Replacing text puzzles featuring distorted letters with videos as a roadblock against the automated creation of web accounts can reduce user frustration while offering improved security, according to a Canadian start-up. CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) have been used for some …
Fail! Looks trivially easy to break.
This looks like an extremely poor captcha.
You can easily strip out everything (animated background, extra characters) except the characters you want just by filtering on the color red! Oops!
The text also follows the exact same path each time, meaning there are a couple of predictable places where the red text is actually almost aligned normally. It even uses a constant font!
I don't know for sure, but I doubt you even need to OCR this. If you can attach some kind of Flash debugger (run it under a modified gnash?) to the animation as it's running, you can probably just hook into the function that draws red text!
Don't be fooled by Looks
Here are a few interesting things about NuCaptcha I thought I would share.
NuCaptcha does not require Flash, nor is it rendered in Flash. It is a video stream. Before it displays, NuCaptcha determines the capabilities of your web browser and displays it in the highest possible format. For most people that’s using Flash with an H.264 video stream. On the low end it uses an animated GIF.
NuCaptcha also analyses all transactions with a Behavior Analysis System and uses this information to display easy puzzles to legitimate users and progressively more difficult puzzles to people (or bots) attempting to abuse the system.
The security can also be scaled up by increasing the number of letters or grouping them closer together.
Here is a great location with a bunch of answers to questions like those posed here:
Disclaimer: I work for NuCaptcha
Doesn't seem to solve the problem
That's nifty and everything, but if the problem is that people are using sweatshops full of *people* to circumvent the CAPTCHAs, and the proposed solution is one which would make CAPTCHAs a lot harder for bots but not even a little harder for humans, then I think I see a slight problem with the whole idea.
This assumes that computers are significantly cheaper to use than humans.
Forcing the cracking of captchas onto human based methods increases the underlying cost to the spammer.
If this added cost makes the spamming less profitable, then it might reduce either the number of spammers already active or act as a barrier to new entrants.
re: Doesn't seem to solve the problem - but it slows it down
The sweatshops of people will have their productivity hampered (or so goes the theory) as the red text doesn't appear immediately. So say it takes a second to "solve" a normal CAPTCHA, it now takes 2 seconds including scrolling time.
There's still a flaw in that they can quite easily just introduce an assembly-line style to the operation in the sweatshop, i.e. if it's a consistent delay. Even if it's not a consistent delay, just show multiple ones on screen that can be solved when ready.
The fail is aiming at the idea, not anyone's post :-)
Just when I was thinking
Those squiggly words could never be read by humans at all...
Whatever happened to the kittens?
A couple of years ago the folk at b3ta used kittens in CAPTCHAs; the bot or human had to distinguish the kitten from the other life form/object. Has anyone adopted their approach? Seems a lot cheaper than animations!
Been kicking around for ages. Uses llamas and all sorts now.
I can think of at least two ways to break it unless each pic was randomly generated and you have a bottomless collection of pictures.
The problem is any image based CAPTCHA will have a finite library to draw from which can be learnt once.
The example I saw had flickr images drawn from a keyword like "kitten" or "cute", in theory increasing the image pool continuously. However it takes next to no effort to build a list in advance with the same keyword search.
Furthermore, it asked you to pick 3 out of a 3x3 grid of assorted animals. There is a 1.2% chance of correctly guessing at random. In comparison, a regular 8-character alphanumeric text is only 0.000000000035% guessable.
Although image recognition is harder to write than OCR the underlying security was much, much worse.
Finally, the competition was Re-CAPTCHA, which is not only less intrusive to a site's layout but also serves a dual purpose; the kitten-cha never stood a chance.
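As an added example (not from the original thread or from any of the products named in it), a small Python model of the two numbers in the post above: the random-guess success rate of a pick-k-of-n image grid versus an L-character text code, extended with an estimate of how quickly a finite image library is fully observed by someone collecting challenges (the "learnt once" problem). The library size, images per challenge and uniform-sampling assumption are constructed for illustration.

```python
from math import comb, log, ceil


def grid_guess_probability(grid_size: int, pick: int) -> float:
    """Chance of passing a 'pick k of n' image grid with one uniformly random
    guess. Order of the picks is assumed not to matter (the generous case)."""
    return 1.0 / comb(grid_size, pick)


def text_guess_probability(length: int, alphabet: int = 36) -> float:
    """Chance of guessing a text CAPTCHA of `length` symbols drawn from an
    alphabet of `alphabet` symbols (36 = case-insensitive alphanumeric)."""
    return 1.0 / (alphabet ** length)


def expected_library_coverage(library: int, per_challenge: int,
                              challenges: int) -> float:
    """Expected fraction of a finite image library that an observer has seen
    after `challenges` challenges, each showing `per_challenge` distinct images
    sampled uniformly from the library (assumption: independent challenges).
    A given image is absent from one challenge with probability
    1 - per_challenge/library, so it stays unseen across t challenges with
    probability (1 - per_challenge/library)**t."""
    p_unseen = 1.0 - per_challenge / library
    return 1.0 - p_unseen ** challenges


def challenges_to_cover(library: int, per_challenge: int,
                        target: float = 0.99) -> int:
    """Smallest number of challenges after which the expected coverage of the
    library reaches `target` (solve 1 - p_unseen**t >= target for t)."""
    p_unseen = 1.0 - per_challenge / library
    return ceil(log(1.0 - target) / log(p_unseen))


if __name__ == "__main__":
    # The two figures from the post: 3-of-9 grid vs. 8-char alphanumeric text.
    print(f"3 of 3x3 grid: {grid_guess_probability(9, 3):.2%} per guess")
    print(f"8-char text:   {text_guess_probability(8):.3e} per guess")
    # Constructed library: 1000 images, 9 shown per challenge.
    for t in (50, 200, 500):
        cov = expected_library_coverage(1000, 9, t)
        print(f"after {t:4d} challenges ~{cov:.1%} of a 1000-image pool seen")
    print("challenges to see 99% of the pool:", challenges_to_cover(1000, 9))
```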
Asirra - http://blog.offbeatmammal.com/post/2007/03/08/Kittens-and-Puppies-making-the-web-safer.aspx - sadly has a pretty bottomless collection of images as they source them from petfinder
I've not heard of anyone breaking through this one in an automated way
I don't know if KittenAuth is still around, but the folks at Confident Technologies provide a picture recognition captcha that asks the user to click on specific pictures (i.e. something like "Click on the pictures of the dog, the house, and the airplane"). The grid of photos is randomly generated from a dynamic database so they're different every time.
You can see a demo of it here: http://demo.confidenttechnologies.com/captcha/
Asirra is cracked
Philippe Golle from Stanford University wrote a system that is 82.7% accurate at telling apart images of cats and dogs used in Asirra.
This is probably why Microsoft no longer uses Asirra.
Re-CAPTCHA fails in that it provides one OCRable word (can be read by computers) and one non-OCRable word, and only truly validates the OCRable word. The other word can be "guessed" and most likely make it past, since the non-OCRable word is unknown. If they cycle "correctly guessed" non-OCRable words through the system, you may have to make your OCR software a bit better, but Re-CAPTCHA's goal is to "translate" the non-identified words, so more often than not it will assume you guessed correctly.
Won't somebody think of the children!!!
Like the captchas we have now with the odd rude word
Does that mean we might get the odd raunchy video :D
Audio option failage
I checked that out: a voice repeats the required string over and over again, linked by the term "once again".
Now admittedly this is not my field, but that sounds trivially easy to defeat after you've got a record of all possible characters being spoken.
I hate Captchas
Always takes me three goes to get 'em. I actually feel I have achieved something when getting them right first time!
Well, I think it's very secure.
When I go to the website and try it, I get the dotted circle for about 2 minutes and then I get the text: "There was a connection error. Please try again later.", which contains zero Red Letters, so I can't get any further. Very secure!!
And I have tried it a few times....
NOT SURE ABOUT FOXING CLEVER SPAM BOTS
I love the concept of having an animated CAPTCHA, but having it as a Flash movie may be a good way of animating it nicely and adding themes etc.
However, most developers who are trying to send spam will have knowledge of how to decompile Flash movies, or of how to access the Flash movie object to retrieve the text that is being loaded or generated within it. That text can then be grabbed and interpreted by the system trying to send the spam, which can then also read the session variables generated by the CAPTCHA.
If you made this type of CAPTCHA as an animated GIF, it would make the CAPTCHA system more secure and harder for the spam bots to crack.
This is only an opinion and I may be wrong in what I am saying, but I have developed a few systems that can read Flash movies on the fly to grab information.
With the downturn in major economies I welcome the possibility of new enterprises embracing NUCAPTCHA and creating employment opportunities in the field of 'security' busting.
The point is that CAPTCHA that a computer -can- defeat is much less effective.
Something that makes life difficult for a non-US/European CAPTCHA sweatshop worker is a good idea, too. For instance, a special interest messageboard could quiz you on that very interest before allowing unsupervised posting. Peanuts cartoons: "Spell the name of the kid who plays the toy piano. Three attempts." And the question -itself- can appear as a series of video-simulated firework displays, or whatever.
What's wrong with a server-side imagemap?
Remember imagemaps? Fallen from favour, but 'click the only circle inside a triangle' or similar tests are easy to parse for a human, damn hard for a computer, and all the processing is server-side for the imagemap.
Not sure how to make it blindness-proof, but it would cover the bulk of cases quickly, easily and un-OCR-ably.
A big thumbs up.
I'm a fan of common-sense low tech, but how about making it a little more difficult? Use Ajax to submit the locations so several events are involved, e.g. "Click the three triangles in order from shortest to tallest".
"Type the RED moving letters"
(I also don't have sound hardware on most of the machines I use. I don't want things blaring out noise when I visit a site.)
I don't like all that moaning and groaning either.
Put the CAPTCHA on a background of suitably distracting porn and you'll slow the human sweatshops to a crawl.
Solution to CAPTCHA security
Solution to "CAPTCHA" security: just outsource them to a call centre. All you need is plenty of cheap humans with near-zero education or training, and a low-cost iPad device.
I don't go to those web sites
Most of the time I can't read them anyway, so if I get a CAPTCHA and it fails I just abandon the web site and go elsewhere. If they start using animations or things that go bump in the night, I'm outta here.
These things used to be useful - they were used to help correct scanned text of historical documents. I have no idea if they do this now and, if not, it's a shame that they don't as I felt that I was contributing something when trying to type in the name of some strange long forgotten Welsh village.
That was reCAPTCHA. It's still around, except it was bought out by Google, so any warm fuzzy feeling I may have once had about it has evaporated.
FAILs in the making?
This could easily be automated. Two ways:
1. If the voice annotation is the same voice (like those annoying voicemail systems often sound alike), you need only pattern-match on samples of each letter/digit.
2. It is an animated GIF with the text to type in a different colour. Well, you need only analyse a few frames of the image to recognise which part is the static background. This can be discarded leaving you with the wobbling text. Of the wobbling text, you can then filter for which parts of it are non-black (in case red is only one of the choices). This will leave you with various frames of wobbling code characters. Run the pattern recognition on a few frames where the text is in the centre of the image area, when you get three or so that return the same result. This is actually remarkably easy. You simply step through the GIF until you find when the characters are most separated. You use this to isolate each character. I did this manually, but it could be done using software fairly easily. Again, using previous frames to notice which bits move relative to others, it shouldn't be too challenging to identify individual characters. I clipped these out manually and passed them as 300dpi TIFFs to my lame scanning OCR software. It could not cope with uneven characters having different angles from each other, but when passed one by one, it returned the code GPA from the image [no link, it's really long!]
I bet, given this, somebody way smarter than me could throw together some code to break every one of the demo "nu"captchas in an afternoon or two. At least we can say it would be helping to end slave labour...
A simpler solution to human sweatshops
...would be to make them exorbitantly expensive to download repeatedly, like 1MB per instance. The casual user is inconvenienced slightly, sure, but the bandwidth for the spammers dries up immediately. 1000 drones downloading these at once can't do so productively on any connection you'll find in India.
The trouble is, we've seen the spammers outsource CAPTCHAs to dupes on porn sites in the past, but if the inconvenience level is increased for repeat offenders, it'll drive down the throughput.
Sweatshops? Or just porn sites?
Spamgangs have for years been feeding captchas through to front porn websites.
Never underestimate the dogged determination of a spotty teenager to solve the thing in order to see a bit of T&A.
It's even cheaper than a sweatshop and the workers don't get peeved.
Call me cynical, but the fact that NuCaptcha was created by an organization called "Leap Marketing" makes me think that, once they have a large enough user base, advertising will magically find its way into the background of the MP4 video files the system uses.
Yep, stopped me dead.
Interesting idea, horrible implementation
Even if it's only another way to stay one step ahead of the bots, I think it's worth exploring. But even as a proof of concept, that implementation was sorely lacking.
I'm imagining something more like Google's CAPTCHAs, only instead of a fixed distortion it would use a changing distortion, basically the "underwater" effect you've no doubt seen before (but randomized, obviously). And in this case the individual letters (and optionally a background) would move independently. Done well, I think it could very likely be easier for a human while still posing some new challenges to a bot.
Of course I'm not crazy about adding more flash and just to sites, but this would probably still work okay as an animated gif.