News

Researchers: Microsoft's CAPTCHAs Easy to Solve

By Jeremy Kirk, IDG News Service (London Bureau)

April 15, 2008

Microsoft's system to thwart automatic registrations of e-mail accounts leads to "a false sense of security," according to two researchers who have developed a low-cost way to break the security mechanism.

Jeff Yan and Ahmad Salah El Ahmad of the School of Computing Science at Newcastle University in the U.K. wrote in a research paper that their method can solve around 60 percent of Microsoft's CAPTCHAs used for validating registrations for its Windows Live Mail service.

A CAPTCHA (Completely Automated Public Turing test to Tell Computers and Humans Apart) is the distorted text that a person must decipher in order to be allowed to register for an e-mail account or perform other actions, such as post a comment, on a Web site. It's designed to prevent hackers from using automated tools for abusive purposes.

Microsoft could make its CAPTCHAs harder to solve for computers by, for instance, letting letters overlap, but that also makes it harder for people, said Yan, who lectures at the University of Newcastle.

As of the last few months, CAPTCHAs have been become increasingly ineffective. The CAPTCHA systems used by free e-mail providers such as Microsoft, Google and Yahoo have been solved on a mass scale, leading to an increase in spam originating from their domains.

Details are scarce on how hackers are solving the CAPTCHAs in great numbers. It has been suspected that low-wage CAPTCHA solvers are being employed in order to get a steady stream of new e-mail accounts.

Yan and El Ahmad started their work in mid-2007. Microsoft was notified of the problems outlined in their paper in September 2007. The researchers released the paper a few days ago with Microsoft's blessing.

Overall, Microsoft's CAPTCHA system is well designed, and the company even holds three patents related to it, they wrote. But designing a fool-proof CAPTCHA system isn't easy.

"To the best of our knowledge, this for the first time shows that a CAPTCHA that was carefully designed by serious professionals...is nevertheless vulnerable to novel but simple attacks," Yah and El Ahmad wrote.

In February, it was discovered that hackers were using a method that appeared to have a 30 percent to 35 percent success rate in solving the CAPTCHA used for Windows Live Hotmail.

Using their own analysis and algorithms, Yan and El Ahmad have almost doubled the success rate of the February attacks.

One of the hardest parts of breaking CAPTCHAs is separating the letters and putting the letters in the right order, a process known as segmentation. The twisting, wispy letters are confusing to machines, and humans are much better at sorting out extraneous lines.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

How Are Open Source Development Communities Embracing Security Best Practices?

The Case for Business Software Assurance ~ Securing Your Applications

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

Envision Identity-Based Access Control for the Datacenter

Using Likewise to Comply with PCI Data Security Standard

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously

Any company can promise identity protection. Only Debix can prove it

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage

5 Steps to Secure Outsourced Application Development

Managing SSL Security in Multi-Server Environments

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Efficient - Flexible - Compliant

Digital Identity Protection and Data Security Get Personal

Simplify your data center with Juniper Networks. View the webcast

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Understanding Data Location is Imperative for Data Loss Prevention

Secure your virtual and physical environments with the same software

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era