CAPTCHA Struggles Against Attacks and Tries to Evolve

Carl Weinschenk

Eleven years ago this month, a melancholy milestone was reached when IBM's Deep Blue computer beat world chess champion Garry Kasparov. The eternal struggle of humans against machines as personified in Kasparov's loss and the philosophical hand-wringing that followed comes to mind in relation to this posting by Nicholas Carr. He says some experts are concluding that attempts to crack "CAPTCHA" security are being done entirely by machines.

CAPTCHAs -- it stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart -- are the swirly series of characters users often are asked to type in to gain access to certain areas or do business on Web sites.

Carr's post is a response to a Washington Post story that details the issue. In the past, Carr writes, it was thought that people in developing countries were manually typing in character combinations to try to defeat CAPTCHA functions. Recent findings by Websense suggest, however, that the CAPTCHA is being attacked without human intervention, though it is unclear how this is happening.

CAPTCHA is attracting a lot of attention. discusses the cracking of the version of CAPTCHA aimed at the sight-challenged. The piece drills down to the Gmail version; it is unclear if the exploit described extends to other audio-enhanced versions of CAPTCHA. In any case, the Gmail CAPTCHA consists of a female voice saying a series of letters surrounded by what the writer says is "creepy" noise he likens to "I am the Walrus" and "The Exorcist." It is repeated, and the user asked to type in the letters they hear. The firm Wintercore did a waveform analysis and noticed that the noise and letters were clearly distinguishable, which makes the system easy to break.

This Wired posting poses the question of whether CAPTCHA is becoming antiquated. The answer, apparently, is a qualified "no." That is not to say that it isn't in danger. The writer links to a page he found last year that quotes prices for automated decoding of different types of CAPTCHA programs. Google, Yahoo and Hotmail were assessed to be "very difficult" to defeat -- and just that happened this year.

It is not hopeless, however. The blogger points to ReCaptcha, HotCaptcha and KittenAuth as promising approaches. He doesn't describe them in detail, but does provide links. This Microsoft page looks at another approach, Animal Species Image Recognition for Restricting Access (ASIRRA). A related approach is GWAP (Games With a Purpose). The system leverages games played by site visitors to train computers to react more "intelligently." GWAP launched this week, and a member of the ReCaptcha team is on board.

Another sign that CAPTCHA is severely challenged comes in research from Newcastle University. If the string being used as the CAPTCHA is segmented -- broken up into its individual letters, for instance -- is it relatively easy to circumvent, according to Techworld. For that reason, vendors employ CAPTCHAs that are resistant to segmentation. The bad news for CAPTCHA is that the researchers developed a way to successfully segment the images more than 90 percent of the time.

Add Comment      Leave a comment on this blog post
May 21, 2008 1:45 AM Napoleon Courtney Napoleon Courtney  says:
I've suspected for sometime that someone had found a way to circumvent CAPTCHA using a software algorithm or even cutting edge video imaging hardware. Reply
May 22, 2008 12:56 PM Zhao Wei Zhao Wei  says:
actually there is already a way to break this in practice, its combined with human and automatic program. what it works,1. capture captcha image from another website in realtime2. entice some ppl to input the info and masked as a different web page, quite typically a porn site or something ppl are willing to go into3. once receive it human input, the system will make use it to attack the victim site.hope this helps Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.