Spammer’s Delight: Researchers Defeat Audio CAPTCHAs
When logging into a website or establishing a new account, many users are prompted to decipher a visually distorted string of letters and numbers to keep spammers from gaining access. This list of characters is a CAPTCHA, a puzzle that is glaringly easy for most humans but that stops computers from automatically deciphering the text. CAPTCHAs also come in audio form for the visually impaired, but these audio puzzles are an easy target for would-be spammers.
An audio CAPTCHA is a list of letters or numbers read along with additional audio distortion. The user has to list the characters correctly to gain access like with a regular visual CAPTCHA. A team of researchers from Stanford University, led by Elie Bursztein, has developed an algorithm that can automatically defeat audio CAPTCHAs. The ability to automatically solve CAPTCHA puzzles would allow spammers to create new accounts and thus even more spam.
Bursztein has previously demonstrated the weakness of audio CAPTCHAs in 2008, but the researcher’s new work shows the ability to crack more sophisticated, presumably more secure CAPTCHAs. The algorithm, called deCAPTCHA, was designed to process sound as closely as possible to the way the human ear absorbs and relays sound information to the brain. The algorithm focuses on lower-frequency sounds while tuning out most of the background noise that distorts an audio CAPTCHA.
The algorithm successfully defeated half of all audio CAPTCHAs from Microsoft and Yahoo. Microsoft then developed a new audio CAPTCHA, which the deCAPTCHA algorithm was still able to conquer in 1.5% of cases. According to Bursztein if an audio CAPTCHA can be defeated in more than 1% of cases the security measures are as good as a “free pass.”
The researchers intend to keep working to defeat different types of audio CAPTCHAs, including more sophisticated versions like those that have two voices reading different combinations of letters at the same time, and those that combine letters with music.
(via Technology Review)
Have a tip we should know? [email protected]