Audio captchas: most can be cracked
Source: Google A team of researchers at Stanford University has developed a system that can be used to crack the audio captchas used by many web sites. Captchas (Completely Automated Public Turing test to tell Computers and Humans Apart) are used as a protection against automated scripts when, for example, creating mail accounts and to thwart spammers. The most common captchas are visual and consist of an image of a string of text that has to be recognised by the user and entered. This is easy for a user to do, but much more difficult for a script.
For those who are visually impaired and find reading a visual captcha difficult, an alternative exists in the form of audio captchas; in these the string of letters and numbers are sent in an audio file which is then played to the user. To make it difficult for automatic speech recognition systems to understand the captchas, audio noise is usually added to the captcha. The researchers point out that audio captchas might be weaker than their visual equivalents due to human physiology. The human visual system is much more complex than the audio system, and on the other hand modern signal processing systems are advanced. As a consequence, "the difference between human and computer audio capabilities is likely significantly less than the difference between human and computer visual processing"
According to the researchers, adding noise to a captcha is not enough to reliably interfere with automatic recognition. They have developed software called Decaptcha which filters out background noise, separates the likely characters and digits and recognises them after a training phase with a 50 per cent probability. The researchers used various methods and algorithms, which they describe in the paper "The Failure of Noise-Based Non-Continuous Audio Captchas" . The web sites of companies such as Microsoft and Yahoo would offer very little resistance to spammers who used techniques similar to those the researchers have developed.
Their software successfully decoded Microsoft's audio captcha about 50 per cent of the time. Of the systems they tested, the most difficult was that from reCAPTCHA, whose captchas were recognised only about 1 per cent of the time. However, this small success rate is considered high risk for sites such as YouTube and Facebook, "that get hundreds of millions of visitors each day."
According to the researchers, the reason Google's reCAPTCHA is the one exception is that this introduces semantic noise into the captcha – sounds with meaning, such as song lyrics or background conversations. This upsets the filtering ability of Decaptcha. The researchers recommend that providers of audio captchas perform further research in this field in order to make the process more robust.
- Google acquires reCAPTCHA, a report from The H.