Google's Audio CAPTCHA Falls To Automated Attack

Posted by kdawson on Friday May 02, @11:01AM
from the what-you-say dept.
SkiifGeek writes "Early in March, Wintercore Labs published proof of a generic approach to defeating audio CAPTCHAs, using Google's as the case study for their demonstration. With claims of over 90% success rate and expectations that this can be significantly improved with the right mix of filtering algorithms, the in-house tool remains unreleased. But it shouldn't take long for other developers to create their own tools and start targeting not only Google, but other sites that use audio CAPTCHAs for the vision-impaired. It isn't the first time that major sites (significantly major webmail providers) have had their CAPTCHAs broken, but it is the first reporting of defeating an audio CAPTCHA using a generic software approach. News about the discovery is slowly starting to spread."

Related Stories

[+] Windows Live Hotmail CAPTCHA Cracked, Exploited 362 comments
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
  • by revlayle (964221) on Friday May 02, @11:13AM (#23275046)
    Some of the advanced IVR solutions (Interactive Voice Response... for like customer support or paying bills on the phone) can pick out numbers and words pretty well even under some noise conditions. So I am not totally surprised that this cracked the audio CAPTCHA.
    • Re: (Score:3, Insightful)

      IVR works as well as it does because it only has to understand numbers when it's expecting numbers and words when it's expecting words (and then only the words it expects to hear, try yelling "banana" at one). Also try calling your credit card company and
  • by Half-pint HAL (718102) on Friday May 02, @11:16AM (#23275092)

    Right from the start it was clear that audio captchas were theoretically easier to break than visual ones.

    An image captcha is designed to require a mixture of perception and thought, but an audio one has to rely on pure perception, because it's temporary. You hear it then it's gone: you can't analyse it. This makes it infinitely less complicated than a video one.

    It's only because of low uptake that it's taken so long for a true proof-of-concept attack.

    HAL.

  • by snarfies (115214) on Friday May 02, @11:19AM (#23275140) Homepage
    "News about the discovery is slowly starting to spread."

    And, thanks to Slashdot, news about the discovery is now RAPIDLY spreading.
  • by Anonymous Coward
    Do something else. Show me a picture of an object and ask me (in a multiple-choice test?) what it is...a tree, a car, a house, a flower, whatever.

    And for the sight-impaired, how about a read description or definition of something? "this thing is the entran
  • So given that (I assume) all audio CAPTCHAs have the same problem (i.e., the numbers and clearer voices can easily be found using audio analysis), does that mean that all audio-based CAPTCHAs are bound to fail?
  • by sakdoctor (1087155) on Friday May 02, @11:25AM (#23275250) Homepage
    Apart from OCRing books, I can't think of anything else that is not a total waste of human time. How about meta-moderating as a CAPTCHA activity; probably too fuzzy to work to a reasonable degree of accuracy.

    Basically I think the arms race is already over, and a new paradigm is needed,
    • Classifying porn pictures. This is very useful, girl-on-girl, top half only, etc...

      Realistically, providing a one-word description for a bunch of pictures could be useful. I know Google set up a "game" for this months ago.
  • CAPTCHA technology is going to have a very difficult time over the next few years. Finding tasks (which can be implemented on standard computer systems and transmitted over the internet) that are trivial for humans but exceedingly difficult for computers
  • Spam is already a pretty ethically dubious thing, but this should be viewed differently in the eyes of the law (in the event we actually catch somebody behind it in a 1st world country). Sort of how if you assault an able-bodied man on the street you'll be
  • Paying 3rd-world human beings usually gets past captchas.

    A partial solution is to limit the services you offer based on how well you know them. Anonymous? Offer very limited services.
    Anonymous but tied to an existing email address? Offer a bit more.
    Auth
    • "Authenticated by street address, driver's license number, and a notary? Assume they are legit, you can always sue the notary if they aren't."

      Just another database to be stolen and used to create credit hell for those people listed in the database.

      No thank
  • Spammers need to be shot.

    The only reason to have these things is to try to limit spambots. Imagine if instead of spending Millions of dollars developing and maintaining anti spam technology, we used the money to assassinate Spammers, and the producers of t
    • Ha, we're getting the spammers to fund AI research...the more we make captchas like Turing tests, the more they'll do AI research in their attempts to break it.

  • There was a captcha a while ago that pulled pictures and "hottness" information from hotornot.com, then asked the user to select three of the 9 people that were "hott". link [hotcaptcha.com]

    While this approach probably wouldn't be very appropriate for "serious" companies t
    • The problem is that all these options require photographs, which mean each new CAPTCHA requires some human-work to produce. If we're going to prevent spammers from just exhaustively cataloging the right answers, we need an automatable, procedural way to ge
  • I think the captcha thing is about over. One alternative is identifying new users by texting a password to their cell phone. One account per cell phone number. This limits access to people with computers but not cell phones, but that's not much of an iss

  • I've wanted to gripe about this for ages, but here it finally seems on-topic:

    Slashdot's audio CAPTCHA is a joke.

    The computer voice SPELLS the word for you letter-by-letter. A bot wouldn't even have to use heuristics-based speech recognition, just searching
  • The fundamental problem with captchas is that they are using computers to come up with problems for humans. If a computer can come up with the problem, a computer can come up with the solution.

    Captchas so far are relying on human strengths at visual pe
    • Re: (Score:2, Interesting)

      I hardly ever failed CAPTCHAs before, but ever since RapidShare implemented their new CAPTCHAs it has made me realize how many more people suffer through the annoyance of this. Kinda ironic though, it was supposed to weed out non-humans. Reminds me of the Dilbe
    • If you listen to Google's captcha, you'll see that it is filled with nonsense voices as well as the real voice. You can still make out the real voice, but it's not entirely trivial. A great improvement, like TFA suggests, would be to use complete words rat
    • Re: (Score:3, Insightful)

      As if 400 tries in an hour with a 50% failure rate from one IP wouldn't throw flags with any type of captcha.... I really can't understand how these services can *not* see bots doing this, unless the bots are doing it at slow random intervals...
    • by Keichann (888574) on Friday May 02, @12:40PM (#23276296)
      If only somebody could distribute their bots into a kind of network? Then you'd get traffic arriving from all over the place, that would be significantly more difficult to detect!

      Quick, mod this post down, in case a ne'er-do-well were to get any ideas.
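
Added example, not part of the thread or of any commenter's post: a sketch of the per-IP flagging the comment above describes (400 tries in an hour with a 50% failure rate), together with a site-wide failure-rate check that still fires when the same attempts arrive from many addresses. The thresholds, names and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 3600        # "in an hour", as in the comment
MAX_ATTEMPTS = 100     # assumed per-IP volume limit per window
MAX_FAIL_RATE = 0.30   # assumed failure-rate limit (humans mostly pass)
MIN_PER_IP = 20        # attempts needed before judging one IP's rate
MIN_SITE = 100         # attempts needed before judging the site-wide rate


class SlidingWindow:
    """Attempt and failure counts over the last WINDOW_S seconds."""

    def __init__(self):
        self.events = deque()
        self.fails = 0

    def add(self, ts, solved):
        self.events.append((ts, solved))
        self.fails += not solved
        # Evict attempts that have aged out of the window.
        while self.events[0][0] <= ts - WINDOW_S:
            _, old_solved = self.events.popleft()
            self.fails -= not old_solved

    def suspicious(self, min_sample):
        n = len(self.events)
        return n >= min_sample and self.fails / n > MAX_FAIL_RATE


def analyse(events):
    """events: time-ordered (ts_seconds, ip, solved). Returns (flagged_ips, site_alert)."""
    per_ip, site = defaultdict(SlidingWindow), SlidingWindow()
    flagged, site_alert = set(), False
    for ts, ip, solved in events:
        per_ip[ip].add(ts, solved)
        site.add(ts, solved)
        w = per_ip[ip]
        if len(w.events) > MAX_ATTEMPTS or w.suspicious(MIN_PER_IP):
            flagged.add(ip)
        site_alert = site_alert or site.suspicious(MIN_SITE)
    return flagged, site_alert


# Constructed sample traffic: 400 attempts in one hour, every second one failing.
single_ip = [(i * 9, "203.0.113.7", i % 2 == 0) for i in range(400)]
spread_out = [(i * 9, f"10.0.{i // 250}.{i % 250}", i % 2 == 0) for i in range(400)]

if __name__ == "__main__":
    print(analyse(single_ip))
    print(analyse(spread_out))
```

The per-IP rule catches the single-address case, while the spread-out case trips only the aggregate failure rate, which is why the two checks are kept separate.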