Nav:  [home][misc] > [captcha]
 

Captcha Recognition via Averaging

This article describes how certain types of captchas (such as the ones used by a German online-banking site) can be automatically recognized using software. The attack does not recognize one particular captcha itself but exploits a design error allowing to average multiple captchas containing the same information.

Introduction

A captcha (acronym for Completely Automated Public Turing test to tell Computers and Humans Apart") is a challenge-response test frequently used by internet services in order to verify that the user is actually a human rather than a computer program. Commonly, captchas are dynamically created images of random numbers and/or letters. These images are distorted in some way so that the human eye can still recognize them but with the goal to make automatic recognition impossible. Captchas are used e.g. by freemail services to prevent automatic creation of a huge number of email accounts, and also by online banking systems e.g. against automated fraud once TANs are known from a phishing attack.

Averaging

Averaging is a common method in physics to reduce noise in input data. The averaging attack can be used on image-based captchas if the following conditions are met:

  • The predominant distortion in the captcha is of noise-like nature.
  • It is possible to extract a series of different images with the same information encoded in them.

Averaging of a series of images can be used to improve image quality (reduce distortion, or improve signal-to-noise ratio, so to say) of captchas and hence to make them more easily recognizable by OCR (optical character recognition) systems.

This article is not about an especially clever way to defeat a captcha. Instead, what is exploited here, is the fact that noise and payload behave differently on "reload". This allows to separate them and hence defeat the captcha without the need for a sophisticated algorithm.

Example: www.portal-banking.de

Here is a series of captchas from a certain German bank using the online interface provided by www.portal-banking.de. To extract a series of captchas with the same information (number) in them, it is sufficient to repeatedly call their captcha generator. On the left side, you can see the generated captchas, on the right side is an average of this image and all previous ones.

CaptchaAverage CaptchaAverage
n=1 captcha-0 [1kb]captcha-0 [2kb] n=9 captcha-8 [1kb]captcha-8 [2kb]
n=2 captcha-1 [1kb]captcha-1 [2kb] n=10captcha-9 [1kb]captcha-9 [2kb]
n=3 captcha-2 [1kb]captcha-2 [2kb] n=11captcha-10 [1kb]captcha-10 [2kb]
n=4 captcha-3 [1kb]captcha-3 [2kb] n=12captcha-11 [1kb]captcha-11 [1kb]
n=5 captcha-4 [1kb]captcha-4 [2kb] n=13captcha-12 [1kb]captcha-12 [1kb]
n=6 captcha-5 [1kb]captcha-5 [2kb] n=14captcha-13 [1kb]captcha-13 [1kb]
n=7 captcha-6 [1kb]captcha-6 [2kb] n=15captcha-14 [1kb]captcha-14 [1kb]
n=8 captcha-7 [1kb]captcha-7 [2kb] n=16captcha-15 [1kb]captcha-15 [1kb]

The images show a uniform 10x10 pixel grid which is easily removed by averaging the neighbouring off-grid lines and columns (following images scaled up by a factor of 2 without interpolation to be better visible):

Sample Captcha Seq. Average of 16 Grid (Line/Col) Avg
sample captcha [2kb] => average with grid [2kb] => grid removed [3kb]

The blurriness in the upper half stems from higher variation in the input images in that part of the image.

The rightmost image is no particular hard task for an OCR system given the nearly uniform gray background which is easily subtracted. In fact, after removal of the black border (and no further postprocessing; image size 79x18px), the free online OCR engine SimpleOCR correctly converted the above image into "197846".

To make the point, here are some more examples; the image in the center column is the one fed into the OCR engine (average of 16 captchas, then grid removal as pointed out above; the image sent to the OCR service is 79x18px, the images presented below are scaled up by a factor of 2 without interpolation for clarity).

Sample Captcha Average of 16 - Grid OCR
sample captcha [2kb] => grid and frame removed [2kb] => 613891
sample captcha [2kb] => grid and frame removed [2kb] => 542136
sample captcha [2kb] => grid and frame removed [2kb] => 077472

Failure rate: No attempt was made to estimate the failure rate. A total of 4 tests (presented above) was performed and none of them failed.

Countermeasurements

The presented averaging method can easily be defended against:

  • Do not allow the extraction of a series of different captcha images with same content. Instead, only change the distortion when the content changes.
  • Do not produce images with noise-like distortions. For example, moving and rotaing individual letters by a large enough distance/angle will spoil averaging by reducing the contrast in averaged images.

[home] [site map] [Impressum] [Datenschutz/privacy policy]
Valid HTML 4.01!
Copyright © 2007 by Wolfgang Wieser
Last modified: 2007-04-04 01:14:20