Abstract

This paper reports novel, low-cost attacks on two Yahoo CAPTCHAs: one was deployed until very recently, and the other is still in active use to protect Yahoo's global email services. Both schemes are designed to be segmentation resistant. The state of the art suggests that such schemes should rely on segmentation resistance to provide their security guarantee, since recognising individual characters after segmentation can be done with a high success rate by standard methods such as neural networks. Our attack achieved a segmentation success rate of around 77% on the first Yahoo scheme. As a result, we estimate that this scheme could be broken with an overall (segmentation followed by recognition) success rate of about 60%. This is to date the most successful attack on the scheme. The second Yahoo scheme introduces enhanced security features and has replaced the first scheme since March 2008. We identified, for the first time, a side channel attack that helped us achieve a segmentation success rate of around 33.4% on the second Yahoo scheme. As a result, we estimate that this scheme could be broken with an overall success rate of about 25.9%. Our results show that spammers never had to employ cheap human labour to pass Yahoo CAPTCHAs. Rather, they could rely on low-cost automated attacks.

Keywords

CAPTCHA, Internet security, usability, Yahoo.

CS-TR No. 1127: Is cheap labour behind the scene? Low-cost automated attacks on Yahoo CAPTCHAs
Yan, J., Salah El Ahmad, A.
School of Computing Science, Newcastle University, Nov 2008