Thursday, 26 May 2011

Captchas and Internet Security

Captcha, the word test used to check whether website users are human, has now been cracked by IT experts in the USA, who have developed software which proves that it can be beaten.

The word captcha stands for Completely Automated Public Turing Test. It was coined in 2000 and is used to tell computers and humans apart. It uses one or two distorted words which are keyed in to prove that there is actually a user rather than an automated computer programme at work. It is supposed to stop scammers from using automated programmes to send out messages, but it is clearly not foolproof, as its vulnerability lies in the audio method of recognising letters or numbers.

The new programme has been dubbed Decaptcha and it beats audio captchas 89% of the time. The researchers listened to 200 captchas for a period of 20 minutes and the Decaptcha method beat eBay 82% of the time and Yahoo 45.4% of the time. It manages to do this by sampling the audio and marking out what it thinks are letters or numbers based on what was heard before. The programme has a library, and it matches each suspected character with the character in the library that makes the best match.

It is feared that cyber criminals could use a programme like this to bypass security on various websites, and that ticket touts, for instance, could pretend to be real sports fans, get tickets for the best seats at events and sell them on at extortionate prices. Three men in California have already bought 1.5 million tickets for Broadway shows and Bruce Springsteen concerts by using automated programmes to crack captchas. Fans paid a fortune for them.

An attacker would only need a computer algorithm which solves one captcha out of a hundred to set up enough phoney accounts to manipulate user behaviour or to target other sites and do untold damage.

http://www.negotiatenow.co.uk