Researchers: Microsoft's CAPTCHAs Easy to Solve

[David Farber <dave () farber net>]

________________________________________
From: Brian Randell [Brian.Randell () ncl ac uk]
Sent: Wednesday, April 16, 2008 5:44 AM
To: David Farber
Subject: Researchers: Microsoft's CAPTCHAs Easy to Solve

Hi Dave:

Work by a colleague of mine that you might find of interest:

> Microsoft's system to thwart automatic registrations of e-mail
> accounts leads to "a false sense of security," according to two
> researchers who have developed a low-cost way to break the security
> mechanism.
>
> Jeff Yan and Ahmad Salah El Ahmad of the School of Computing Science
> at Newcastle University in the U.K. wrote in a research paper that
> their method can solve around 60 percent of Microsoft's CAPTCHAs
> used for validating registrations for its Windows Live Mail service.
>
> A CAPTCHA (Completely Automated Public Turing test to Tell Computers
> and Humans Apart) is the distorted text that a person must decipher
> in order to be allowed to register for an e-mail account or perform
> other actions, such as post a comment, on a Web site. It's designed
> to prevent hackers from using automated tools for abusive purposes.
>
> Microsoft could make its CAPTCHAs harder to solve for computers by,
> for instance, letting letters overlap, but that also makes it harder
> for people, said Yan, who lectures at the University of Newcastle.
>
> As of the last few months, CAPTCHAs have been become increasingly
> ineffective. The CAPTCHA systems used by free e-mail providers such
> as Microsoft, Google and Yahoo have been solved on a mass scale,
> leading to an increase in spam originating from their domains.
>
> Details are scarce on how hackers are solving the CAPTCHAs in great
> numbers. It has been suspected that low-wage CAPTCHA solvers are
> being employed in order to get a steady stream of new e-mail
> accounts.
>
> Yan and El Ahmad started their work in mid-2007. Microsoft was
> notified of the problems outlined in their paper in September 2007.
> The researchers released the paper a few days ago with Microsoft's
> blessing.
>
> Overall, Microsoft's CAPTCHA system is well designed, and the
> company even holds three patents related to it, they wrote. But
> designing a fool-proof CAPTCHA system isn't easy.
>
> "To the best of our knowledge, this for the first time shows that a
> CAPTCHA that was carefully designed by serious professionals...is
> nevertheless vulnerable to novel but simple attacks," Yah and El
> Ahmad wrote.
>
> In February, it was discovered that hackers were using a method that
> appeared to have a 30 percent to 35 percent success rate in solving
> the CAPTCHA used for Windows Live Hotmail.
>
> Using their own analysis and algorithms, Yan and El Ahmad have
> almost doubled the success rate of the February attacks.
>
> One of the hardest parts of breaking CAPTCHAs is separating the
> letters and putting the letters in the right order, a process known
> as segmentation. The twisting, wispy letters are confusing to
> machines, and humans are much better at sorting out extraneous lines.
>
> Yan and El Ahmad's analysis was performed with off-the-shelf
> hardware: a 1.86 GHz Intel Core 2 Duo CPU (central processing unit)
> with 2G bytes of RAM. Their seven-step method is capable of removing
> "arcs" or strokes that link letters and make letters hard to isolate.
>
> Ninety-two percent of the time, they could isolate each of the eight
> characters used for Microsoft's CAPTCHA. Combined with character
> recognition techniques, the CAPTCHAs could be solved 61 percent of
> the time.
>
> Their method also works against the latest CAPTCHAs deployed by
> Yahoo last month, although the success rates are not as high. Yan
> said he will soon release another research paper looking at Yahoo's
> CAPTCHAs.
>
> Of the big three-- Yahoo, Microsoft and Google-- Google seems to
> have the most effective CAPTCHAs right now due to the difficulty
> automated programs have in separating the characters, Yan said.
>
> "Actually I think at a high level, the idea of a CAPTCHA is a good
> one, but the devil is in the details," Yan said.

http://news.yahoo.com/s/pcworld/20080415/tc_pcworld/144585


Cheers

Brian

--
School of Computing Science, Newcastle University, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell () ncl ac uk   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/people/brian.randell

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com