November 3, 2011 report
Stanford researchers outsmart captcha codes
(PhysOrg.com) -- Stanford researchers say that captcha security codes, which ask users signing up for Internet services to type a string of distorted letters to prove they are human, can be thwarted, and as proof they have successfully defeated the captchas at big-name sites such as Visa, CNN and eBay. In fact, they found that 13 out of 15 high-profile sites were vulnerable to automated attacks.
Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The test was created in 2000 by a Carnegie Mellon University computer science graduate student and his advisor as a security tool to safeguard web sites from automated bot attacks and spammers.
Simply put, the test was supposed to be passable by humans but not by machines. The Stanford team, however, found that its own captcha-breaking tool was able to strip away captcha's protective cover.
The researchers, Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory, Matthieu Martin and John C. Mitchell, were able to crack the codes. In their study they note that site owners should take a closer look at their captchas:
As we substantiate by thorough study, many popular websites still rely on schemes that are vulnerable to automated attacks. For example, our automated Decaptcha tool breaks the Wikipedia scheme... approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas.
The Stanford automated tool, Decaptcha, removes the image's background noise and then breaks the text string into single characters so that each can be recognized on its own. The tool was run against selected websites: Visa's Authorize.net payment gateway was defeated 66 per cent of the time, and eBay's captcha was bypassed 43 per cent of the time. Lower success rates were recorded against Wikipedia, Digg and CNN.
Google and reCAPTCHA were the only two that beat the Stanford team's automated tool; no gotchas for either one.
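To make the two pre-processing steps concrete, here is an added illustration in Python. It is not the Stanford team's Decaptcha code and is not taken from their paper; the bitmap, the size threshold, and the function names are constructed for this example. It shows why noise removal comes first: isolated speckle pixels between glyphs would otherwise be cut out as extra "characters" by a column-projection segmenter.

```python
"""Illustrative captcha pre-processing: remove speckle noise, then split the
cleaned bitmap into per-character column ranges (added example, not Decaptcha)."""
from collections import deque

HEIGHT, WIDTH = 12, 34  # constructed bitmap size; 1 = ink, 0 = background


def make_sample():
    """Constructed sample bitmap (not a real captcha image): three glyph
    blobs separated by blank columns, plus five isolated noise pixels."""
    grid = [[0] * WIDTH for _ in range(HEIGHT)]

    def rect(r0, r1, c0, c1):
        for r in range(r0, r1 + 1):
            for c in range(c0, c1 + 1):
                grid[r][c] = 1

    rect(2, 9, 2, 6)                 # glyph 1: solid block, columns 2-6
    rect(2, 9, 12, 17)               # glyph 2: hollow box, columns 12-17
    for r in range(4, 8):            # carve out the inside of the box
        for c in range(14, 16):
            grid[r][c] = 0
    rect(2, 9, 23, 24)               # glyph 3: an "L", columns 23-28
    rect(8, 9, 23, 28)
    # Speckle noise in the gaps between glyphs and past the last one.
    for r, c in [(0, 9), (7, 9), (5, 20), (1, 30), (11, 31)]:
        grid[r][c] = 1
    return grid


def remove_small_components(grid, min_size=4):
    """Drop every 8-connected ink component with fewer than min_size pixels.
    Isolated speckles vanish; real strokes (dozens of pixels) survive.
    min_size is an assumed threshold chosen for this constructed sample."""
    h, w = len(grid), len(grid[0])
    seen = [[False] * w for _ in range(h)]
    out = [row[:] for row in grid]
    for r in range(h):
        for c in range(w):
            if not grid[r][c] or seen[r][c]:
                continue
            comp, queue = [], deque([(r, c)])
            seen[r][c] = True
            while queue:                       # BFS flood fill
                y, x = queue.popleft()
                comp.append((y, x))
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        ny, nx = y + dy, x + dx
                        if (0 <= ny < h and 0 <= nx < w
                                and grid[ny][nx] and not seen[ny][nx]):
                            seen[ny][nx] = True
                            queue.append((ny, nx))
            if len(comp) < min_size:
                for y, x in comp:
                    out[y][x] = 0
    return out


def segment_columns(grid):
    """Vertical-projection segmentation: a character is a maximal run of
    columns containing at least one ink pixel. Returns (start, end) pairs."""
    w = len(grid[0])
    has_ink = [any(row[c] for row in grid) for c in range(w)]
    segments, start = [], None
    for c, ink in enumerate(has_ink):
        if ink and start is None:
            start = c
        elif not ink and start is not None:
            segments.append((start, c - 1))
            start = None
    if start is not None:
        segments.append((start, w - 1))
    return segments


def ink_count(grid):
    return sum(sum(row) for row in grid)


def pipeline(grid):
    """Denoise first, then segment; the order is what makes the split clean."""
    return segment_columns(remove_small_components(grid))


def render(grid):
    return "\n".join("".join("#" if v else "." for v in row) for row in grid)


if __name__ == "__main__":
    sample = make_sample()
    print(render(sample))
    print("raw segmentation:     ", segment_columns(sample))
    print("denoised segmentation:", pipeline(sample))
```

On the constructed bitmap the raw projection yields six runs (the three glyphs plus three noise-only runs at columns 9, 20 and 30-31), while denoising first leaves exactly the three glyph ranges. A real breaker needs more than this: touching or overlapping characters defeat a plain column projection, which is precisely the property the stronger schemes in the study rely on.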
Interestingly, reCAPTCHA also has its roots at Carnegie Mellon, where it was developed as a step up from captcha. The reCAPTCHA project added further protective distortions, random warping and lines, to produce something still readable by humans but harder for machines. In 2009, Google acquired reCAPTCHA.
As for other sites using captcha, the three researchers suggest in their paper various ways to make captchas harder to outsmart. The Stanford team presented the results of their research last month at CCS 2011 (the ACM Conference on Computer and Communications Security) in Chicago.
What's more, Visa's Authorize.net and Digg have switched to reCAPTCHA since these tests were performed.
© 2011 PhysOrg.com