Computers now able to cheat CAPTCHAs

Some of the common tests used by websites to distinguish between legitimate flesh-and-blood visitors and malicious human-mimicking computers recently appear to have been outwitted.

The human verification tests, which typically require users to identify deformed letters set against a cluttered backdrop, were broken by a computer. The computer then repeatedly created free Hotmail e-mail accounts and sent spam from them, according to Websense, the security firm that detected the hacking.

The attack followed similar ones this year against Microsoft's Live Mail accounts and Google's Gmail. Recently, the security firm reported a similar attack on Google's Blogger.

“What we're noticing over the last year is that these tests meant to tell the difference between a human and a computer are being targeted by more and more malicious groups,'' said Stephan Chenette, manager of security labs at Websense, the firm based in San Diego that reported the attacks. “And they are getting better at it.''

Spam is the goal

Spam, or unsolicited e-mails, are the ultimate aims of such schemes. Solving the human verification tests with computers allows spammers to rapidly create new e-mail accounts from which to issue spam, estimated by Ferris Research to cost the US economy $42 billion annually.

The problem of telling computers and humans apart has a long tradition in artificial intelligence theory.

In a landmark paper in 1950, British mathematician Alan Turing proposed that a machine could be said to “think'' if it could carry on a conversation — via teletype — in a manner that was indistinguishable from a human.

But the practice of distinguishing humans from computers has taken on a far more practical role in the internet age.

Anyone who has signed up for an e-mail account, bought show tickets or created a free blog, is likely to be familiar with these modern tests of humanity: They ask visitors to identify a string of wavy, deformed letters.

The letters are supposed to be impossible for computers to read in the time allotted but relatively easy for humans.
“The free e-mail accounts and blogs are like gold to the malicious attackers,'' Chenette said. The reason is that spam filters are less likely to block items from these free services.

One of the first such tests was developed by Yahoo, which was having trouble with malicious computers signing up for the company's free Webmail service. They dubbed the tests CAPTCHAs, an acronym with a nod to Turing: “Completely Automated Public Turing Test to Tell Computers and Humans Apart.''

Yahoo's initial system, however, was quickly hacked by computer scientists who programmed their computers with optical character recognition systems to solve the visual riddles.

To improve their system, Yahoo changed their puzzles from words to random letter strings and set the letters against more background clutter.

The latest reported CAPTCHA attacks, however, were carried out by academics not spammers.

Honey pot decoys

They were reported by Websense, which deploys many decoy computers around the world — which they call “honey pots'' — to attract such attacks.

The attacks on Google's Gmail service and on Microsoft's Live Mail were reported in February. At the time, however, it was difficult to tell from the evidence whether the CAPTCHAs were being solved by computers or low-wage Russian workers — or both.

A web page found on the computer appeared to offer, in Russian, small amounts of money for workers willing to crack the puzzles.

But the speed and repetition of the attack as well as the very high error rate in solving the tests, suggested to some at Websense that computers not humans were at work.

The attack that most clearly signals that computers were solving a CAPTCHA came about a month ago, when Websense detected what appeared to be some malicious traffic from one of its “threat-seeker'' honey pots.

Once it attracted the malicious code, the decoy sought repeatedly to create Hotmail accounts.Over and over, when it was presented with the Hotmail CAPTCHA, it sent the letter puzzle to another computer.

That computer would respond within about six seconds, a speed that leads computer analysts to think the CAPTCHA was being cracked by a computer, not a human.

Microsoft and other web companies say they are interested in creating human verification tests that are harder for computers to crack. But there is an inherent difficulty.

Making the tests harder for the computer makes them harder for humans, too.