Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google ReCAPTCHA Cracked In New Automated Attack

Posted by msmash on from the breaking-the-code dept.

An anonymous reader writes: A trio of security researchers have devised a new automated attack that can break the CAPTCHA systems employed by Google and Facebook. On Google's reCAPTCHA system, researchers recorded a 70.78 percent success rate over 2,235 CAPTCHAs. Average CAPTCHA solving time was 19.2 seconds. They achieved a better success rate on Facebook's system, where they had a success rate of 83.5 percent on over 200 CAPTCHAs, but this was mainly because of higher quality images, and photos were selected from different topics, and were also easier to recognize and classify. For attackers, the whole automated system would cost only $110 a day, per IP address, and would allow them to crack around 63,000 CAPTCHAs in 24 hours from one IP address without being detected and getting banned.

2 of 66 comments (clear)

  1. Captcha cracking using AI is a losing battle by 140Mandak262Jamuna · · Score: 4, Interesting

    Captcha generation can be scaled up quite cheaply and the cracking it automatically does not scale well. But why bother to create a complex system to mimic a human brain, when human brain itself is available for hire for a pittance? You could hire someone in India to manually solve some 30 to 60 captcha an hour for about 100 Rs per hour, or less than $1.50. This method of cracking captcha is unbeatable because, you can not make Captcha more difficult without hampering legitimate users.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. Cost analysis from article differs from summary by Hwaguy · · Score: 3, Interesting

    I'm not sure where the the article summary got its notion about the costs. The article doesn't address that- instead it spoke to how much could be made selling the service. From the article:

    Assuming a selling price of $2 per 1,000 solved captchas, our token harvesting attack could accrue $104 - $110 daily, per host (i.e., IP address). By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine.

    I think the authors of the article were trying to communicate how much money they could make selling this 'service' to other unsavory agents. It could be a lucrative business given the assumed market rates of $2 per 1k, and the mentioned optimizations could make it even more attractive. It makes me wonder if you could set up the whole thing in a cloud computing environment like AWS and come out ahead.