Researchers at Lancaster University in the UK and Northwest University and Peking University in China have found a way to get around CAPTCHA security with new artificial intelligence, according to research published in a paper titled Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach.
The research findings were presented at the ACM Conference on Computer and Communications Security (CCS) 2018 in Toronto.
“Text-based captchas are extensively used to distinguish humans from automated computer programs,” researchers wrote. “While numerous alternatives to text-based captchas have been proposed, many websites and applications still use text-based captchas as a security and authentication mechanism. These include the majority of the top-50 popular websites ranked by alexa.com as of April 2018, including Google, Microsoft, Baidu, and many others.”
Researchers asserted that their approach to an effective text CAPTCHA solver requires far fewer real CAPTCHAs yet results in better performance. “We evaluate our approach by applying it to 33 captcha schemes, including 11 schemes that are currently being used by 32 of the top-50 popular websites including Microsoft, Wikipedia, eBay and Google. Our approach is the most capable attack on text captchas seen to date.”
Their approach consists of four steps: CAPTCHA synthesis, preprocessing, training the base solver, and fine-tuning the base solver.
“What makes some CAPTCHAs rise above these sophisticated attacks are not the CAPTCHAs or challenges themselves, but the risk assessment behind the challenge,” said Shane Martin, software consultant of customer success at NuData Security, a Mastercard company.
“If an attacker used this method to solve CAPTCHA challenges that are built on top of enhanced security solutions such as behavioral biometrics technology, the risk assessment would recognize that an automated system was completing the challenge and would then increase the challenge complexity until the challenge could not be solved. This is why it’s important to avoid CAPTCHAs as standalone products and have them as an interdiction that appears after an accurate risk assessment.”
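The defensive pattern Martin describes, a risk assessment that decides whether a challenge is served at all and that keeps raising the challenge level while automation signals persist, can be sketched in code. The following Python is an added illustration, not NuData's product or anything from the paper; the behavioural signals (pointer activity, solve time, timing consistency), the thresholds, the score weights and the session data are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import pstdev
from typing import List, Tuple

# Constructed thresholds for illustration; a real deployment would tune
# these against observed human and bot traffic.
HUMAN_MIN_SOLVE_MS = 1500   # a text captcha answered faster than this is suspect
MAX_CHALLENGE_LEVEL = 4     # hardest challenge variant the site can serve

# Assumed weights for the automation signals below (constructed).
SIGNAL_WEIGHTS = {
    "no_pointer_activity": 35,
    "superhuman_solve_time": 40,
    "machine_like_timing_consistency": 25,
}


@dataclass
class Attempt:
    """One challenge attempt as seen by the risk engine (constructed record)."""
    solve_ms: int      # time between challenge shown and answer submitted
    mouse_moves: int   # pointer events recorded while the challenge was open
    solved: bool       # whether the submitted answer matched


def automation_signals(attempts: List[Attempt]) -> List[str]:
    """Behavioural signals suggesting a program rather than a person.

    Note that a *solved* challenge still yields signals: the point of the
    risk assessment is that solving the captcha is not proof of a human.
    """
    signals: List[str] = []
    if not attempts:
        return signals
    if all(a.mouse_moves == 0 for a in attempts):
        signals.append("no_pointer_activity")
    if any(a.solve_ms < HUMAN_MIN_SOLVE_MS for a in attempts):
        signals.append("superhuman_solve_time")
    # Humans vary; a near-constant solve time across attempts is machine-like.
    if len(attempts) >= 3 and pstdev([a.solve_ms for a in attempts]) < 50:
        signals.append("machine_like_timing_consistency")
    return signals


def risk_score(attempts: List[Attempt]) -> int:
    """Additive score from 0 (clean) to 100 (almost certainly automated)."""
    return min(100, sum(SIGNAL_WEIGHTS[s] for s in automation_signals(attempts)))


def decide(attempts: List[Attempt], current_level: int) -> Tuple[str, int]:
    """Return (action, challenge_level) for the next step of a session.

    The captcha is an interdiction served only when risk is elevated; while
    automation signals persist it is escalated one level per round, and once
    the hardest level has been reached the session is blocked instead of
    being handed yet another solvable puzzle.
    """
    score = risk_score(attempts)
    if score < 30:
        return ("allow", 0)
    if current_level >= MAX_CHALLENGE_LEVEL:
        return ("block", current_level)
    return ("challenge", min(MAX_CHALLENGE_LEVEL, current_level + 1))


def walk_session(rounds: List[List[Attempt]]) -> List[Tuple[str, int]]:
    """Replay a session round by round; each round holds the attempts observed
    since the last decision, and the challenge level carries over."""
    level = 0
    history: List[Tuple[str, int]] = []
    for attempts in rounds:
        action, level = decide(attempts, level)
        history.append((action, level))
        if action == "block":
            break
    return history


if __name__ == "__main__":
    # Constructed sample sessions: one human-like, one solver-like.
    human = [Attempt(solve_ms=4200, mouse_moves=31, solved=True)]
    bot = [Attempt(600, 0, True), Attempt(610, 0, True), Attempt(605, 0, True)]
    print("human:", risk_score(human), decide(human, 0))
    print("bot:  ", risk_score(bot), walk_session([bot] * 5))
```

The essential design choice is in `decide`: a correctly solved challenge does not reset the session to "allow". Only a clean behavioural score does that, so a solver that answers every puzzle still climbs through the challenge levels and ends up blocked.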