This article describes how certain types of captchas (such as the ones used
by a German online-banking site) can be automatically recognized using
software. The attack does not recognize one particular captcha itself but
exploits a design error allowing to average multiple captchas containing
the same information. The result can be recognized by conventional OCR
programs thereby defeating the captcha.
The detailed article (including sample images) is online here:
Website developers can easily defend against this attack by not
allowing the extraction of a series of different captcha images
with same content. Instead, the image should change only when the
text content changes.
Captcha designers can defend agaist averaging attacks by not using
noise-like distortions. For example, moving and rotaing individual
letters by a large enough distance/angle will spoil averaging by
reducing the contrast in averaged images.
Contact: wwieser (at) gmx -dot- de
PLEASE do not CC me when posting to the list; I am subscribed.