Breaking Captcha Code – are images secure?
by Michael Robin Cooke on May.03, 2009, under e-commerce
Sometimes a Spam reply can suggest an interesting topic. This is a Black Hat topic. I don’t recommend Black Hat SEO unless you mean to make your money quickly and get out; otherwise it’s likely the powers that be, Google, will catch on and sabotage your search engine rankings substantially.
What is CAPTCHA? It’s the funky letters you have to type in when filling a form, meant to thwart automation to ensure a person is doing the filling out.
This is an early example of what a Captcha image looks like.
Some Black Hat gurus will occasionally claim to have found a way to bypass the CAPTCHA test and complete forms with automation anyway.
This is of some concern: people often use images of credit card numbers and other highly sensitive data for purposes such as email, on the understanding that images cannot be read digitally as text can. (Never use text in an email to send such sensitive information; a child with a Linux box can collect the information wirelessly.)
Are digital images insecure?
Here’s how CAPTCHA could most likely be bypassed:
- exploiting bugs in the implementation that allow the attacker to completely bypass the CAPTCHA,
- improving character recognition software,
- using cheap human labour to process the tests, or
- brute force: multiple sequential attacks instead of recognition software.
Exploiting bugs: A poor implementation of CAPTCHA could allow a hacker to reuse the session ID of a known Captcha image. A hash used by the Captcha to confirm a correct entry could be cracked. Implementations that only use a limited number of Captcha images would be easily hacked with a limited directory of corresponding hashes. Hashes can also be used to assist an OCR (optical character recognition) attempt.
Character Recognition Software: You may be familiar with this sort of software if you’ve ever scanned printed text into a computer and wanted to edit the text in a word processor. The scanned text has to be converted from an image to text.
When it comes to using this technology to break Captcha code, there are three challenges:
1. Pre-processing: eliminating background ‘noise’ and clutter.
2. Segmentation: separating characters into separate regions.
3. Classification of the character.
Steps 1 and 3 are pretty easy for a computer, but human beings are still better at the segmentation – determining where one letter ends and another begins. If the background clutter resembles letters and connects the letters, computers have a really hard time with it. Here’s a report of automation success in beating captcha.
Cheap Human Labour: A relay attack, where the forms are filled out automatically and the Captcha element is sent to a human worker to fill in, is a vulnerability of the Captcha system. But, of course, this requires employees.
Brute Force: if the Captcha resets with each attempt, it complicates matters for a brute force attack, which usually relies on a static password and many attempts to get the right one.
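The "exploiting bugs" and "brute force" points above both depend on how the server tracks each challenge. The following Python example is added here and is not code from the original post: it keeps the answer on the server (no hash is sent to the client), generates a random challenge every time instead of drawing from a fixed pool, and consumes the challenge on the first verification attempt. The class name, alphabet and 120-second lifetime are assumptions.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed: no look-alike characters
TTL_SECONDS = 120                              # assumption: challenge lifetime


class CaptchaStore:
    """Hypothetical server-side store: the answer never leaves the server."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # challenge_id -> (answer, expires_at)
        self._clock = clock

    def issue(self):
        """Create a fresh random challenge; return (id, text to render as an image)."""
        challenge_id = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[challenge_id] = (answer, self._clock() + TTL_SECONDS)
        return challenge_id, answer

    def verify(self, challenge_id, response):
        """Check a response; the challenge is consumed whether or not it matches."""
        entry = self._pending.pop(challenge_id, None)  # single use: remove first
        if entry is None:
            return False     # unknown id, or an id that was already used
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False     # stale challenge
        guess = response.strip().upper().encode()
        return hmac.compare_digest(answer.encode(), guess)


def demo():
    store = CaptchaStore()
    cid, text = store.issue()
    first = store.verify(cid, text)       # legitimate solve
    replay = store.verify(cid, text)      # same id and answer submitted again
    cid2, text2 = store.issue()
    wrong = store.verify(cid2, "000000")  # '0' is not in ALPHABET, so this always fails
    retry = store.verify(cid2, text2)     # the failed guess already burned the challenge
    return first, replay, wrong, retry


if __name__ == "__main__":
    print(demo())
```

Because a failed guess removes the challenge, every further attempt has to start from a new image, which is the reset-on-each-attempt behaviour described above.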
If you write the code to break Captcha, you are breaking the law: http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act
So if you are thinking of buying software to do this for you, or of selling software that does this for others, you’re dealing in illegal technology.
And really, this is just for Black hat folks trying to automate everything.
So how is this of interest to others?
Well, Captcha isn’t easy to break. So a captcha solution for something like phpbb, which can attract a ton of Spam, can be really effective.
And generally, images are secure, especially if they are non standard letter forms, or standard visual images.
Image Spam, for example, is spam email that reaches your inbox as an image of text instead of simple text, which spam filters examine for troublesome keywords and such.
I don’t recommend spamming; some States have profoundly aggressive laws to punish spam. A customer that might like your site or service may dismiss doing business with you if you reached them with Spam.
But if you were to take advantage of, say, Craigslist.org advertising and wanted to post an ad to multiple cities (a website can be equally relevant worldwide, even), Craigslist may prevent you from posting the same text, but it won’t stop you posting the same image.
And if you ever must send sensitive information by email, an image file is still safer.
15 Comments for this entry
May 4th, 2009 on 7:56 am
Well, interesting angle on things I must say. Never thought of it from this point and I hope others have seen something of interest in it like me.
May 6th, 2009 on 2:36 am
Hi, nice post. I have been pondering this issue, so thanks for sharing. I will probably be subscribing to your site. Keep up the good posts
July 25th, 2009 on 1:06 am
This is a very informative post! Keep up the good work.
January 14th, 2010 on 5:10 pm
Hi and welcome. I’m sorry I missed out on your blog, but I used some of the ones I read as the basis, just to show different styles and ideas.
January 20th, 2010 on 4:08 pm
This site is great!
February 4th, 2010 on 4:54 pm
Thanks so much for the great information. I’ve been doing a lot of research on this over the past few weeks.
March 19th, 2010 on 11:28 pm
Learning how to use private label rights products is easy. All you have to do is find items you would like to offer to your customers and then buy or download them at no cost. Once you have these items in your possession, you can alter them and then sell or give them away. The best thing to do with PLR products is to change it as much as possible, the main reason this is true is that others that have the product may not change the content and you need yours to be as original as possible.
March 20th, 2010 on 2:16 am
I thought of doing this, and found that the plr books I bought, pitched to me as high quality and informative e-books – were just crap.
Really, working as you did in high school writing a paper, the simple discipline of learning a subject by reading articles and books allows you to generate entirely new e-books and articles, and perhaps of a better quality than your source material if you’ve thought on the subject and have personal experience or insights to share.
It’s really the same sort of thing as taking an e-book and rewriting it, but the result, because you’re looking at more than one source, is the best of multiple sources of information and you not only have rights to the work, you can legitimately claim authorship.
It’s not hard to write well, especially information. Think of the problem the person coming to your e-book is hoping to address, and give them really sound advice. It helps to have some expertise in the subject – but if you read many articles and a book or two you can be expert enough to write a very useful book or article.
March 25th, 2010 on 6:42 pm
Just thought I would comment and say neat theme, did you code it yourself? Looks great. If you like to swap the links with us please let me know.
May 8th, 2010 on 8:02 am
There are a lot of ways of cracking Captcha, the easiest one is to hire someone to do it. In fact I stopped using Captcha in my blog because they don’t update their features and spammers just need a little amount of time to learn from anti-spam programs.
May 12th, 2010 on 2:42 pm
Nothing works 100%, but as that’s not a reason to not use a condom, it’s not a reason to not use captcha. The article just illustrates the difficulty in cracking captcha, it’s hard enough anyone able to do it would demand a great deal of money for their efforts I think. The same problem with hiring someone to do it for you.
June 28th, 2010 on 2:12 am
I’ve been reading your blog for a while and to be honest I like it
July 11th, 2010 on 2:55 am
Hey friend, how are you? I like your post and I want to stumble it for my friend but I can’t see your social bookmark widget in this blog. Please help me friend. Thanks
July 11th, 2010 on 2:25 pm
If you use stumbleupon, they have a toolbar you can use. The social bookmark widget is immediately after the blog post, before the links and before the comments.
July 12th, 2010 on 11:15 am
Thanks for the information on proxies. I have been researching proxies for a while now and cannot work out which proxy is finest for me to use. I included a link in my reference which provides an IP address to be entered in to browse. I can not determine if that is what I need to unblock websites.