
CAPTCHA Broken At Microsoft - Who’s Next?


A couple of students at the School of Computing Science, in Newcastle, England, have gotten a success rate of 92% on attacking the CAPTCHA validations for such sites as Hotmail and Windows Live.

In a recently published paper they describe how it was done, and explain that text-based CAPTCHAs on any site will not be hard to break using their methods.

from ZDNet

In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that “automatic scripts should not be more successful than 1 in 10,000” attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.

The article continues by listing the number of CAPTCHA breaks over the past couple of years around the world, and shows once again that in the war of cops versus hackers, the hackers aren’t always a step ahead, but they are never far behind the latest technology meant to foil their efforts.

Oh, and the students definitely need more homework to occupy their time!
