The researchers at Lancaster University in UK and Northwest University and Peking University in China has recently found out a way to get around CAPTCHA security with new artificial intelligence, according to research published in a paper titled Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach.
These researchers finding were showcased at the ACM Conference on Computer and Communication Security (CCS) 2018 in Toronto, Canada.
“Text-based captchas are extensively used to distinguish humans from automated computer programs,” researchers wrote. “While numerous alternatives to text-based captchas have been proposed, many websites and applications still use text-based captchas as a security and authentication mechanism. These include the majority of the top-50 popular websites ranked by alexa.com as of April 2018, including Google, Microsoft, Baidu, and many others.”
The researchers have asserted that their approach is to an effective and text CAPTCHA solver requires far fewer real CAPTCHAs but result in better performance. “We evaluate our approach by applying it to 33 captcha schemes, including 11 schemes that are currently being used by 32 of the top-50 popular websites including Microsoft, Wikipedia, eBay and Google. Our approach is the most capable attack on text captchas seen to date.”
The approach which consists of four steps, which starts with CAPTCHA synthesis, that is followed by preprocessing, training the base solver and fine tuning the base solver.
“What makes some CAPTCHAs raise above these sophisticated attacks are not the CAPTCHAs or challenges themselves, but the risk assessment behind the challenge,” said Shane Martin, software consultant of customer success at NuData Security, a Mastercard company.
“If an attacker used this method to solve CAPTCHA challenges that are built on top of enhanced security solutions such as behavioral biometrics technology, the risk assessment would recognize that an automated system was completing the challenge and would then increase the challenge complexity until the challenge could not be solved. This is why it’s important to avoid CAPTCHAs as standalone products and have them as an interdiction that appears after an accurate risk assessment.”