A pair of researchers at Stanford University have created a computer program capable of cracking CAPTCHA codes, the widespread security system used by websites to determine whether a user is actually human.
CAPTCHA stands for Completely Automated Public Turing Test to tell Computers and Humans Apart. Some would call CAPTCHA a “reverse Turing test,” as it is a computer program meant to identify humans, as opposed to a traditional Turing test, which works the other way around.
Led by researchers Elie Bursztein and John C. Mitchell, the project tested 15 different types of CAPTCHA styles using their custom software dubbed DECAPTCHA. The CAPTCHA codes they tested came from a variety of popular websites, including Wikipedia, eBay, Visa’s Authorize.net, Reddit, Digg, CNN, and Slashdot, among others.
DECAPTCHA works by removing background images and noise, making it easier for the program to decipher the text characters indicated in a particular CAPTCHA code.
The DECAPTCHA script had varying success, depending on the style of CAPTCHA code used by a particular site. For example, DECAPTCHA was only able to crack Wikipedia’s CAPTCHA scheme 25 percent of the time, as were similar schemes from 12 other sites. EBay’s CAPTCHA scheme was cracked 43 percent of the time, the researchers found. And Authorize.net succumbed to DECAPTCHA a troubling 66 percent of the time.
The team found that CAPTCHA codes that use disorienting background images for greater security were not at all effective, and they suggest “using background only for cosmetic purposes.” The team found that using large lines, and a technique known as “collapsing,” a particular way of distorting the characters, “are the only two secure options currently.”
Only Google and reCAPTCHA codes were invulnerable to DECAPTCHA’s attacks. As PhysOrg reports, both Visa’s Authorize.net and Digg have switched to reCAPTCHA since the study was conducted.
View the full study here (pdf).