A pair of researchers at Newcastle University’s School of Computing Science have successfully cracked Microsoft’s CAPTCHA system. The system is used for such services as Windows Live and Hotmail. The duo claims an amazing 92% recognition rate. Here’s an excerpt from the paper they published about it:
“In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that ‘automatic scripts should not be more successful than 1 in 10,000’ attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.”
The researchers did notify Microsoft before publishing their research, but there is no word on what the company's response was. Over the past year there have been many such incidents of CAPTCHA systems being thwarted, including those of eBay, Yahoo! and Google. This clearly illustrates that the effectiveness of such systems is dwindling while demand for CAPTCHA-breaking tools is at an all-time high. Some of the breaking is done by automated programs, but there are also reports that some spammers are paying actual live humans to do the cracking for them, shelling out US$3 for every successful solution.
There are several non-text-based CAPTCHA alternatives being tested, including IMAGINATION, which presents the user with a page filled with overlapping and slightly distorted images. If the user correctly picks out the geometric center of one of the images, they are presented with another distorted image and must pick a word to describe it. Another one is called Kitten Auth, where the user is presented with a group of images depicting cute animals and is asked to click on all the images of a particular one. It’s clear that text-based CAPTCHAs are now too easy to crack. The question now is how effective these new image-based systems will be and, perhaps most importantly, how legitimate users will react to using them. Time will soon tell.