Researchers defeat CAPTCHA on popular websites
New tool is capable of solving CAPTCHA tests on Wikipedia, eBay, CNN and others
IDG News Service - Researchers from Stanford University have developed an automated tool that is capable of deciphering text-based anti-spam tests used by many popular websites with a significant degree of accuracy.
Researchers Elie Bursztein, Matthieu Martin and John C. Mitchel presented the results of their year-and-a-half long CAPTCHA study at the recent ACM Conference On Computer and Communication Security in Chicago.
CAPTCHA stands for 'Completely Automated Public Turing test to tell Computers and Humans Apart' and consists of challenges that only humans are supposed to be capable of solving. Websites use such tests in order to block spam bots that automate tasks like account registration and comment posting.
There are various types of CAPTCHAs, some using audio, others using math problems, but the most common implementations rely on users typing back distorted text. The Stanford team devised various methods of cleaning up purposely introduced image background noise and breaking text strings into individual characters for easier recognition, a technique called segmentation.
Some of their CAPTCHA-breaking algorithms are inspired by those used by robots to orient themselves in various environments and were built into an automated tool dubbed Decaptcha. This tool was then run against CAPTCHAs used by 15 high-profile websites.
The results revealed that tests used by Visa's Authorize.net payment gateway could be beaten 66% of the time, while attacks on Blizzard's World of Warcraft portal had a success rate of 70%.
Other interesting results were registered on eBay, whose CAPTCHA implementation failed 43% of the time, and on Wikipedia, where one in four attempts was successful. Lower, but still significant, success rates were found on Digg, CNN and Baidu -- 20, 16 and 5% respectively.
The only tested sites where CAPTCHAs couldn't be broken were Google and reCAPTCHA. The latter is an implementation originally developed at Carnegie Mellon University and bought by the Internet search giant in September 2009.
Authorize.net and Digg have switched to reCAPTCHA since these tests were performed, but it's not clear if the other websites made changes as well. Nevertheless, the Stanford researchers came up with several recommendations to improve CAPTCHA security.
These include randomizing the length of the text string, randomizing the character size, applying a wave-like effect to the output and using collapsing or lines in the background. Another noteworthy conclusion was that using complex character sets has no security benefits and is bad for usability.
Bursztein and his team have also had other breakthroughs in this field in the past. Back in May, they developed techniques to successfully break audio CAPTCHAs on sites like Microsoft, eBay, Yahoo and Digg and they plan to continue improving their Decaptcha tool in the future.
- SIP Migration: Addressing CIOs' Concerns Recent data from IDG Research shows that many IT executives are counting on SIP to help them meet employee efficiency and customer experience...
- City Solved Network Mystery - Saves $30K The City of Jacksonville put their hunch to work and not only solved a mystery, but found a new and innovative use for...
- Using Video to Gain a Competitive Advantage: A Business Strategy for Mid-Market Companies The insights provided in this white paper are based on industry analysts and 30+ years of experience from the Video Collaboration Group at...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Network Security White Papers | Webcasts