May 31st, 2008

Microsoft’s CAPTCHA successfully broken

Posted by Dancho Danchev @ 11:59 am

Categories: Microsoft, Responsible disclosure, Spam and Phishing

Tags: CAPTCHA, MSN, Hotmail, Windows Live, Yahoo, Gmail, Dancho Danchev

Jeff Yan and Ahmad Salah El Ahmad, at the School of Computing Science, Newcastle University, England, recently published a research paper entitled “A Low-cost Attack on a Microsoft CAPTCHA”, demonstrating how they managed to attack Microsoft’s CAPTCHA, used on several of its online services such as Hotmail and Windows Live, with an over 92% recognition rate. Here’s a summary of the research:

In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that “automatic scripts should not be more successful than 1 in 10,000” attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.

Realizing the potential for massive abuse by spammers, the researchers notified Microsoft in September 2007, then awaited its response before publishing the paper last month. Even though they’ve scientifically justified their success, the CAPTCHAs used by some of the most popular Internet services are known to have been successfully broken in the past, with the CAPTCHA recognition process available on request in a customer-tailored fashion for a given CAPTCHA. The following is a brief retrospective of some of the do-it-yourself CAPTCHA breaking services, incidents and tools that I’ve been tracking for a while:

All of these developments clearly indicate both the demand and the supply for CAPTCHA breaking services, as well as the potential for abusing the clean domain reputation of the most popular email providers, whose continuous emphasis on usability, namely coming up with more user-friendly CAPTCHAs, often results in the ease with which the process can be automated. No CAPTCHA is perfect, and any CAPTCHA is subject to a great deal of attacks; what can, on the other hand, frustrate someone’s ambitions for automatic recognition is breaking out of the current CAPTCHA model. And if CAPTCHA recognition is to be undermined on a large scale, novel and adaptive approaches like the following replacements for text-based CAPTCHAs should be considered:

Watch out for another upcoming research paper from the same researchers, this time demonstrating low-cost automated attacks on Yahoo CAPTCHAs, and don’t forget that, just like humans committing click fraud alongside botnets, human CAPTCHA breakers can recognize every CAPTCHA; however, it’s important that they remain unable to automate the process, which pretty much represents the current situation.
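A defender-side check that follows from the point above (an automated solver answers in tens of milliseconds, while human breakers, as the post notes, cannot be automated): this is an added example, not code from the post or from the Newcastle paper. It parses a constructed challenge/answer log and flags clients whose median solve latency sits far below a plausible human floor; the log format, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample log (not from the post or the paper): one line per CAPTCHA
# challenge issued or answered, millisecond timestamps, documentation IP ranges.
# 203.0.113.10 answers within ~100 ms, in line with the ~80 ms segmentation time
# the paper reports; 198.51.100.7 takes several seconds, as a person would.
SAMPLE_LOG = """\
1212228000000 issue id=c1 ip=203.0.113.10
1212228000090 answer id=c1 ip=203.0.113.10 result=ok
1212228000200 issue id=c2 ip=203.0.113.10
1212228000285 answer id=c2 ip=203.0.113.10 result=fail
1212228000400 issue id=c3 ip=203.0.113.10
1212228000495 answer id=c3 ip=203.0.113.10 result=ok
1212228001000 issue id=c4 ip=198.51.100.7
1212228007400 answer id=c4 ip=198.51.100.7 result=ok
1212228020000 issue id=c5 ip=198.51.100.7
1212228028100 answer id=c5 ip=198.51.100.7 result=fail
1212228040000 issue id=c6 ip=198.51.100.7
1212228045500 answer id=c6 ip=198.51.100.7 result=ok
"""

LINE_RE = re.compile(r"^(\d+) (issue|answer) id=(\S+) ip=(\S+)(?: result=(ok|fail))?$")

def parse(log):
    """Pair each answer with its challenge; return {ip: [(latency_ms, solved), ...]}."""
    issued, per_ip = {}, defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ts, kind, cid, ip, result = m.groups()
        if kind == "issue":
            issued[cid] = int(ts)
        elif cid in issued:  # answers to unknown challenges are dropped
            per_ip[ip].append((int(ts) - issued.pop(cid), result == "ok"))
    return per_ip

def flag_automated(per_ip, min_human_ms=1500, min_samples=3):
    """Flag clients whose median solve latency is below a plausible human floor.
    Thresholds are assumed tuning values; the success rate is reported for context
    only, since the paper's 60% estimate shows a solver need not outscore a person."""
    flagged = {}
    for ip, samples in per_ip.items():
        if len(samples) < min_samples:
            continue
        lat = median(l for l, _ in samples)
        if lat < min_human_ms:
            rate = sum(ok for _, ok in samples) / len(samples)
            flagged[ip] = {"median_ms": lat, "rate": round(rate, 2), "n": len(samples)}
    return flagged
```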

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and e-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis.
