A Low-cost Attack on a Microsoft CAPTCHA

Monty Solomon

May 12, 2008, 10:59:31 AM

A Low-cost Attack on a Microsoft CAPTCHA

Jeff Yan, Ahmad Salah El Ahmad
School of Computing Science, Newcastle University, UK
{Jeff.Yan, Ahmad.Salah-El-Ahmad}@ncl.ac.uk

Abstract: CAPTCHA is now almost a standard security technology. The
most widely used CAPTCHAs rely on the sophisticated distortion of
text images rendering them unrecognisable to the state of the art of
pattern recognition techniques, and these text-based schemes have
found widespread applications in commercial websites. The state of
the art of CAPTCHA design suggests that such text-based schemes
should rely on segmentation resistance to provide security guarantee,
as individual character recognition after segmentation can be solved
with a high success rate by standard methods such as neural networks.
In this paper, we analyse the security of a text-based CAPTCHA
designed by Microsoft and deployed for years at many of their online
services including Hotmail, MSN and Windows Live. This scheme was
designed to be segmentation-resistant, and it has been well studied
and tuned by its designers over the years. However, our simple attack
has achieved a segmentation success rate of higher than 90% against
this scheme. It took on average ~80 ms for the attack to completely
segment a challenge on a desktop computer with a 1.86 GHz Intel Core
2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft
scheme can be broken with an overall (segmentation and then
recognition) success rate of more than 60%. On the contrary, its
design goal was that "automatic scripts should not be more successful
than 1 in 10,000" attempts (i.e. a success rate of 0.01%). For the
first time, we show that a CAPTCHA that is carefully designed to be
segmentation-resistant is vulnerable to novel but simple attacks. Our
results show that it is not a trivial task to design a CAPTCHA scheme
that is both usable and robust.

...

http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf
