CAPTCHA schemes still easy to bypass
Security researchers at Stanford University have found that the vast majority of text-based anti-spam tests are easily bypassed. They cracked the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) mechanisms of several popular web sites.
These security schemes have been used to distinguish humans from bots for a number of years. Apart from text-based techniques, various other methods involving, for example, cat pictures, audio clips or maths puzzles exist to prevent automated spam bots from logging into web sites and provide protection against abuse.
In their "Text-based CAPTCHA Strengths and Weaknesses" research paper, the Stanford team investigated whether CAPTCHA schemes can be cracked using a fully automated process. The custom "Decaptcha" tool they developed managed to outsmart 13 out of 15 popular CAPTCHA web sites. The researchers tested the query mechanisms of such sites as Google, eBay and Wikipedia. Only Google's CAPTCHA and the reCAPTCHA systems managed to withstand the attacks.
The team achieved higher detection rates by removing intentionally introduced background distortions, and by separating character sequences into individual characters. This enabled them to achieve a detection rate of 66 per cent when attacking Visa's Authorize.net. They bypassed eBay's CAPTCHA system in 43 per cent of cases. With Wikipedia, Digg and CNN, they were less successful but still managed to achieve usable results.
The Stanford team also made recommendations on how to improve CAPTCHA generation. For example, they said that CAPTCHA text length should vary, and that fonts and sizes should be random. The researchers also mentioned techniques that make it more difficult for users to recognise the characters but don't present an obstacle for automated attacks. Talking to The H's associates at heise Security, they compared CAPTCHAs to cryptography systems: Once they've been cracked, they must be replaced with a new one.