Slashdot Mirror


Google ReCAPTCHA Cracked In New Automated Attack

An anonymous reader writes: A trio of security researchers have devised a new automated attack that can break the CAPTCHA systems employed by Google and Facebook. On Google's reCAPTCHA system, researchers recorded a 70.78 percent success rate over 2,235 CAPTCHAs. Average CAPTCHA solving time was 19.2 seconds. They achieved a better success rate on Facebook's system, where they had a success rate of 83.5 percent on over 200 CAPTCHAs, but this was mainly because of higher quality images, and photos were selected from different topics, and were also easier to recognize and classify. For attackers, the whole automated system would cost only $110 a day, per IP address, and would allow them to crack around 63,000 CAPTCHAs in 24 hours from one IP address without being detected and getting banned.

11 of 66 comments

  1. dammit by Kkloe · · Score: 3, Funny

    now how are we going to stop terminator infiltrators at the door when skynet rises

    1. Re:dammit by Big+Hairy+Ian · · Score: 2

      "You're in a desert, walking along in the sand when all of a sudden you look down and see a tortoise. It's crawling toward you..."

      Holden: Describe in single words only the good things that come into your mind about... your mother.

      Leon: My mother?

      Holden: Yeah.

      Leon: Let me tell you about my mother.

      In fairness to the guy, any member of the Palin family would probably have had the same response

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:dammit by Thanshin · · Score: 2

      1. Stand still
      2. Remain calm
      3. Scream

      Paradox? This looks like standard operational meeting procedure.

  2. Captcha cracking using AI is a losing battle by 140Mandak262Jamuna · · Score: 4, Interesting

    Captcha generation can be scaled up quite cheaply and cracking it automatically does not scale well. But why bother to create a complex system to mimic a human brain, when the human brain itself is available for hire for a pittance? You could hire someone in India to manually solve some 30 to 60 captchas an hour for about 100 Rs per hour, or less than $1.50. This method of cracking captchas is unbeatable because you cannot make captchas more difficult without hampering legitimate users.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Deep Learning/Neural Net by wardrich86 · · Score: 2

    Wouldn't it be neat if Google's very own system was being used to crack their CAPTCHA system?

  4. Re:Hmmm .... by pla · · Score: 2

    I've never even seen a Captcha for Google, and I really have no idea of when you'd see them, or why you'd pay to break them.

    If you do a bunch of searches in quick succession, it will occasionally ask you to solve one. Seems kinda random, though, some days I can search for half an hour as fast as I can type without getting one, while others I get a captcha after my third attempt to refine the results.

  5. Cost analysis from article differs from summary by Hwaguy · · Score: 3, Interesting

    I'm not sure where the article summary got its notion about the costs. The article doesn't address that; instead it spoke to how much could be made selling the service. From the article:

    Assuming a selling price of $2 per 1,000 solved captchas, our token harvesting attack could accrue $104 - $110 daily, per host (i.e., IP address). By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine.

    I think the authors of the article were trying to communicate how much money they could make selling this 'service' to other unsavory agents. It could be a lucrative business given the assumed market rates of $2 per 1k, and the mentioned optimizations could make it even more attractive. It makes me wonder if you could set up the whole thing in a cloud computing environment like AWS and come out ahead.

  6. 70% That's better than I can do by Registered+Coward+v2 · · Score: 2

    trying to enter them as a real human being. Seriously, the captcha system is broken because as long as there is a monetary value to breaking it someone will, even if it is simply paying a few cents per capture to break them to a human in some low wage country. The only authentication system I have seen that didn't rely on a separate hardware device for authentication that was worth a damn were those that, rather than requiring a selection or inputting what you see on screen, asked a question that only someone familiar with the topic would know. For example, I've seen engineering bulletin boards ask for the name of a specific type of beam, automotive ones that ask something unique to the marque, etc. so automating a process to gain entry is not practical. Of course, once you know the answer you can easily create multiple accounts, but these boards also limited posting ability for a set period of time and/or required a secondary confirmation before gaining full access to limit the drive-by spamming of EXCELLENT QUALITY!!! YOU BUY CHEAP!!! DESIGNER!!! posts.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  7. Re:Hmmm .... by gstoddart · · Score: 2

    If you have to ask, you'll never know...

    Google has a Room of Requirement?

    Oh, man, I never get to have any fun.

    --
    Lost at C:>. Found at C.
  8. Re:Oh crap... by operagost · · Score: 2

    I already tried to do that, but in order to sign up for the bot, the company made me solve a captcha.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  9. Re:Oh crap... by gstoddart · · Score: 2

    It's bots and captchas all the way down. ;-)

    --
    Lost at C:>. Found at C.