacks on Blizzard’s World of Warcraft portal had a success rate of 70%.

Other results came from eBay, whose CAPTCHA implementation failed 43% of the time, and from Wikipedia, where one in four attempts was successful. Lower, but still significant, success rates were seen on Digg, CNN and Baidu — 20, 16 and 5% respectively.

The only tested sites where they couldn’t break CAPTCHAs were Google and reCAPTCHA. The latter is an implementation originally developed at Carnegie Mellon University and bought by the Internet search giant in September 2009. and Digg have switched to reCAPTCHA since these tests, but it’s not clear if the other websites made changes as well. Nevertheless, the Stanford researchers came up with several recommendations to improve CAPTCHA security.

These include randomizing the length of the text string, randomizing the character size, applying a wave-like effect to the output and using collapsing or lines in the background. Another noteworthy conclusion was that using complex character sets has no security benefit and is bad for usability.
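To show why the researchers single out collapsing characters as a defence against the segmentation step described above, here is an added example (not code from the Stanford study or from Decaptcha): a toy blank-column segmenter, of the kind a CAPTCHA designer can run over their own generator's output as a self-check, applied to two constructed bitmaps of the same three letters, one with gaps between glyphs and one with the glyphs touching. All bitmaps, function names and the pass threshold are assumptions made for the example.

```python
from typing import List, Tuple

# Constructed 3-row bitmaps ('#' = ink, '.' = blank) of the letters H, I, T.
SEPARATED = [            # one blank column between glyphs
    "#.#.###.###",
    "###..#...#.",
    "#.#.###..#.",
]
COLLAPSED = [            # same glyphs, pushed together so they touch
    "#.#######",
    "###.#..#.",
    "#.####.#.",
]


def render(rows: List[str]) -> List[List[int]]:
    """Turn constructed ASCII art into a binary bitmap (1 = ink)."""
    return [[1 if ch == "#" else 0 for ch in row] for row in rows]


def segment_columns(bitmap: List[List[int]]) -> List[Tuple[int, int]]:
    """Naive segmentation: every run of columns containing ink is one
    candidate glyph; a fully blank column ends the run. Returns [start, end)
    column ranges."""
    width = len(bitmap[0])
    inked = [any(row[x] for row in bitmap) for x in range(width)]
    segments, start = [], None
    for x, ink in enumerate(inked + [False]):   # sentinel closes the last run
        if ink and start is None:
            start = x
        elif not ink and start is not None:
            segments.append((start, x))
            start = None
    return segments


def count_glyphs(rows: List[str]) -> int:
    """Number of glyphs the naive segmenter believes it found."""
    return len(segment_columns(render(rows)))


def resists_naive_segmentation(rows: List[str], true_length: int) -> bool:
    """Designer's self-check (assumed threshold): the image passes only if
    blank-column splitting recovers fewer pieces than there are characters,
    i.e. at least two glyphs are fused and must be separated some other way."""
    return count_glyphs(rows) < true_length
```

With the gaps present, the segmenter recovers all three letters and each can be classified on its own; once they touch, the whole word comes back as one segment, which is the effect the recommendation is after.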
