Researchers Find Easy Way to Defeat CAPTCHA Security
One reason the cybersecurity field is so hot is the arms race between hackers and security pros. Almost as soon as a new security patch or app is released, hackers come up with a way to get around it.
Now, though, it isn't hackers, but a team of academics who have ratcheted up the security risk to many of the world's most trafficked sites with their quick and easy way to defeat a widely used security system. Their technique, based on machine learning methods, can defeat the ubiquitous CAPTCHA challenge-response test in under a second using just a desktop computer. It was tested on 33 CAPTCHA schemes, including 11 used by many of the world’s most popular websites.
Almost anyone who has signed up for a service, bought something online or registered for access to a site has encountered a CAPTCHA. The most common of the different CAPTCHA methods is a text display of jumbled, distorted letters and numbers that users must decipher before they can proceed further. The purpose of a CAPTCHA is to prevent automated systems from gaining access. Most humans can figure out the characters in under 10 seconds. To date, the few CAPTCHA-defeating programs require millions of examples to be trained to decipher each specific scheme.
The new CAPTCHA solver, developed by computer scientists at Northwest University in the US, Peking University in China and Lancaster University in the UK, delivers significantly higher accuracy than previous systems, and is able to successfully crack versions that have defeated previous attack systems. It is also far quicker to learn new CAPTCHA variations.
Dr. Zheng Wang, senior lecturer at Lancaster University’s School of Computing and Communications and co-author of the research, said, "Our work shows that the security features employed by the current text-based CAPTCHA schemes are particularly vulnerable under deep learning methods.
"We show for the first time that an adversary can quickly launch an attack on a new text-based CAPTCHA scheme with very low effort. This is scary because it means that this first security defense of many websites is no longer reliable."