This is not a real shock to be if I’m perfectly honestly, I only use reCAPTCHA whenever I need a CAPTCHA implementation for anything.
And well even then, it’s not totally safe as apparently you can farm out your CAPTCHA cracking (those the fail the automated attempts) to India for a few dollars. It does help cut down on sign-ups and bot spam – but it’s certainly not fool proof.
The report just reinforces my stance proving that 13 out of 15 popular captures could be cracked with automated software.
Security researchers have discovered the vast majority of text-based anti-spam tests are easily defeated.
Computer scientists from Stanford University discovered 13 of 15 CAPTCHA schemes from popular websites were vulnerable to automated attacks. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has been used for several years to prevent automated sign-ups to webmail accounts or online forums in order to block spam bots. Surfers are typically asked during a registration process to identify distorted letters as depicted in an image. A variety of other approaches – including pictures of cats, audio clips and calculus puzzles – have been applied to the problem over the years.
Cybercrooks have responded to the challenge posed by CAPTCHAs by devising techniques that typically involve semi-automatically signing up for new accounts, while relying on the human cogs in 21st century sweatshops – typically located in India – to solve the CAPTCHA puzzles themselves.
The Stanford team, by contrast, looked at whether it was possible to fully automate the process of breaking CAPTCHAs. Their techniques including removing deliberately introduced image background noise and breaking text strings into single characters for easier recognition. The team built an automated tool, called Decaptcha, that applied these various tricks. The approach was partially inspired by techniques used to orientate robots in unknown environments.
It’s interesting to see an academic take on this subject though as it’s usually the realm of blackhats and hobbyists. I’m sure with a fair bit of science they did an excellent job at removing the ‘noise’ that most CAPTCHA systems tend to add to the image to try and foil automatic solving.
I’m also glad to see reCAPTCHA once again stood up well to automated cracking, you’d have to rely on the sweatshops to get past that.
The worst seems to be Authorize.net from VISA – which is surprising and also sad as it’s dealing with banking.
Decaptcha was turned against the challenge response CAPTCHAs used by 15 high-profile websites, enjoying excellent bowling figures against the majority.
For example, Visa’s Authorize.net payment gateway CAPTCHA was defeated 66 per cent of the time. eBay’s CAPTCHA was sidestepped 43 per cent of the time. Lower, but still workable, bypass rates were achieved against Wikipedia, Digg and CNN.
Google and reCAPTCHA were the only two CAPTCHA systems that consistently thwarted Decaptcha during the tests.
Authorize.net and Digg have both switched to reCAPTCHA since these tests were run, Computerworld adds.
In a research paper (PDF), the Stanford team suggest several approaches towards making CAPTCHAs harder to beat, including making the length of a text string changeable and randomising character font and size. Lines in the background of CAPTCHAs might also prove effective. In addition, the Stanford team highlighted features that are ineffective against automated attacks but may counter the activities of humans.
The researchers, Elie Bursztein, Matthieu Martin and John C Mitchel, who previously developed techniques for breaking audio CAPTCHAs, presented their latest research at the recent ACM Conference On Computer and Communication Security in Chicago.
Fortunately both Authorize.net and Digg have switched to reCAPTCHA since this report came out making them safer, it’s probably a case of responsible disclosure by the Stanford scientists.
It’s definitely worth a read if you have anything to do with CAPTCHA implementation and especially relevant if you are thinking of developing your own rather than just using something like reCAPTCHA.
You can grab the full report here:
Source: The Register