Captcha stands for Completely Automated Public Turing Test to tell Computers and Humans Apart. This is a test that a Carnegie Mellon University computer science graduate student and his advisor created in 2000 as a security tool to safeguard web sites from automated bot attacks and spammers.
Simply put, the test was supposed to be passable by humans, not machines. The Stanford team, however, found that its own captcha-breaking tool was able to strip away the captchas' protective cover.
The researchers Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory, Matthieu Martin, and John C. Mitchell were able to crack the codes. In their study, they note that site owners should be taking a closer look at their captchas:
As we substantiate by thorough study, many popular websites still rely on schemes that are vulnerable to automated attacks. For example, our automated Decaptcha tool breaks the Wikipedia scheme... approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas.
The Stanford automated tool, Decaptcha, involved removal of image background noise and breaking text strings into single characters for easier recognition. This tool was run against selected websites. Visa's Authorize.net payment gateway was defeated 66 per cent of the time. eBay's captcha was sidestepped 43 per cent of the time. Lower break rates were recorded at Wikipedia, Digg and CNN.
Google and reCAPTCHA were the only two that beat out the Stanford team's automated tool: no gotchas for either one.
Interestingly, reCAPTCHA also has its roots at Carnegie Mellon, and it was developed as a step up from captcha. The reCAPTCHA project sought further protective distortions, with random warping and lines, for something that would be readable by humans but more complex. In 2009, Google acquired reCAPTCHA.
As for other sites using captcha, the three researchers in their paper suggest various ways that captchas can be made harder to outsmart. The Stanford team presented results of their research last month at CCS 2011 (the ACM Conference on Computer and Communications Security) in Chicago.
What's more, Visa's Authorize.net and Digg have switched to reCAPTCHA since these tests were performed.
More information: Report: cdn.ly.tl/publications/text-ba … s-and-weaknesses.pdf
Temple
Exactly, there's far more money at stake in developing bots that can beat these tests than was at the disposal of the researchers at the university.
This result does have value as an indication of how captcha codes can be beaten with relatively little effort. This strongly implies that those who can gain money from it will be happy to devote even greater resources to it.
Plus, there's a nearly foolproof method of beating these tests. One can capture the image (or whatever form the test is manifested as) and present it to a real human for deciphering. There are sites that offer free content (porn, etc) in return for solving a page full of captchas. With enough traffic, these systems (which do indeed exist) can bypass thousands of captchas per hour.
Unfortunately, Spam is here to stay.
Nerdyguy
As a Firefox user, I would applaud this. I'm all for security, and use a lot of tools myself. But captchas are in that category of tools that are so annoying they likely inhibit the goals of the sites that use them - namely, usage of the site.
that_guy
Also, any captcha that can be deciphered by a human can be broken - there are plenty of dark sites on the internet that ask you to "do a captcha" to see or do something on it - when really the captcha is from another site that someone is trying to spambot. They just side-step the issue and have a person do it for them. You're not going to let a captcha get in between you and your Jessica Alba picture, are you?
that_guy
Because moving pixels are ever so easy for an algorithm to catch and remove or vice versa. Or any combination of that you would want to do.
Quite simply, any captcha that had any kind of pixel transformation that applied differently to the masking part and the characters would be the simplest type for a program to separate and break.
That's why captchas are generally static and black and white.
Deesky
That way, the hacking software would need to perform feature extraction, character recognition and a math solver.
Mind you, it would probably also tick off even more human users!
abhishekbt
This way, no computer can tell the captcha unless they manage to capture all the parts. Just capturing the moving pixels alone wouldn't help.
Excuse my programmer-like thinking. I am one!
blazingspark
That will mean that AI is just around the corner at that point!
JadedIdealist
Eventually we need to have problems that take strong AI to solve - and once they get broken - well, Mission Fucking Accomplished http://xkcd.com/810/
Isaacsname
I thought, since stochastic resonance actually allows better visual processing of detail in humans, i.e. "visual static, or visual snow", why couldn't it be used as an overlay for captcha images?
I think it would make it extremely difficult for current AI to get around.
http://www.youtub...duEEoCaA
that_guy
I really think that you're looking at it the wrong way. Consider if the background is moving and the image is not - an algorithm can easily pick up that certain pixels change, while others do not. That is the crux of the problem. If there is anything that happens where some pixels are changed but others are changed in a different way, or some are color, and others are not, then it is really easy to pick those out and isolate or remove them.
To an algorithm, you have to make the relevant pixels and the masking pixels seem exactly the same. The same color scheme, the same movement. If any movement or color applies differently to the captcha and the background, then it can be picked out.
But if it applies exactly the same to all areas, then it doesn't really help people.
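As an added example, not the Stanford team's Decaptcha code, the following applies the two steps the article attributes to Decaptcha (strip background noise, then cut the string into single characters) to a constructed captcha bitmap, so a site owner can check their own scheme the way the last comment argues: noise that is treated differently from the glyphs (here lighter gray speckle) falls away under a threshold, while noise drawn with the same ink and crossing the glyphs does not. The block glyphs, gray values and column-projection segmenter are assumptions of this example.

```python
import random

# Constructed 5x5 block glyphs ('#' is ink); a stand-in for a real captcha font.
GLYPHS = {
    "T": ["#####", "..#..", "..#..", "..#..", "..#.."],
    "L": ["#....", "#....", "#....", "#....", "#####"],
    "O": ["#####", "#...#", "#...#", "#...#", "#####"],
}
INK, PAPER, GAP = 0, 255, 2   # grayscale values; blank columns between glyphs

def render(text, noise_gray, noise_px, strike_row=None, seed=1):
    """Bitmap (list of rows) of `text` with `noise_px` speckles of value
    `noise_gray` on blank pixels, and optionally an ink line across one row."""
    width = len(text) * (5 + GAP) + GAP
    img = [[PAPER] * width for _ in range(7)]
    for i, ch in enumerate(text):
        x0 = GAP + i * (5 + GAP)
        for r, row in enumerate(GLYPHS[ch]):
            for c, px in enumerate(row):
                if px == "#":
                    img[r + 1][x0 + c] = INK
    rng = random.Random(seed)
    for _ in range(noise_px):
        r, c = rng.randrange(7), rng.randrange(width)
        if img[r][c] == PAPER:          # speckle never overwrites glyph ink
            img[r][c] = noise_gray
    if strike_row is not None:
        img[strike_row] = [INK] * width  # same ink as the glyphs, crossing them
    return img

def strip_noise(img, threshold=64):
    """Step 1: keep only pixels darker than `threshold` (naive denoising)."""
    return [[px < threshold for px in row] for row in img]

def segment(mask):
    """Step 2: column projection; each run of inked columns is one character."""
    cols = [any(mask[r][c] for r in range(len(mask))) for c in range(len(mask[0]))]
    runs, start = [], None
    for c, inked in enumerate(cols + [False]):   # sentinel closes the last run
        if inked and start is None:
            start = c
        elif not inked and start is not None:
            runs.append((start, c - 1))
            start = None
    return runs

def segments_found(img):
    """Characters the naive pipeline isolates; compare with len(text)."""
    return len(segment(strip_noise(img)))
```

With lighter-gray speckle the pipeline isolates all three characters; with ink-colored speckle plus a strike-through line it finds a single merged run, which is the failure mode a site owner wants to see before an attacker does.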