They tested CAPTCHA against a hacking service specifically designed to break it, but found spammers would be less effective using hacking tools than Amazon's Human Turk – a service that enlists humans who are paid a small fee to perform small tasks that are impossible for computers.
On average, the Image Bypass service succeeded in fooling the test 84 percent of the time, compared to 87 percent success from the Human Turk.
So many CAPTCHA hacks are available that there are clearinghouses competing on the completeness and low cost of their particular collections.
There are also competing APIs for particularly popular tools, leading services that charge as little as $2 per 1,000 successful fake CAPTCHAs, and debates comparing hackers' favorite services.
CAPTCHA is beaten but not broken
Of all the sites they tested, only Google and Recaptcha consistently resisted being cracked, according to the report.
The authors – Elie Bursztein, Matthieu Martin and John C. Mitchell – may have broken CAPTCHA and defined ways others could do so as well, but their results with Google and Recaptcha led them to recommend that web sites use CAPTCHA more wisely rather than throwing it out.
Most sites use fairly generic images as CAPTCHA tests, the paper found. The more generic the image – in the length of the segments of text, form and size of the characters presented and other elements – the easier a CAPTCHA test is to break.
Using specific techniques to make CAPTCHA images harder for 'bots to decode can make the mini-test far more successful both now and in the future, the paper found.
Variation in design of the image is the key. Specifically successful techniques include varying the length of segments, changing colors within the segments, drawing lines through certain characters, making them appear to collapse or be crushed and changing the whole CAPTCHA character scheme a site uses periodically to confuse 'bots that have already beaten.
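The sketch below is an added example, not code from the paper or from any site it tested, showing how a challenge generator could apply each of those variations. The alphabet, palettes, pixel values, weekly rotation period and all function names are constructed assumptions.

```python
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed; look-alikes (I, O, 0, 1) dropped
GLYPH_W = 24                                   # assumed nominal glyph width in pixels
ROTATE_SECONDS = 7 * 24 * 3600                 # assumed rotation period: one week
SCHEMES = [                                    # constructed; a site would tune its own
    {"len": (5, 8), "palette": ["#1b3a57", "#7a1f1f", "#2f5d2f"], "squeeze": (4, 8), "lines": 2},
    {"len": (6, 9), "palette": ["#4b2a63", "#8a5a00", "#0f5c5c"], "squeeze": (6, 10), "lines": 3},
]

def current_scheme(now):
    """Swap the whole character scheme every ROTATE_SECONDS."""
    return SCHEMES[int(now // ROTATE_SECONDS) % len(SCHEMES)]

def plan_challenge(scheme, rnd=None):
    """Return the answer plus per-glyph and per-line drawing parameters."""
    rnd = rnd or secrets.SystemRandom()
    answer = "".join(rnd.choice(ALPHABET)
                     for _ in range(rnd.randint(*scheme["len"])))    # varying length
    x, glyphs = 12, []
    for ch in answer:
        glyphs.append({"ch": ch, "x": x, "y": rnd.randint(30, 42),
                       "rot": rnd.randint(-20, 20),
                       "fill": rnd.choice(scheme["palette"])})        # colour varies per character
        x += GLYPH_W - rnd.randint(*scheme["squeeze"])                # glyphs collapse together
    width = x + GLYPH_W
    lines = [{"y1": rnd.randint(12, 44), "y2": rnd.randint(12, 44),
              "stroke": rnd.choice(scheme["palette"])}
             for _ in range(scheme["lines"])]                         # strokes through the text
    return {"answer": answer, "glyphs": glyphs, "lines": lines, "width": width}

def to_svg(plan):
    """Preview rendering only: SVG <text> exposes the answer in markup, so a
    real deployment would rasterise the plan to a bitmap before serving it."""
    body = "".join(
        f'<text x="{g["x"]}" y="{g["y"]}" fill="{g["fill"]}" font-size="30" '
        f'transform="rotate({g["rot"]} {g["x"]} {g["y"]})">{g["ch"]}</text>'
        for g in plan["glyphs"])
    body += "".join(
        f'<line x1="0" y1="{l["y1"]}" x2="{plan["width"]}" y2="{l["y2"]}" '
        f'stroke="{l["stroke"]}" stroke-width="2"/>' for l in plan["lines"])
    return (f'<svg xmlns="http://www.w3.org/2000/svg" width="{plan["width"]}" '
            f'height="56">{body}</svg>')
```

The expected answer stays on the server with the session; only the rendered image goes to the client.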