Why website security captchas are vulnerable to cyber attacks
Researchers have shown how website security captchas are vulnerable to cyber attacks, by creating a new algorithm which easily defeats the captchas on most popular websites across the world.

The new algorithm is based on deep learning methods and effectively solves captcha security and authentication systems, which the research team said shows the vulnerability of website security captchas to cyber attacks.

Why are website security captchas insecure?

Text-based website security captchas use a jumble of letters and numbers, as well as security features such as occluding lines. The technology relies on humans being better than machines at deciphering the characters. However, the new machine learning algorithm has shown that this is not the case.

Dr Zheng Wang, Senior Lecturer at Lancaster University’s School of Computing and Communications and co-author of the research, said: “Our work shows that the security features employed by the current text-based captcha schemes are particularly vulnerable under deep learning methods. We show for the first time that an adversary can quickly launch an attack on a new text-based captcha scheme with very low effort. This is scary because it means that this first security defence of many websites is no longer reliable. This means captcha opens up a huge security vulnerability which can be exploited by an attack in many ways.”

Mr Guixin Ye, the lead student author of the work, said: “It allows an adversary to launch an attack on services, such as Denial of Service attacks or sending spam or phishing messages, to steal personal data or even forge user identities. Given the high success rate of our approach for most of the text captcha schemes, websites should be abandoning captchas.”

The algorithm

The algorithm was developed by computer scientists at Lancaster University in the UK as well as Northwest University and Peking University in China. It has a higher accuracy than previous captcha attack systems, and is able to successfully crack versions of captcha which could not previously be cracked.

