Microsoft's CAPTCHA successfully broken

Microsoft's CAPTCHA successfully broken

Summary: UPDATE: Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers. Jeff Yan and Ahmad Salah El Ahmad, at the School of Computing Science, Newcastle University, England recently published a research paper entitled "A Low-cost Attack on a Microsoft CAPTCHA", demonstrating how they've managed to attack the Microsoft's CAPTCHA used on several of their online services such as Hotmail and Windows Live, with over 92% recognition rate.

SHARE:
TOPICS: Security
0

UPDATE: Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers. Jeff Yan and Ahmad Salah El Ahmad, at the School of Computing Science, Newcastle University, England recentlyMicrosoftÂ’s CAPTCHA published a research paper entitled "A Low-cost Attack on a Microsoft CAPTCHA", demonstrating how they've managed to attack the Microsoft's CAPTCHA used on several of their online services such as Hotmail and Windows Live, with over 92% recognition rate. Here's a summary of the research :

In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that "automatic scripts should not be more successful than 1 in 10,000" attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.

Realizing the potential for massive abuse from spammers, the researchers notified Microsoft in Sept, 2007 then awaited the response publishing the paper last month. Even though they've scientifically justified their success, the CAPTCHAs used on some of the most popular Internet are known to have been successfully broken in the past, with the CAPTCHA recognition process available on request in a customer-tailed fashion given the specific CAPTCHA. The following is a brief retrospective of some of the do-it-yourself CAPTCHA breaking services, incidents and tools that I've been tracking for a while :

All of these developments clearly indicate the demand and supply for CAPTCHA breaking services, as well as the potential for abusing the clean domain reputation of the most popular email providers whose continuous emphasis on usability, namely coming up with more user friendly CAPTCHAs, often results in the easy of which the process can be automated. No CAPTCHA is perfect, and any CAPTCHA is subject to a great deal of attacks, what can on the other hand render someone's ambitions for automatic recognition is figuring out how to break out of the current CAPTCHA model. And if CAPTCHA recognition is to be undermined on a large scale, such novel and adaptive approaches should be considered like the following replacements for text based CAPTCHAs :

Watch out for another upcoming research courtesy of the same researchers, this time demonstrating Low-cost automated attacks on Yahoo CAPTCHAs, and don't forget that just like humans committing click fraud next to botnets, human CAPTCHA breakers can recognize every CAPTCHA, however, it's important they they remain unable to automate the process, which pretty much represents the current situation.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion