Feeds

Researchers find irreparable flaw in popular CAPTCHAs

Decaptcha pierces Live.com, Yahoo!, Digg

Top three mobile application threats

Computer scientists have developed software that easily defeats audio CAPTCHAs offered on account registration pages of a half-dozen popular websites by exploiting inherent weaknesses in the automated tests designed to prevent fraud.

Decaptcha is a two-phase audio-CAPTCHA solver that correctly breaks the puzzles with a 41-percent to 89-percent success rate on sites including eBay, Yahoo, Digg, Authorize.net, and Microsoft's Live.com. The program works by removing background noise from the audio files, allowing only the spoken characters needed to complete the test to remain.

In virtually all of the tests, Decaptcha was able to correctly solve the puzzle at least once in every 100 attempts, making the technique suitable for botmasters with large armies of compromised computers. The high success rate was largely the result of the ease in removing sound distortions known as background noise, intermediate noise, and constant noise inserted into the background to throw off speech-recognition programs. Most audio-based CAPTHA systems are wide open to the attack with the notable exception of the Google-owned Recaptcha.net, which uses a different approach known as semantic noise.

"Our results indicate that non-continuous audio captcha schemes built using current methods (without semantic noise) are inherently insecure," the scientists wrote in a recently published research paper. "As a result, we suspect that it may not be possible to design secure audio captchas that are usable by humans using current methods. It is therefore important to explore alternative approaches."

Decaptcha uses a supervised algorithm that must be trained for each CAPTCHA scheme being targeted. Training requires feeding a set of puzzles with their answers into the program. Eventually, Decaptcha was able to identify the sound shapes in the underlying audio file by comparing them to a large sample of sounds already cataloged. The researchers generated 4.2 million audio CAPTCHAs.

The paper is only the latest reminder of the flaws in CAPTCHAs, which are designed to prevent scripts from registering email accounts, and carrying out other automated attacks, by presenting the user with a problem that's hard for computers to solve. Real-world attacks against audio-CAPTCHAs from Microsoft have already been used by the Pushdo spam botnet to create fraudulent email accounts on Live.com. More traditional CAPTCHAs, which require a user to recognize a word buried in a distorted image, have been successfully defeated for years, with one of the more recent examples being an optical character recognition attack on Google.

After attacks come to light, website operators typically make changes that block specific technique. Researchers then revise their attacks, requiring more changes to be made in the targeted CAPTCHA schemes.

The latest research suggests web developers may have to make permanent changes to the audio CAPTCHAs, which are offered for visually impaired users.

"Our experiments with commercial and synthetic captchas indicate that the present methodology for building audio captchas may not be rectifiable," they wrote. "Besides Recaptcha, all of the commercial schemes we tested used combinations of constant and regular noise as distortions. All in all, computers may actually be more resilient than humans to constant and regular noise so any schemes that rely on these distortions will be inherently insecure."

The paper was authored by Elie Bursztein, Hristo Paskov, and John Mitchell of Stanford University, Romain Beauxis of Tulane University, Daniele Perito of INRIA and Celine Fabry. A PDF of the report is here. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.