Whilst checking my morning emails, blogs and subscriptions, I came across this story, which could have implications for security on the web. Captcha, the security feature that asks the user to type in a randomly generated word before accessing specific areas such as email, control panels etc., has been cracked (in its audio form) by a piece of software developed by researchers.
“Researchers have sparked fresh concerns about Internet security after cracking Captcha, the word test used to check if website users are human. In tests IT experts said they have developed software that beats audio Captchas up to 89 per cent of the time.
They warned that cyber criminals could use such a programme to get past security measures introduced by websites like Yahoo and eBay and scam the public.
The programme, called Decaptcha, beat Captcha on eBay 82 per cent of the time, Microsoft 48.9 per cent of the time, Yahoo 45.5 per cent of the time and 42 per cent of the time on Digg.
It could also cause problems for websites like Ticketmaster as touts could use automated programmes to pose as real users and get the best seats – only to sell them on at vastly inflated prices.
The researchers warned that websites using Captcha had to upgrade their security or face becoming a victim of cyber crime. The term Captcha – which stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart – was coined by Luis von Ahn and two other professors from Carnegie Mellon University in 2000.
Originally used by Yahoo email, they were designed to stop spammers from using automated programmes to send out unwanted messages to scam other people.
Captchas usually come in the form of one or two distorted words which the user must type in to prove that they are human. Users can also request that the Captcha be read out loud over the computer’s speakers, and it is here the researchers have found a vulnerability.
With just 20 minutes of ‘listening’ time to some 200 Captchas, the Decaptcha programme was able to defeat even the toughest schemes, their study found. It does this by sampling the audio and marking out what it thinks are numbers and letters based on what it has previously heard. The programme then matches the suspected character with one of the characters in its library, choosing the one that makes the best match.
‘A computer algorithm that solves one Captcha out of every 100 attempts would allow an attacker to set up enough fraudulent accounts to manipulate user behaviour or achieve other ends on a target site,’ the researchers from Stanford University and Tulane University said.
The dangers of cracked Captchas were illustrated recently by the case of three California men who used automated programmes to beat security measures and buy 1.5 million tickets to Bruce Springsteen concerts and Broadway shows. The trio later sold them on to fans at a far higher price.”
How widely this will be exploited, and how quickly the companies respond by upgrading their security, is yet to be seen, but I would advise that you take steps to protect yourself online; it’s good practice regardless of the security in place.