Artificial intelligence can fool Captcha security more than half the time

News by Rene Millman

Scientists use vision algorithms to sidestep security systems and machine-read CAPTCHA security words like a human.

An artificial intelligence algorithm has been created by scientists that can break CAPTCHA security systems more than half the time.

In a research paper, scientists working in a Californian AI start-up called Vicarious, said the software mimics how the human eye works and can be used to solve text-based CAPTCHA challenges. These are used by websites to tell human visitors from automated spammers.

The scientists developed a system called recursive cortical network (RCN) that converts CAPTCHA text into a correct input with significant accuracy. This RCN is different from other AI-based systems that use Convolutional Neural Network (CNN) to break CAPTCHA.

Scientists said that RCN is better than CNN as it needs less training. The RCN-based system required only five clean training examples per character to get 66.6 percent accuracy.

“In comparison to RCNs, a state-of-the-art CNN required a 50,000-fold larger training set of actual CAPTCHA strings, and it was less robust to perturbations to the input. Because the CNN required a large number of labelled examples, this control study used a CAPTCHA-generator that we created to emulate the appearance of reCAPTCHAs,” said researchers.

“With one model, we achieve an accuracy rate of 66.6 percent on reCAPTCHAs, 64.4 percent on BotDetect, 57.4 percent on Yahoo, and 57.1 percent on PayPal, all significantly above the one percent rate at which CAPTCHAs are considered ineffective,” the firm said in a blog post.

“When we optimise a single model for a specific style, we can achieve up to 90 percent accuracy.”

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that this is not the first time that CAPTCHA has been defeated.

“Back in 2014 Google's Street view algorithm defeated CAPTCHA with 99.8 percent accuracy by using a deep convolutional neural network directly on image pixels. However, this does not mean that CAPTCHA-using organisations will instantly become vulnerable, but only that a new method has been devised to – somewhat accurately – defeat CAPTCHA codes,” he said.

“New versions of the CAPTCHA are constantly being pushed out by Google to solve address the issue of telling humans of computers apart. Since CAPTCHA is a very commonly implemented technique for spotting bots, it's safe to say that it's also constantly being probed for vulnerabilities and ways for automatically bypassing it. We're not yet to the point where CAPTCHA's days are numbered, but as machine learning and OCR become more advanced, it's safe to speculate that CAPTCHA may be defeated one day and replaced with something else,” he added.

Josh Mayfield, director at FireMon, told SC Media UK that Instead of looking for CAPTCHA to mitigate entry, organisations can adopt a zero-trust framework along with two-factor authentication for any access point.  “Zero-trust entails segmenting networks so granularly that each asset can more or less function as its own contained network, sharing information with others, but with its own security policies.  This ‘microsegmentation' is a common program many organisations are already adopting,” he said.

“Most importantly, organisations can automate their policy controls.  Once you have segmented networks and established zero trust within and throughout, automating policy management is your linchpin.  If each task to block or grant access is a manual effort, it can be a daunting exercise.  Organisations moving to zero trust can make it practicable by automating policy controls that govern this new array.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews