DOI: 10.1145/1455770.1455839
research-article

A low-cost attack on a Microsoft captcha

Published: 27 October 2008

Abstract

CAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-based schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide a security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks.
In this paper, we present new character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation-resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate higher than 90% against this scheme. It took on average ~80 ms for the attack to completely segment a challenge on an ordinary desktop computer. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition) success rate of more than 60%. In contrast, the design goal was that automated attacks should not achieve a success rate higher than 0.01%. For the first time, this paper shows that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks.

Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
October 2008
590 pages
ISBN:9781595938107
DOI:10.1145/1455770

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. captcha
  2. internet security
  3. robustness
  4. segmentation attack
  5. usability

Acceptance Rates

CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
