Researchers crack Microsoft, eBay, Yahoo, Digg audio captchas

Researchers have figured out how to crack captchas, making it possible to launch automated attacks against sites such as Microsoft, eBay and Digg where opening phony accounts could be turned into cash.

Software written by researchers at Stanford University and Tulane University can interpret human speech well enough to crack audio captchas between 1.5 per cent and 89 per cent of the time - often enough to make sites that use them vulnerable to setting up false user accounts, the researchers say.

Called Decaptcha, the program was able to decode Microsoft's audio captchas about half the time. It cracked the toughest audio captcha from reCAPTCHA just 1.5 per cent of the time and Authorize.com's audio captchas 89 per cent of the time.

It solved eBay audio captchas 82 per cent of the time, Microsoft's 48.9 per cent of the time, Yahoo's 45.5 per cent of the time and Digg's 42 per cent of the time, say the researchers, headed up by Elie Bursztein, a post-doctoral researcher at Stanford.

"[A] computer algorithm that solves one captcha out of every 100 attempts would allow an attacker to set up enough fraudulent accounts to manipulate user behavior or achieve other ends on a target site," the researchers say.

Visual captchas (completely automated public Turing tests to tell computers and humans apart) display distorted numbers and letters that a person has to identify and key in. Audio captchas present a voice reading numbers and letters that are partially obscured by noise, music or competing voices, and the person solving them has to key in the characters being read.

The Decaptcha program samples the audio and identifies what are likely to be numbers and letters based on numbers and letters that have previously been read to it. It then tries to match the suspected character with one of the characters in its library, choosing the one that makes the best match.

According to the researchers, training the program requires it to "listen to" captchas that have been accurately identified. "Decaptcha requires 300 labeled captchas and approximately 20 minutes of training time to defeat the hardest schemes," the researchers say in a paper describing their results. After that, the trained program can solve tens of captchas per minute.

To make it difficult for computer programs to identify the characters, various types of distractions are played over them, such as random white noise, loud noises between characters and other voices. Some audio captchas use purposely low-quality recordings.

White noise is relatively easy to filter out, but competing voices and sounds that present sound patterns similar to letters and numbers are the most difficult for Decaptcha to discern, the researchers say. These are called semantic distractions and require human intelligence to sort them out with a high degree of accuracy.

Working in favor of Decaptcha is that the creators of audio captchas have to make them simple enough for humans to figure out the letters and numbers the vast majority of the time. The balance between simple enough for humans to distinguish and difficult enough for computers to miss is tricky, the researchers say.

The researchers recommend tightening up security of audio captchas through use of more semantic noise.

The researchers say they are working on ways to break audio captchas that use entire words rather than just characters to see whether they are safer.

They also want to analyze the differences in the ways humans make mistakes decoding captchas and the ways computers make mistakes. That way captchas can be designed to make it more difficult and costly to devise programs that defeat them, they say.

Tim Greene

Network World