CAPTCHA Security Weak On Popular Websites

Engineers at Stanford University developed software that was able to unravel the security sequence, called a CAPTCHA, more than 40 percent of the time on eBay, 35 percent on Slashdot and one in four attempts on Wikipedia. Of the 15 sites tested against the researcher’s Decaptcha tool, 13 failed.

The findings are important because CAPTCHAs, which stand for Completely Automated Public Turing test to tell Computers and Humans Apart, are supposed to block criminals from using computers to flood social networks, online marketplaces and webmail services with spam and scams. The funny looking letters and numbers in CAPTCHAs are supposed to be indecipherable by computers. That wasn’t the case for the majority of the sites tested.

Researchers’ success rates were 50 percent or higher on Authorize.net, Blizzard, Captcha.net, Megaupload and the National Institute of Health site. Success rates of 25 percent to 49 percent were recorded on eBay, Reddit, Slashdot and Wikipedia; 10 percent to 24 percent on CNN and Digg; and 1 percent to 10 percent on Baidu and Skyrock. Sites on which researchers were able to circumvent CAPTCHAs 1 percent of the time or higher were considered broken. The only ironclad CAPTCHAs were found on Google and Recaptcha. Google bought CAPTCHA-creation service reCAPTCHA two years ago.

Elie Bursztein, a post doctorate researcher at Stanford Security Laboratory and a co-author of the study, said Monday that in the year and a half since the study was done, Authorize.net, which provides credit card and other payment services to merchants, and tech news site Digg have started using reCAPTCHA. Researchers were not sure whether any changes have been made on the other sites. "It’s pretty hard to tell," Bursztein says. "People are not very open about what they do with their CAPTCHAs."

The high rate of weak CAPTCHAs is the result of many sites designing their own characters and then using them without adequately testing their effectiveness, Bursztein says. The study found that CAPTCHA effectiveness could be greatly improved by randomizing character length and size, removing space between the letters and numbers, and using a wave type of distortion. At the same time, sites can adopt more user-friendly features, such as fewer characters and a plain background, without compromising security.

"We can have something that’s easier for humans, rather than only have something that is secure," Bursztein says.

The study, called Text-based CAPTCHA Strengths and Weaknesses, was presented last month at the ACM Conference On Computer and Communication Security in Chicago.