Researchers in the Stanford Computer Science Department, working in tandem with researchers from Tulane University and the French National Institute for Research in Computer Science and Control (INRIA), created a program called “deCAPTCHA” that is capable of passing an audio Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA).
Everyday Internet users know CAPTCHA tests as the distorted characters they must interpret for access to certain online content.
The team presented the multi-year project to design the program last May at the Institute for Electronics and Electrical Engineers (IEEE) symposium on security and privacy in Oakland, Calif.
CATPCHAs were created in response to spammers and hackers creating multiple accounts to take advantage of a system. For example, a person could use a program that created hundreds of accounts to simulate popularity of online content on sites such as YouTube, Digg and Reddit. CAPTCHAs are intended to provide a guarantee that each account is made by a person, not a computer program.
Standard CAPTCHAs are widespread and most often take the form of characters that have been distorted and masked with crossing lines. The audio CAPTCHA is an alternate option to the visual CAPTCHA for the visually impaired, combining spoken letters and numbers with background noise to confuse any automated attempt to decode it.
Computer science professor John Mitchell and post-doctoral student Elie Bursztein led a team from the Stanford Security Lab, as well as from other universities, in creating the program dubbed “deCAPTCHA,” which focuses on decrypting the audio-based CAPTCHA.
DeCAPTCHA uses several machine-learning algorithms to create a “smart” program that learns from the examples that it is given. First, deCAPTCHA is fed the raw vowel and number sounds that it is supposed to be listening for. It then listens for these sound patterns in the audio clips it is given by separating the desired sound signals from the rest of the audio pattern.
DeCAPTCHA has the potential to be used maliciously, but researchers hope that presenting the program to security development teams before making the information public will limit damage.
Security companies must deal not only with software developments, but also selling human labor in order to decode CAPTCHAs, often at a rate below $1 per 1,000 CAPTCHAs decoded. Thus, the burden of the CAPTCHA also lies in making a test that distinguishes normal users from people sitting in a room listening to thousands of clips in an hour.
“CAPTCHA is critical to the Open Web that we have which lets anybody anywhere in the world create an account,” Mitchell said. The importance of CAPTCHA makes the success of deCAPTCHA much more troubling, with success rates ranging from 1.5 percent for reCAPTCHA, a company that specializes in hard-to-crack CAPTCHAs, to 82 percent for eBay. ReCAPTCHA success rates may sound low, but it means a brute force attack would still be effective against these websites.
Mitchell recommended specific updates to make CAPTCHAs harder to crack.
“People are pretty good at filtering out predictable noise,” Mitchell said. He suggested introducing background music or repetitive sounds in order to confuse programs like deCAPTCHA, while remaining accessible to users.