back to article Animated CAPTCHA tech aims to fox spambots

Replacing text puzzles featuring distorted letters with videos as a roadblock against the automated creation of web accounts can reduce user frustration while offering improved security, according to a Canadian start-up. CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) have been used for …

COMMENTS

This topic is closed for new posts.
  1. Marky W
    FAIL

    Audio option failage

    I checked that out: a voice repeats the required string over and over again, linked by the term "once again".

    Now admittedly this is not my field, but that sounds trivially easy to defeat after you've got a record of all possible characters being spoken.

  2. Toby Rose
    Welcome

    Whatever happened to the kittens?

    A couple of years ago the folk at b3ta used kittens in CAPTCHAs; the bot or human had to distinguish the kitten from the other life form/object. Has anyone adopted their approach? Seems a lot cheaper than animations!

  3. Aaron Em

    Doesn't seem to solve the problem

    That's nifty and everything, but if the problem is that people are using sweatshops full of *people* to circumvent the CAPTCHAs, and the proposed solution is one which would make CAPTCHAs a lot harder for bots but not even a little harder for humans, then I think I see a slight problem with the whole idea.

  4. Lionel Baden
    Joke

    Wont somebody think of the children !!!

    Like the captchas we have now with the odd rude word

    Does that mean we might get the odd raunchy video :D

  5. N2 Silver badge

    Just when I was thinking

    Those squiggly words could never be read by humans at all...

  6. asdfafas

    Fail! Looks trivially easy to break.

    This looks like an extremely poor captcha.

    You can easily strip out everything (animated background, extra characters) except the characters you want just by filtering on the color red! Oops!

    The text also follows the exact same path each time meaning there are are a couple of predictable places where the red text is actually almost aligned normally. It even uses a constant font!

    I don't know for sure but I doubt you even need to OCR this.. if you can attach some kind of flash debugger (run it under a modified gnash?) to the animation as it's running you can proabably just hook into the function that draws red text!

    1. Anonymous Coward
      Anonymous Coward

      perhaps

      This assumes that computers are significantly cheaper to use than humans.

      Forcing the cracking of captchas onto human based methods increases the underlying cost to the spammer.

      If this added cost makes the spamming less profitable, then it might reduce either the number of spammers already active or act as a barrier to new entrants.

    2. richard 7

      KittenAuth!

      Been kicking around for ages. Uses Llamas and alsorts now.

      I can think of at least two ways to break it unless each pic was randomly generated and you have a bottemless collection of pictures.

    3. Anonymous Bastard
      FAIL

      Also defeatable

      The problem is any image based CAPTCHA will have a finite library to draw from which can be learnt once.

      The example I saw had flickr images drawn from a keyword like "kitten" or "cute", in theory increasing the image pool continuously. However it takes next to no effort to build a list in advance with the same keyword search.

      Furthermore it asked you pick 3 out of a 3x3 grid of assorted animals. There is a 1.2% chance of correctly guessing at random. In comparison a regular 8-character, alphanumeric text is only 0.000000000035% guessable.

      Although image recognition is harder to write than OCR the underlying security was much, much worse.

      Finally the competition was Re-CAPTCHA which is not only less-intrusive to a site's layout but also serves a dual-purpose, the kitten-cha never stood a chance.

      1. OffBeatMammal

        Asirra

        Asirra - http://blog.offbeatmammal.com/post/2007/03/08/Kittens-and-Puppies-making-the-web-safer.aspx - sadly has a pretty bottomless collection of images as they source them from petfinder

        I've not heard of anyone breaking through this one in an automated way

        1. Anonymous Coward
          FAIL

          Asirra is cracked

          http://crypto.stanford.edu/~pgolle/papers/dogcat.html

          Philippe Golle from Stanford University wrote a system that is 82.7% accurate at telling apart images of cats and dogs used in Asirra.

          This is probably why Microsoft no longer uses Asirra.

      2. Ammaross Danan
        FAIL

        ReCAPTCHA

        Re-CAPTCHA fails in that it provides one OCRable word (can be read by computers) and one non-OCRable word, and only truly validates the OCRable word. The other word can be "guessed" and most likely make it past, since the nonOCRable word is unknown. If they cycle "correctly guessed" nonOCRable words through the system, you may have to make your OCR software a bit better, but Re-CAPTCHA's goal is to "translate" the non-identified words, so more often than not, it will assume you guessed correctly.

