Lookup NU author(s): Dr Jeff Yan, Ahmad Salah El Ahmad
This paper reports novel, low-cost attacks on two Yahoo CAPTCHAs - one of them had been deployed until very recently, and the other is still in active use for protecting Yahoo’s global email services. Both schemes are designed to be segmentation resistant - the state of the art suggests that such schemes should rely on segmentation resistance to provide a security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. Our attack achieved a segmentation success rate of around 77% on the first Yahoo scheme. As a result, we estimate that this scheme could be broken with an overall (segmentation and then recognition) success rate of about 60%. This is to date the most successful attack on the scheme. The second Yahoo scheme introduces enhanced security features, and has replaced the first scheme since March 2008. We identified for the first time a side channel attack, which helped us to achieve a segmentation success rate of around 33.4% on the second Yahoo scheme. As a result, we estimate that this scheme could be broken with an overall success rate of about 25.9%. Our results show that spammers never had to employ cheap human labour to pass Yahoo CAPTCHAs. Rather, they could rely on low-cost automated attacks.
Author(s): Yan J, Salah El Ahmad A
Publication type: Report
Publication status: Published
Series Title: School of Computing Science Technical Report Series
Year: 2008
Pages: 3
Print publication date: 01/11/2008
Source Publication Date: November 2008
Report Number: 1127
Institution: School of Computing Science, University of Newcastle upon Tyne
Place Published: Newcastle upon Tyne
URL: http://www.cs.ncl.ac.uk/publications/trs/papers/1127.pdf