Google ReCAPTCHA Cracked In New Automated Attack
An anonymous reader writes: A trio of security researchers have devised a new automated attack that can break the CAPTCHA systems employed by Google and Facebook. On Google's reCAPTCHA system, researchers recorded a 70.78 percent success rate over 2,235 CAPTCHAs. Average CAPTCHA solving time was 19.2 seconds. They achieved a better success rate on Facebook's system, where they had a success rate of 83.5 percent on over 200 CAPTCHAs, but this was mainly because of higher quality images, and photos were selected from different topics, and were also easier to recognize and classify. For attackers, the whole automated system would cost only $110 a day, per IP address, and would allow them to crack around 63,000 CAPTCHAs in 24 hours from one IP address without being detected and getting banned.
would anonymous turk not be cheaper?
now how are we going to stop terminator infiltrators at the door when skynet rises
Captcha generation can be scaled up quite cheaply and cracking it automatically does not scale well. But why bother to create a complex system to mimic a human brain, when human brain itself is available for hire for a pittance? You could hire someone in India to manually solve some 30 to 60 captcha an hour for about 100 Rs per hour, or less than $1.50. This method of cracking captcha is unbeatable because you cannot make Captcha more difficult without hampering legitimate users.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Wouldn't it be neat if Google's very own system was being used to crack their CAPTCHA system?
So I'm a little rusty on doing shady things on the intertubes which could get me banned ...
And I would be doing this ... why?
So I can spam Google and Facebook? Really, it's that lucrative that you'd spend $110/day/IP?
I've never even seen a Captcha for Google, and I really have no idea of when you'd see them, or why you'd pay to break them.
Is the interweb so utterly broken that people are paying to get past to spam discussion boards? Oh, hell, what am I saying, of course it is.
Lost at C:>. Found at C.
I'm not sure where the article summary got its notion about the costs. The article doesn't address that; instead it spoke to how much could be made selling the service. From the article:
Assuming a selling price of $2 per 1,000 solved captchas, our token harvesting attack could accrue $104 - $110 daily, per host (i.e., IP address). By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine.
I think the authors of the article were trying to communicate how much money they could make selling this 'service' to other unsavory agents. It could be a lucrative business given the assumed market rates of $2 per 1k, and the mentioned optimizations could make it even more attractive. It makes me wonder if you could set up the whole thing in a cloud computing environment like AWS and come out ahead.
trying to enter them as a real human being. Seriously, the captcha system is broken because as long as there is a monetary value to breaking it someone will, even if it is simply paying a few cents per capture to break them to a human in some low wage country. The only authentication system I have seen that didn't rely on a separate hardware device for authentication that was worth a damn were those that, rather than requiring a selection or inputting what you see on screen, asked a question that only someone familiar with the topic would know. For example, I've seen engineering bulletin boards ask for the name of a specific type of beam, automotive ones that ask something unique to the marque, etc. so automating a process to gain entry is not practical. Of course, once you know the answer you can easily create multiple accounts, but these boards also limited posting ability for a set period of time and/or required a secondary confirmation before gaining full access to limit the drive by spamming of EXCELLENT QUALITY!!! YOU BUY CHEAP!!! DESIGNER!!! posts.
I'm a consultant - I convert gibberish into cash-flow.
reCaptcha has a newer system where no image is shown but instead the user clicks a checkbox. It performs some math to slow down attackers since it requires client compute time.
reCaptcha was defeated years ago using simple open source OCR libraries.
The newer style (client-side compute time cost) achieves the only realistic goal which is to slow down spammers since captcha cannot stop them.
Just make the recaptcha a minimum length of twelve characters, use sans serif only and make it consist solely of capital i's and lower case l's.
and would allow them to crack around 63,000 CAPTCHAs in 24 hours from one IP address without being detected and getting banned.
That's an interesting assumption. It would be ridiculously easy to detect.
Route the incoming requests evenly across your pool of servers depending on the range its IP address belongs to.
Each server keeps a count of requests for each incoming IP Address. 1 byte per unique IP address let's say. You could store the entire range of IPv4 in 4GB of storage. If you've got 1024 servers in your pool that's only 4MB.
Reset the count every so often and start keeping count for however long required. If an IP hits a preset limit, add a rule to the firewall.
That just happened. (drops mic...walks off stage)
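The per-address counting scheme from the comment above, as an added sketch that is not part of the original post: requests are routed to one of 1024 shards by IPv4 range, each shard keeps one saturating byte per address, and an address that reaches the limit is blocked. The limit of 200 per window, the hourly window implied by the usage note, and all names are assumptions; the `blocked` set stands in for the firewall rule.

```python
import ipaddress

SHARDS = 1024               # servers in the pool (figure from the comment)
SLOTS = 2**32 // SHARDS     # addresses per shard: 4,194,304 one-byte counters
LIMIT = 200                 # assumed per-window limit; must fit in one byte


class ShardCounter:
    """One server's counters for its contiguous slice of the IPv4 space."""

    def __init__(self, shard_id):
        self.base = shard_id * SLOTS
        self.counts = bytearray(SLOTS)   # 4 MiB, one byte per address
        self.blocked = set()             # stand-in for firewall rules

    def hit(self, ip_int):
        """Count one request; return False once the address is blocked."""
        if ip_int in self.blocked:
            return False
        i = ip_int - self.base
        if self.counts[i] < 255:         # saturate instead of wrapping to 0
            self.counts[i] += 1
        if self.counts[i] >= LIMIT:
            self.blocked.add(ip_int)
            return False
        return True

    def reset_window(self):
        """Start a new counting window; existing blocks are kept."""
        self.counts = bytearray(SLOTS)


def shard_for(ip):
    """Route by address range: the top 10 bits pick one of 1024 shards."""
    n = int(ipaddress.IPv4Address(ip))
    return n // SLOTS, n


def simulate(ip, requests, pool):
    """Send `requests` hits from one address; return how many were allowed."""
    shard_id, n = shard_for(ip)
    shard = pool.setdefault(shard_id, ShardCounter(shard_id))
    return sum(shard.hit(n) for _ in range(requests))
```

At the summary's figure of 63,000 CAPTCHAs in 24 hours, one address sends about 2,625 requests an hour, so with an hourly window it is cut off after 199. Counting per address only sees traffic from that one address; the proxy services mentioned in the quoted article text are the case this scheme does not cover.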
Pretty soon, the test will have to be inverted to detect that you are human only if you get the captcha WRONG.
I already have trouble deciphering some captchas, having need for a second (or even third) try in some occasions, which is REALLY annoying. If they make them any harder, I think only bots will be able to solve them and not humans...
Wait, is that the next generation of captcha? You are human if you fail?
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
Seriously, I hate the CAPTCHA. I have a very hard time reading them. Some sites, it takes me 4 or 5 tries to get it right. You hit the "voice" and half the time I cannot understand it. There are many types of dyslexia - they all seem to be gathered under one umbrella diagnosis - but sometimes, for some of us, who mispronounce - mishear the exact same words we mistype and spell
CAPTCHA for people like me who are dyslexic is exactly the same thing as putting child proof/resistant tops on bottles of pain killers for people suffering arthritis. There are days I am so frustrated with the CAPTCHA, I can only imagine in my head that the people who came up with this crap are either brain dead stupid or very sadistic.
Oh yeah, for the Slashdot CAPTCHA, I had to play the sound as well as look at the word to get it. It's not as bad as some others, but still a PITA.
Once a cryptocurrency can actually handle microtransactions (maybe bitcoin this summer?) then we won't need CAPTCHAs at all - just charge $0.01 per submission or something. Instead of making spammers burn the cost, have them send it to the would-be victim.
Heh... I'm partially colorblind and it appears to be getting worse with age. I can usually still recognize patterns but I have issues with certain colors and various shades. I have, on the other hand, learned to not argue with people when they tell me something is a different color than what I said it was. At first, I thought people were just fucking with me. It wasn't too bad when I was younger but it's not that great now. Blue, gray? Yellow, orange? Red, orange? Fucked if I can be certain. I seriously thought people were just fucking with me at first. But no, no... I'm partially colorblind.
"So long and thanks for all the fish."
your post shows you are doing well. congratulations! keep on trucking, man!
Those numbers are better than I am at this.