        Fail.

    4. Annihilator
      FAIL

      re: Doesn't seem to solve the problem - but it slows it down

      The sweatshops of people will have their productivity hampered (or so goes the theory) as the red text doesn't appear immediately. So say it takes a second to "solve" a normal CAPTCHA, it now takes 2 seconds including scrolling time.

      There's still a flaw in that they can quite easily just introduce an assembly-line style to the operation in the sweatshop. i.e. if it's a consistent delay. Even if it's not a consistent delay, just show multiple ones on screen that can be solved when ready.

      The fail is aiming at the idea, not anyone's post :-)

    5. Anonymous Coward
      Anonymous Coward

      Picture Captcha

      I don't know if KittenAuth is still around, but the folks at Confident Technologies provide a picture recognition captcha that asks the user to click on specific pictures (i.e. something like "Click on the pictures of the dog, the house, and the airplane"). The grid of photos is randomly generated from a dynamic database so they're different every time.

      You can see a demo of it here: http://demo.confidenttechnologies.com/captcha/

    6. JulCam
      Go

      Don't be fooled by Looks

      Here are a few interesting things about NuCaptcha I thought I would share.

      NuCaptcha does not require Flash, nor is it rendered in Flash. It is a video stream. Before it displays, NuCaptcha determines the capabilities of your web browser and displays it in the highest possible format. For most people that’s using Flash with an H.264 video stream. On the low end it uses an animated GIF.

      NuCaptcha also analyses all transactions with a Behavior Analysis System and uses this information to display easy puzzles to legitimate users and progressively more difficult puzzles to people (or bots) attempting to abuse the system.

      The security can also be scaled up by increasing the number of letters or grouping them closer together.

      Here is a great location with a bunch of answers to questions like those posed here:

      http://questions.nucaptcha.com/

      Disclaimer: I work for NuCaptcha

  7. David McMahon
    Unhappy

    I hate Captcha's

    Always takes me three goes to get em' I actually feel I have achieved when getting them right first time!

  8. Joe Blogs
    FAIL

    Well, I think it's very secure.

    When I go to the website and try it, I get the dotted circle for about 2 minutes and then I get the text: "There was a connection error. Please try again later.", which contains zero Red Letters, so I can't get any further. Very secure!!

    And I have tried it a few times....

  9. precisionweb

    NOT SURE ABOUT FOXING CLEVER SPAM BOTS

    Hi

    i love the concept of having animated captcha but having it as a flash movie may be a good way of animating it nicely and adding themes etc...

    However, most developers who are trying to send spam will have knowledge about how to decompile flash movies etc.. or access the flash movie object to retrieve the text that is being loaded / generated within the flash movie which can then be grabbed and then interpreted by the system trying to send the spam and then can also read the session variables generated by the captcha.

    If you made this type of captcha as an animated GIF then it would make the captcha system more secure and harder for the spam bots to crack.

    This is only an opinion and I may be wrong it what i am saying but I have developed a few systems that can read flash movies on the fly to grab information.

  10. Robert Carnegie Silver badge

    The point is that CAPTCHA that a computer -can- defeat is much less effective.

    Something that makes life difficult for a non-US/European CAPTCHA sweatshop worker is a good idea, too. For instance, a special interest messageboard could quiz you on that very interest before allowing unsupervised posting. Peanuts cartoons: "Spell the name of the kid who plays the toy piano. Three attempts." And the question -itself- can appear as a series of video-simulated firework displays, or whatever.

  11. Elmer Phud Silver badge
    Pirate

    New jobs

    With the downturn in major economies I welcome the possibility of new enterprises embracing NUCAPTCHA and creating employment opportunites in the field of 'security' busting.

  12. Cliff

    What's wrong with a server-side imagemap?

    Remember imagemaps? Fallen from favour, but 'click the only circle inside a triangle' or similar tests are easy to parse for a human, damn hard for a computer, and all the processing is server-side for the imagemap.

    Not sure how to make it blindness-proof, but it would cover the bulk of cases quickly, easily and un-OCR-ably

    1. Anonymous Bastard
      Thumb Up

      A big thumbs up.

