Microsoft's system to thwart automatic registrations of e-mail accounts leads to "a false sense of security," according to two researchers who have developed a low-cost way to break the security mechanism.
Jeff Yan and Ahmad Salah El Ahmad of the School of Computing Science at Newcastle University in the U.K. wrote in a research paper that their method can solve around 60 percent of Microsoft's CAPTCHAs used for validating registrations for its Windows Live Mail service.
A CAPTCHA (Completely Automated Public Turing test to Tell Computers and Humans Apart) is the distorted text that a person must decipher in order to be allowed to register for an e-mail account or perform other actions, such as post a comment, on a Web site. It's designed to prevent hackers from using automated tools for abusive purposes.
Microsoft could make its CAPTCHAs harder to solve for computers by, for instance, letting letters overlap, but that also makes it harder for people, said Yan, who lectures at the University of Newcastle.
As of the last few months, CAPTCHAs have been become increasingly ineffective. The CAPTCHA systems used by free e-mail providers such as Microsoft, Google, and Yahoo have been solved on a mass scale, leading to an increase in spam originating from their domains.
Details are scarce on how hackers are solving the CAPTCHAs in great numbers. It has been suspected that low-wage CAPTCHA solvers are being employed in order to get a steady stream of new e-mail accounts.
Yan and El Ahmad started their work in mid-2007. Microsoft was notified of the problems outlined in their paper in September 2007. The researchers released the paper a few days ago with Microsoft's blessing.
Overall, Microsoft's CAPTCHA system is well designed, and the company even holds three patents related to it, they wrote. But designing a foolproof CAPTCHA system isn't easy.
"To the best of our knowledge, this for the first time shows that a CAPTCHA that was carefully designed by serious professionals...is nevertheless vulnerable to novel but simple attacks," Yah and El Ahmad wrote.
In February, it was discovered that hackers were using a method that appeared to have a 30 percent to 35 percent success rate in solving the CAPTCHA used for Windows Live Hotmail.
Using their own analysis and algorithms, Yan and El Ahmad have almost doubled the success rate of the February attacks.
One of the hardest parts of breaking CAPTCHAs is separating the letters and putting the letters in the right order, a process known as segmentation. The twisting, wispy letters are confusing to machines, and humans are much better at sorting out extraneous lines.
Yan and El Ahmad's analysis was performed with off-the-shelf hardware: a 1.86GHz Intel Core 2 Duo CPU with 2GB of RAM. Their seven-step method is capable of removing "arcs" or strokes that link letters and make letters hard to isolate.
Ninety-two percent of the time, they could isolate each of the eight characters used for Microsoft's CAPTCHA. Combined with character recognition techniques, the CAPTCHAs could be solved 61 percent of the time.
Their method also works against the latest CAPTCHAs deployed by Yahoo last month, although the success rates are not as high. Yan said he will soon release another research paper looking at Yahoo's CAPTCHAs.
Of the big three -- Yahoo, Microsoft, and Google -- Google seems to have the most effective CAPTCHAs right now due to the difficulty automated programs have in separating the characters, Yan said.
"Actually I think at a high level, the idea of a CAPTCHA is a good one, but the devil is in the details," Yan said.
Get the independent advice and expertise you need to support a virtual workforce.
The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.
Download now »
Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.
Download now »
A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
1 Recommendation
