Captcha Recognition via AveragingThis article describes how certain types of captchas (such as the ones used by a German online-banking site) can be automatically recognized using software. The attack does not recognize one particular captcha itself but exploits a design error allowing to average multiple captchas containing the same information. IntroductionA captcha (acronym for Completely Automated Public Turing test to tell Computers and Humans Apart") is a challenge-response test frequently used by internet services in order to verify that the user is actually a human rather than a computer program. Commonly, captchas are dynamically created images of random numbers and/or letters. These images are distorted in some way so that the human eye can still recognize them but with the goal to make automatic recognition impossible. Captchas are used e.g. by freemail services to prevent automatic creation of a huge number of email accounts, and also by online banking systems e.g. against automated fraud once TANs are known from a phishing attack. AveragingAveraging is a common method in physics to reduce noise in input data. The averaging attack can be used on image-based captchas if the following conditions are met:
Averaging of a series of images can be used to improve image quality (reduce distortion, or improve signal-to-noise ratio, so to say) of captchas and hence to make them more easily recognizable by OCR (optical character recognition) systems. This article is not about an especially clever way to defeat a captcha. Instead, what is exploited here, is the fact that noise and payload behave differently on "reload". This allows to separate them and hence defeat the captcha without the need for a sophisticated algorithm. Example: www.portal-banking.deHere is a series of captchas from a certain German bank using the online interface provided by www.portal-banking.de. To extract a series of captchas with the same information (number) in them, it is sufficient to repeatedly call their captcha generator. On the left side, you can see the generated captchas, on the right side is an average of this image and all previous ones.
The images show a uniform 10x10 pixel grid which is easily removed by averaging the neighbouring off-grid lines and columns (following images scaled up by a factor of 2 without interpolation to be better visible):
The blurriness in the upper half stems from higher variation in the input images in that part of the image. The rightmost image is no particular hard task for an OCR system given the nearly uniform gray background which is easily subtracted. In fact, after removal of the black border (and no further postprocessing; image size 79x18px), the free online OCR engine SimpleOCR correctly converted the above image into "197846". To make the point, here are some more examples; the image in the center column is the one fed into the OCR engine (average of 16 captchas, then grid removal as pointed out above; the image sent to the OCR service is 79x18px, the images presented below are scaled up by a factor of 2 without interpolation for clarity).
Failure rate: No attempt was made to estimate the failure rate. A total of 4 tests (presented above) was performed and none of them failed. CountermeasurementsThe presented averaging method can easily be defended against:
|