7th December 2018

AI can solve CAPTCHA tests in under 0.05 seconds

Researchers have created a new algorithm, based on deep learning, which is able to solve text-based CAPTCHA tests in less than 0.05 seconds.

Artificial intelligence could spell the end for one of the most widely used website security systems. A new algorithm, based on deep learning methods, is the most effective solver of CAPTCHA security and authentication systems to date. CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart", a type of challenge–response test used in computing to determine whether or not the user is human.

Text-based CAPTCHAs use a jumble of letters and numbers, alongside other security features such as occluding lines, to distinguish between humans and malicious automated computer programmes. The system relies on people finding it easier to decipher the characters than machines.

Developed by computer scientists at Lancaster University in the UK as well as Northwest University and Peking University in China, the new algorithm delivers significantly higher accuracy than previous CAPTCHA attack systems, and is able to successfully crack versions where previous attacks failed. It is also highly efficient, able to pass a test within 0.05 seconds on a desktop PC.

It works by using a technique known as a 'Generative Adversarial Network', or GAN. This involves teaching a CAPTCHA generator programme to produce large numbers of training CAPTCHAs that are indistinguishable from genuine CAPTCHAs. These are then used to rapidly train a solver, which is then refined and tested against real CAPTCHAs.

By using a machine-learned automatic CAPTCHA generator, the researchers are able to significantly reduce the effort, and time, needed to find and manually tag CAPTCHAs to train their software. It only requires 500 genuine CAPTCHAs, instead of the millions that would normally be needed to effectively train an attack programme. Previous CAPTCHA solvers are specific to one particular CAPTCHA variation. Prior machine-learning attack systems are labour intensive to build, requiring a lot of manual tagging to train the systems. They are also easily rendered obsolete by small changes in the security features used within captchas. Because the new algorithm requires little human involvement, it can easily be rebuilt to target new, or modified, CAPTCHA schemes. The programme was tested on 33 CAPTCHA schemes, of which 11 are used by the world's most popular websites including eBay, Wikipedia and Microsoft.

Dr Zheng Wang, Senior Lecturer at Lancaster University's School of Computing and Communications and co-author of the research, said: "This is the first time a GAN-based approach has been used to construct solvers. Our work shows that the security features employed by the current text-based CAPTCHA schemes are particularly vulnerable under deep learning methods.

"We show, for the first time, that an adversary can quickly launch an attack on a new text-based CAPTCHA scheme with very low effort. This is scary because it means that this first security defence of many websites is no longer reliable. This means CAPTCHA opens up a huge security vulnerability which can be exploited by an attack in many ways.

Mr Guixin Ye, lead student author of the work, said: "It allows an adversary to launch an attack on services, such as Denial of Service attacks, or sending spam or phishing messages, to steal personal data or even forge user identities. Given the high success rate of our approach for most of the text CAPTCHA schemes, websites should be abandoning captchas."

The researchers believe websites should now be considering alternative measures that use multiple layers of security – such as a user's use patterns, device location or even biometric information.

---

• Follow us on Twitter

• Follow us on Facebook

• Subscribe to us on YouTube

Comments »