interesting-people message



Subject: [IP] Researchers: Microsoft's CAPTCHAs Easy to Solve


________________________________________
From: Brian Randell [Brian.Randell@ncl.ac.uk]
Sent: Wednesday, April 16, 2008 5:44 AM
To: David Farber
Subject: Researchers: Microsoft's CAPTCHAs Easy to Solve

Hi Dave:

Work by a colleague of mine that you might find of interest:

>Microsoft's system to thwart automatic registrations of e-mail
>accounts leads to "a false sense of security," according to two
>researchers who have developed a low-cost way to break the security
>mechanism.
>
>Jeff Yan and Ahmad Salah El Ahmad of the School of Computing Science
>at Newcastle University in the U.K. wrote in a research paper that
>their method can solve around 60 percent of Microsoft's CAPTCHAs
>used for validating registrations for its Windows Live Mail service.
>
>A CAPTCHA (Completely Automated Public Turing test to Tell Computers
>and Humans Apart) is the distorted text that a person must decipher
>in order to be allowed to register for an e-mail account or perform
>other actions, such as post a comment, on a Web site. It's designed
>to prevent hackers from using automated tools for abusive purposes.
>
>Microsoft could make its CAPTCHAs harder to solve for computers by,
>for instance, letting letters overlap, but that also makes it harder
>for people, said Yan, who lectures at the University of Newcastle.
>
>As of the last few months, CAPTCHAs have become increasingly
>ineffective. The CAPTCHA systems used by free e-mail providers such
>as Microsoft, Google and Yahoo have been solved on a mass scale,
>leading to an increase in spam originating from their domains.
>
>Details are scarce on how hackers are solving the CAPTCHAs in great
>numbers. It has been suspected that low-wage CAPTCHA solvers are
>being employed in order to get a steady stream of new e-mail
>accounts.
>
>Yan and El Ahmad started their work in mid-2007. Microsoft was
>notified of the problems outlined in their paper in September 2007.
>The researchers released the paper a few days ago with Microsoft's
>blessing.
>
>Overall, Microsoft's CAPTCHA system is well designed, and the
>company even holds three patents related to it, they wrote. But
>designing a fool-proof CAPTCHA system isn't easy.
>
>"To the best of our knowledge, this for the first time shows that a
>CAPTCHA that was carefully designed by serious professionals...is
>nevertheless vulnerable to novel but simple attacks," Yan and El
>Ahmad wrote.
>
>In February, it was discovered that hackers were using a method that
>appeared to have a 30 percent to 35 percent success rate in solving
>the CAPTCHA used for Windows Live Hotmail.
>
>Using their own analysis and algorithms, Yan and El Ahmad have
>almost doubled the success rate of the February attacks.
>
>One of the hardest parts of breaking CAPTCHAs is separating the
>letters and putting the letters in the right order, a process known
>as segmentation. The twisting, wispy letters are confusing to
>machines, and humans are much better at sorting out extraneous lines.
>
>Yan and El Ahmad's analysis was performed with off-the-shelf
>hardware: a 1.86 GHz Intel Core 2 Duo CPU (central processing unit)
>with 2G bytes of RAM. Their seven-step method is capable of removing
>"arcs" or strokes that link letters and make letters hard to isolate.
>
>Ninety-two percent of the time, they could isolate each of the eight
>characters used for Microsoft's CAPTCHA. Combined with character
>recognition techniques, the CAPTCHAs could be solved 61 percent of
>the time.
>
>Their method also works against the latest CAPTCHAs deployed by
>Yahoo last month, although the success rates are not as high. Yan
>said he will soon release another research paper looking at Yahoo's
>CAPTCHAs.
>
>Of the big three-- Yahoo, Microsoft and Google-- Google seems to
>have the most effective CAPTCHAs right now due to the difficulty
>automated programs have in separating the characters, Yan said.
>
>"Actually I think at a high level, the idea of a CAPTCHA is a good
>one, but the devil is in the details," Yan said.

http://news.yahoo.com/s/pcworld/20080415/tc_pcworld/144585


Cheers

Brian

--
School of Computing Science, Newcastle University, Newcastle upon Tyne,
NE1 7RU, UK
EMAIL = Brian.Randell@ncl.ac.uk   PHONE = +44 191 222 7923
FAX = +44 191 222 8232  URL = http://www.cs.ncl.ac.uk/people/brian.randell
