Microsoft's CAPTCHA Successfully Cracked

Filed in archive Spam News on May 31, 2008

Photo courtesy of iStockphoto, Image# 4598913

Researchers at the School of Computing Science, Newcastle University, Englandm, have announced they've successfully cracked Microsoft's CAPTCHA system, which is used on services like Windows Live and Hotmail. The researchers claim an amazing 92% recognition rate. Here is a summary of the paper they published on their study:

In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took ~80 ms for our attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that "automatic scripts should not be more successful than 1 in 10,000″ attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.

This is not the first time a CAPTCHA system has been cracked. Both Google and Yahoo have had their systems breached as well. This latest successful crack is just another sure sign that CAPTCHA's time is done and a better system is sorely needed!