How Hackers Listened Their Way Around Google's Recaptcha

An anonymous reader writes with this story at Ars Technica: "Three self-taught hackers from the DC949 hacker collective managed to use a combination of techniques to beat ReCaptcha with 99.1% accuracy (better than most humans!)" In short, the hackers skipped the visual part of the Recaptcha system entirely, focusing on the audio alternative, which gave them a few convenient angles of attack. Google responded with changes to the system, but that doesn't minimize their accomplishment.

Gone too far...

[whydavid]

I had one of these the other day that was beyond absurd. The visual was a complete scrambled mess, with nearly every letter seemingly equally likely too be 2 or 3 different letters. The audio was even worse: loud gibberish in the foreground with what sounded like someone whispering the actual text in the background. It wasn't until 2 reloads later that I was lucky enough to get a recaptcha that was only slightly ambiguous, and I was able to get it on the 2nd guess. I was far more annoyed at this than I ever have been at a spambot. I'm not sure this is a step in the right direction. Time to move away from garbled text.

Re:"Better than most humans"

[Anonymous Coward]

...especially if they solve them in less time than the duration of the audio. (Only half kidding: They solved millions of eight second long captchas in a second and a half each and Recaptcha didn't even blink.)

Re:How far behind were the criminals/spammers?

[icebike]

Quote summary:

Google responded with changes to the system, but that doesn't minimize their accomplishment.

On the contrary, yet is does minimize their accomplishment. It makes it all for nothing, a technical exercise, with no near term or long term payback.
Recaptcha is a huge con, no more secure then the original captcha. The second (or first) portion being there only to serve some other purpose, and any answer will do.

Adding the audio option (probably forced by ADA) did nothing for security. At best this demonstrates that adding multiple different keys to the same lock makes things worse, not better.

Captcha's original intent was to slow down bots, by making the user prove they were human. They are seldom used to protect anything
of value, simply to keep the nuisance bots to a dull roar.

Now it appears that machines can beat captcha and recaptcha very easily. So WHY do we still see these schemes in use?

Re:How far behind were the criminals/spammers?

[bill_mcgonigle]

On the contrary, yet is does minimize their accomplishment. It makes it all for nothing, a technical exercise, with no near term or long term payback. Recaptcha is a huge con, no more secure then the original captcha. The second (or first) portion being there only to serve some other purpose, and any answer will do.

It's funny that you'd complain about a waste of effort and then bemoan Recaptcha, which was developed to prevent all those man-years of solving CAPTCHA's from going to waste.

BTW, the founder of Recaptcha has expressed that he will be happy when it can be defeated trivially because at that point the other job it's trying to do can be completely automated, which is still a win.

Re:Singularity

[mcgrew]

You bring to mind something I read long ago, too long ago for a citation. A researcher was running a turing test with one subject seeing if he could decide which terminal was a computer and which had a computer on the other end.

The tester just sat there without inputting anything. Pretty soon a message came up on one screen: "Is there anybody there?"

"That's the human," the tester said