TY - GEN
T1 - A low-cost attack on a microsoft CAPTCHA
AU - Yan, Jeff
AU - Ahmad, Ahmad Salah El
PY - 2008/10/27
Y1 - 2008/10/27
N2 - CAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-baaed schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. In this paper, we present new character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation- resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took on average -.80 ins for the attack to completely segment a challenge on an ordinary desktop computer. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, the design goal was that automated attacks should not achieve a success rate of higher than 0.01%. For the first time, this paper shows that CAPTCHAs that are carefully designed to be segmentationresistant are vulnerable to novel but simple attacks.
AB - CAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-baaed schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. In this paper, we present new character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation- resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took on average -.80 ins for the attack to completely segment a challenge on an ordinary desktop computer. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, the design goal was that automated attacks should not achieve a success rate of higher than 0.01%. For the first time, this paper shows that CAPTCHAs that are carefully designed to be segmentationresistant are vulnerable to novel but simple attacks.
KW - CAPTCHA
KW - internet security
KW - robustness
KW - segmentation attack
KW - usability
UR - http://www.scopus.com/inward/record.url?scp=66249097513&partnerID=8YFLogxK
U2 - 10.1145/1455770.1455839
DO - 10.1145/1455770.1455839
M3 - Conference contribution book
AN - SCOPUS:66249097513
SN - 9781595938107
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 543
EP - 554
BT - Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS'08
CY - New York
T2 - 15th ACM conference on Computer and Communications Security, CCS'08
Y2 - 27 October 2008 through 31 October 2008
ER -