Captcha security

The article Outsmarted: Captcha security not much of a gotcha reports that a team of Stanford University researchers has bad news about Captchas, those often unreadable, always annoying distorted letters that many Web sites require you to type in to prove that you are really a human. Captchas are often used to defend against malicious bots, including botnet operators who try to automatically create accounts on Web e-mail services to send spam.

[Image: Modern-captcha]

Many Captchas don’t work well at all. More precisely, the researchers developed a general way to decode the irksome letters and numbers used in Captchas on many major Web sites. Fortunately for normal users and the owners of those web sites, the researchers have no plans to release their Decaptcha tool. This gives Captcha users some time to fix their systems before the “bad guys” work out their own decaptcha program (trust me, it will happen sooner or later).

The major problem, according to the researchers, is that most Captchas are designed without proper testing, including usability testing, and are fundamentally unable to fully guarantee application security. Captchas were always doomed to degrade over time, so they need to evolve. Even though there are considerable problems, Captchas are still useful for protecting against certain threats.

Google’s slanted-red-letters Captcha (used in Gmail) and the fuzzy-lettered ReCaptcha were found to be fairly secure against the attacks (everything else tested was much less secure). The free ReCaptcha is used by what Google estimates to be over 100,000 Web sites, including Twitter, Facebook, Craigslist, Ticketmaster, and Microsoft. If you are looking for a Captcha solution, try the fuzzy-lettered ReCaptcha and do not try to make your own weaker solution. For more details read the paper The Robustness of Google CAPTCHAs.

5 Comments

  1. Jenafe says:

    I am not against the use of captcha. It is just that sometimes, even when you are sure that you entered the right entry, they will still find it wrong. It is not a problem if you are just wasting your time typing those captchas.

    Jenafe

    Blog: armoire chambre enfant 

    Reply
  2. Tomi Engdahl says:

    Are You a Human replaces annoying CAPTCHAs with games
    http://venturebeat.com/2012/05/21/are-you-a-human-replaces-annoying-captchas-with-games/

    Websites need to verify that a visitor is a real person and not an automated bot. But the CAPTCHA test that they came up with — where you have to type in the word that you see in a blurry distorted font image — is extremely annoying and often leads to multiple failures.

    So a Detroit-based startup, Are You a Human, is replacing the CAPTCHA with simple minigames instead. It is releasing its human authentication tool, PlayThru, to help companies fight spammers and bots that have begun to circumvent CAPTCHAs.

    On top of that, CAPTCHAs are frustrating to users who can’t discern the distorted text. About 20 percent of the users will leave a site rather than complete a CAPTCHA, according to the company’s research.

    With Are You a Human’s tool, companies can embed a simple game instead. For instance, one minigame requires users to look at a set of five images and pick up the two tools and put them in a tool box. Or the user can drag and drop toppings onto a pizza. Since the games are dynamic and always changing, they are hard for computers to solve but easy for people to complete. PlayThru can improve security and entertain users at the same time, and it works easily on touchscreen smartphones. The company’s own survey of 1,000 users showed that they preferred PlayThru four-to-one over traditional text-based CAPTCHAs. Sites using it have seen their submission rates go up by 40 percent.

    “Text-based CAPTCHAs are difficult to decipher and easy to break, which forces them to become increasingly more difficult to solve,”

    “This vicious cycle makes it frustrating for users, who many times will give up before following through to a site.”

    Reply
  3. Tomi Engdahl says:

    How a trio of hackers brought Google’s reCAPTCHA to its knees
    Hackers exploit weaknesses in Google’s bot-detection system with 99% accuracy.
    http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

    Google revamped its reCAPTCHA system, used to block automated scripts from abusing its online services, just hours before a trio of hackers unveiled a free system that defeats the widely used challenge-response tests with more than 99 percent accuracy.

    Stiltwalker, as the trio dubbed its proof-of-concept attack, exploits weaknesses in the audio version of reCAPTCHA, which is used by Google, Facebook, Craigslist and some 200,000 other websites to confirm that humans and not scam-bots are creating online accounts. While previous hacks have also used computers to crack the Google-owned CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) system, none have achieved Stiltwalker’s impressive success rate.

    Stiltwalker’s success exploits some oversights made by the designers of reCAPTCHA’s audio version, combined with some clever engineering by the hackers who set out to capitalize on those mistakes. The audio test, which is aimed at visually impaired people who have trouble recognizing obfuscated text, broadcasts six words over a user’s computer speaker. To thwart word-recognition systems, reCAPTCHA masks the words with recordings of static-laden radio broadcasts, played backwards, so the background noise would distract computers but not humans.

    What the hackers—identified only as C-P, Adam, and Jeffball—learned from analyzing the sound prints of each test was that the background noise, in sharp contrast to the six words, didn’t include sounds that registered at higher frequencies. By plotting the frequencies of each audio test on a spectrogram, the hackers could easily isolate each word by locating the regions where high pitches were mapped.

    Reply
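The oversight described in the comment above is that the masking noise carried no energy in the bands where the words did. As an added defender-side example (not code from the article, from Google, or from the Stiltwalker team), the check below is the kind of pre-release audit an audio Captcha generator could run: compare the per-band energy of the noise track with that of the speech track and flag bands where the mask is effectively absent. All clips are constructed sinusoid mixtures at an assumed 8 kHz sample rate, standing in for real recordings.

```python
"""Audit check for an audio CAPTCHA generator: does the masking noise cover the
same frequency bands as the spoken words?  Pure Python on purpose (no numpy)."""
import math
import random

SAMPLE_RATE = 8000   # Hz; assumed rate for the constructed clips below
FRAME = 512          # DFT size -> bins are SAMPLE_RATE / FRAME = 15.625 Hz apart
BANDS = [(0, 500), (500, 1000), (1000, 2000), (2000, 4000)]  # Hz, [low, high)

def synth(components, n=FRAME, seed=7):
    """Constructed test clip: sum of sinusoids given as (freq_hz, amplitude), random phases."""
    rng = random.Random(seed)
    phases = [rng.uniform(0, 2 * math.pi) for _ in components]
    return [sum(a * math.cos(2 * math.pi * f * t / SAMPLE_RATE + p)
                for (f, a), p in zip(components, phases)) for t in range(n)]

def band_energies(samples):
    """Energy per band from a Hann-windowed DFT of one frame."""
    n = len(samples)
    win = [(0.5 - 0.5 * math.cos(2 * math.pi * t / n)) * s for t, s in enumerate(samples)]
    energy = {b: 0.0 for b in BANDS}
    for k in range(n // 2):
        re = sum(w * math.cos(2 * math.pi * k * t / n) for t, w in enumerate(win))
        im = sum(w * math.sin(2 * math.pi * k * t / n) for t, w in enumerate(win))
        hz = k * SAMPLE_RATE / n
        for lo, hi in BANDS:
            if lo <= hz < hi:
                energy[(lo, hi)] += re * re + im * im
    return energy

def uncovered_bands(speech, noise, min_speech_share=0.05, min_cover_ratio=0.25):
    """Bands that carry a meaningful share of the speech energy but where the mask
    contributes less than min_cover_ratio of that energy: the words stand out from
    the noise there, which is exactly what a spectrogram-based separation relies on."""
    s_e, n_e = band_energies(speech), band_energies(noise)
    total = sum(s_e.values())
    return [b for b in BANDS
            if s_e[b] >= min_speech_share * total and n_e[b] < min_cover_ratio * s_e[b]]

# Constructed stand-ins: a "word" with harmonics up to 2.5 kHz, a mask confined to
# low frequencies (the flaw described in the comment) and a mask spanning the speech band.
WORD = synth([(250, 1.0), (1250, 0.6), (2500, 0.4)])
WEAK_MASK = synth([(k * 15.625, 0.4) for k in range(12, 61, 3)])     # 187.5 .. 937.5 Hz only
STRONG_MASK = synth([(k * 15.625, 0.4) for k in range(12, 221, 8)])  # 187.5 .. 3437.5 Hz

if __name__ == "__main__":
    print("weak mask leaves uncovered:", uncovered_bands(WORD, WEAK_MASK))
    print("strong mask leaves uncovered:", uncovered_bands(WORD, STRONG_MASK))
```

Real clips would be analysed frame by frame rather than as a single 512-sample window; the per-band comparison stays the same.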
  4. Tomi Engdahl says:

    CAPTCHA-busting villains branch out from spam into ID theft
    ‘CAPTCHA in the Rye’ report delivers captcha and verse
    http://www.theregister.co.uk/2012/06/18/captcha_buster_study/

    The cybercrooks attempting to defeat CAPTCHAs are no longer just traditional junk-mailers who want to get around the test to send spam. In a recent study, security researchers have discovered that criminals are also using circumvention techniques in attacks that harvest financial or personal data.

    Hackers have developed numerous methods to bypass CAPTCHAs, including computer-assisted tools and crowd-sourcing, creating a cat-and-mouse game between miscreants and CAPTCHA providers such as Google and others.

    Junk mailers, for example, are interested in defeating CAPTCHA challenges in order to establish webmail accounts for subsequent spam runs. Last weekend spammers managed to spam the UK’s open data website by circumventing its CAPTCHA gateway in a slightly more sophisticated variant of the same play.

    How do they do it?

    Hackers are using computer-assisted tools based on optical character recognition or machine learning technologies as well as tools which outsource CAPTCHA-breaking to modern day sweatshops, typically located in India. More recently miscreants have begun hoodwinking naive users into being a part of the crowd sourced for CAPTCHA solutions. These crowd-sourcing techniques sometimes pose as CAPTCHA-busting games that reward players. Some CAPTCHA-busting sites offer free porn as an incentive.

    Attacks based on CAPTCHA-busting have now been used to access a system for filing financial status reports maintained by one of the central banks in Argentina. Criminals have also launched attacks designed to obtain tax details associated with a Brazilian social security number. Hackers have also targeted the website of an agency in charge of the voting process in Brazil. All three sets of attacks are likely one important part in a more elaborate set of scams, most likely involving ID theft.

    “CAPTCHA security, like many other security segments, is a battle of innovation between hackers and security professionals,” said Amichai Shulman, CTO of Imperva. “CAPTCHA security must be balanced against a positive user experience, but can readily be improved by deploying anti-automation solutions to help prevent hackers from employing anti-CAPTCHA tools.”

    Reply
  5. youlikehits software says:

    Hello there very nice site! Gentleman. Excellent. Awesome. I am going to save your blog post and take the for moreover? Now i’m pleased to get a wide range of helpful info in this article inside the placed, we would like come up with added tactics with this value, thanks for giving.

    Reply
