Stanford Students Capture CAPTCHA Code

by Matt Klassen on November 2, 2011

As alliterations go it's certainly a mouthful, and honestly not altogether accurate, but nevertheless researchers from Stanford University have some bad news for all the companies that depend on CAPTCHA, those often indecipherable, always irritating distorted letters and words we have to type in at numerous websites as proof of our humanity, as a layer of their online security: they don't work very well.

In fact, the Stanford researchers found that for sites like Blizzard (is there anyone out there who doesn’t receive spam WoW emails?), Visa’s Authorize.net, Wikipedia and eBay among many, the Captcha security feature really didn’t work at all, a point that invariably has many of us asking, “Is the Internet really secure?”

But of course they’re only asking that question because they have skipped over the far more fundamental precursor query, what the heck do those annoying Captchas even do?

For those who have never known why we’re all required to enter nonsense phrases and letters into that security box before we can purchase products or access secure sites like credit cards or banks, the purpose of a Captcha—which stands for Completely Automated Public Turing test to tell Computers and Humans Apart—is to foil the evil botnets, those malicious programs that operators use to automatically create email accounts to send spam, or use to send those annoying comments to your blog, or use to repeatedly access e-commerce sites, giving the operator an unfair purchasing advantage—especially for things like tickets—over the regular single consumer.

The problem with utilizing Captchas as part of an overall security front is that companies, even huge companies like Visa and eBay, often create their own, thinking that any sort of semi-indecipherable scribble will do the trick. Not so, say the Stanford researchers.

Using a decoding technique called Decaptcha, which automatically removes ‘noise’ from an image and detects shapes like letters, the researchers were able to clean up Captcha images and have programs automatically insert the correct phrase, thus mimicking a real person and defeating the security feature altogether.

As CNET writer Declan McCullagh explains, "Decaptcha was able to decode 66 percent of the Captchas used by Visa's Authorize.net payment site, 70 percent of Blizzard Entertainment's Captchas — the company's games include World of Warcraft and Diablo — and 25 percent of Wikipedia's. About one-fifth of Digg.com's Captchas and almost that many of CNN.com's were decodable. Any decoding rate over 1 percent, the Stanford team says, means that particular Captcha is too broken to continue to use." It turns out the only company able to rebuff every attempt from the Stanford researchers was Google.

While these companies utilize Captchas only as part of their overall security plan, the Stanford researchers are hoping that their findings will motivate them to strengthen their Captchas, shore up the weaknesses of the feature, and improve the overall level of online security. Of course, what this means for you is that if companies don't fix those weaknesses, hackers will figure out how to break the Captcha code and we will all likely see an increase in spam.

But just in case you’re now thinking that the Stanford findings will be like one of those news stories of homemade bombs, the sort that irresponsibly gives you all the details needed to make your own homemade bombs, the researchers from Stanford have given assurances that their DeCaptcha software will not be made available to the public…ever. We’ll see how long that lasts.


Written by: Matt Klassen. www.digitcom.ca.


Emma Geraln November 2, 2011 at 5:59 am

It would appear that in some cases the computers are better at reading the bloody things than me! Great 🙂
