A new study suggested that text-based CAPTCHAs, one of the most widely used website security mechanisms, are no longer safe when facing smarter artificial intelligence.
Text-based CAPTCHA uses a jumble of distorted or blurred letters, characters and numbers to distinguish humans from computer programs, to block the latter from accessing polls and auctions disguised as a human user. This reverse Turing test builds on the belief that people are more adept at recognizing these symbols than machines.
But researchers from China’s Northwest University, Peking University, and Lancaster University in Britain said they developed a new algorithm, based on machine learning, that can break most text-based CAPTCHAs within 0.05 seconds.
The research was published in a paper presented at the ACM Conference on Computer and Communications Security (CCS) 2018 in Toronto. It described the algorithm as “generic, low-effort yet effective” compared with previous attacks on CAPTCHAs that could be laborious and scheme-specific.
Fang Dingyi, co-author of the paper at Northwest University, said the program had been tested on CAPTCHA schemes used by 50 popular websites including those operated by Google, Wikipedia, Microsoft, Baidu, Alibaba, and Tencent.
Overall, the program had a success rate of over 50 percent of decoding CAPTCHAs on most websites within 0.05 seconds. Its success rate of decoding certain Google CAPTCHAs, considered to be the most difficult, stood at 3 percent.
“It is widely believed that a CAPTCHA scheme is ineffective if the decoding rate is above 1 percent,” said Tang Zhanyong, co-author of the paper at Northwest University.
The AI tool draws on a technique known as the “generative adversarial network,” or GAN. It teaches a CAPTCHA generator program to produce large numbers of training CAPTCHAs, which are then used to train a solver to break real CAPTCHAs.
“This research suggests one can easily launch an attack on a new CAPTCHA scheme using AI. It means that this first defense of many websites is no longer reliable,” said Fang.
The researchers advised website owners to consider deploying alternative multiple-layer security mechanisms. Fang said his team is looking at ways to develop a more reliable CAPTCHA system.
“We want to offer an alternative to the current text-based CAPTCHA scheme. The alternative should improve its security without compromising the user experience,” Fang said.