Visual CAPTCHAs have been widely used across the Internet to defend against undesirable or malicious bot programs. In this paper, we document how we have broken most such visual schemes provided at Captchaservice.org, a publicly available web service for CAPTCHA generation. These schemes were effectively resistant to attacks conducted using a high-quality Optical Character Recognition program, but were broken with a near 100% success rate by our novel attacks. In contrast to early work that relied on sophisticated computer vision or machine learning algorithms, we used simple pattern recognition algorithms but exploited fatal design errors that we discovered in each scheme. Surprisingly, our simple attacks can also break many other schemes deployed on the Internet at the time of writing: their design had similar errors. We also discuss defence against our attacks and new insights on the design of visual CAPTCHA schemes.

1 The term "breaking CAPTCHA" is ambiguous. For example, when CAPTCHA is interpreted as a simple challenge-response protocol, "breaking CAPTCHA" can mean breaking the protocol, e.g. via a man-in-the-middle or an oracle attack. In this paper, "breaking CAPTCHA" means to write a computer program that automatically solves CAPTCHA challenges; ideally, this task should be as hard as solving the underlying AI problem. ("Breaking CAPTCHA", "breaking a CAPTCHA protocol", and "defeating CAPTCHA-based bot defence" are three different but related notions, as clarified in [15].)