      I'm a fan of common sense low tech but how about making it a little more difficult? Use ajax to submit the locations so several events are involved. eg. "Click the three triangles in order from shortest to tallest"

  13. Jason Bloomberg Silver badge
    Coat

    Tar Pit

    Put the CAPTCHA on a background of suitably distracting porn and you'll slow the human sweatshops to a crawl.

  14. Keris
    FAIL

    "Type the RED moving letters"

    I get no moving letters at all. I don't enable JavaScript for sites I don't know, and I have image animation turned off in Firefox because I find it very distracting. So there's another chunk of the web I can write off, soon I'll give it up altogether...

    (I also don't have sound hardware on most of the machines I use. I don't want things blaring out noise when I visit a site.)

    1. Anonymous Coward
      Thumb Up

      Yer right

      I don't like all that moaning and groaning either.

  15. Anonymous Coward
    Troll

    solution to captchas security

    solution to "CAPTCHAs" security, just out source them to call center,- all you need is plenty cheap human with near zero education training, and low cost ipad device,

  16. Anonymous Coward
    Unhappy

    I don't go to those web sites

    Most of the time i can't read them anyway, so if i get a captcha and it fails i just abandon the web site and go elsewhere. They start using animations or things that go bump in the night and i'm outta here.

  17. BongoJoe
    Welcome

    Remember when...

    These things used to be useful - they were used to help correct scanned text of historical documents. I have no idea if they do this now and, if not, it's a shame that they don't as I felt that I was contributing something when trying to type in the name of some strange long forgotten Welsh village.

    1. Pablo

      reCAPTCHA

      That was reCAPTCHA. It's still around, except it was bought out by Google, so any warm fuzzy feeling I may have once had about it has evaporated.

  18. heyrick Silver badge
    FAIL

    FAILs in the making?

    This could easily be automated. Two ways:

    1. If the voice annotation is the same voice (like those annoying voicemail systems often sound alike), you need only pattern-match on samples of each letter/digit.

    2. It is an animated GIF with the text to type in a different colour. Well, you need only analyse a few frames of the image to recognise which part is the static background. This can be discarded leaving you with the wobbling text. Of the wobbling text, you can then filter for which parts of it are non-black (in case red is only one of the choices). This will leave you with various frames of wobbling code characters. Run the pattern recognition on a few frames where the text is in the centre of the image area, when you get three or so that return the same result. This is actually remarkably easy. You simply step through the GIF until you find when the characters are most separated. You use this to isolate each character. I did this manually, but it could be done using software fairly easily. Again, using previous frames to notice which bits move relative to others, it shouldn't be too challenging to identify individual characters. I clipped these out manually and passed them as 300dpi TIFFs to my lame scanning OCR software. It could not cope with uneven characters having different angles from each other, but when passed one by one, it returned the code GPA from the image [no link, it's really long!]

    I bet, given this, somebody way smarter than me could throw together some code to break every one of the demo "nu"captchas in an afternoon or two. At least we can say it would be helping to end slave labour...

  19. Jeff 11
    Pirate

    A simpler solution to human sweatshops

    ...would be to make them exorbitantly expensive to download repeatedly, like 1MB per instance. The casual user is inconvenienced slightly, sure, but the bandwidth for the spammers dries up immediately. 1000 drones downloading these at once can't do so productively on any connection you'll find in India.

    The trouble is, we've seen the spammers outsource CAPTCHAs to dupes on porn sites in the past, but if the inconvenience level is increased for repeat offenders, it'll drive down the throughput.

  20. Alan Brown Silver badge

    sweatshops? Or just pornsites?

    Spamgangs have for years been feeding captchas through to front porn websites.

    Never underestimate the dogged determination of a spotty teenager to solve the thing in order to see a bit of T&A.

    It's even cheaper than a sweatshop and the workers don't get peeved.

  21. T0ny
    Black Helicopters

    Marketing Ploy?

    Call me cynical, but the fact that nucaptcha was created by an organization called "Leap Marketing" makes me think that, once they have a large enough user base, advertising will magically find it's way into the background of the MP4 video files the system uses.

  22. Winkypop Silver badge
    FAIL

    Connection error

    Yep, stopped me dead.

  23. Pablo

    Interesting idea, horrible implementation

    Even if it's only another way to stay one step ahead of the bots, I think it's worth exploring. But even as a proof of concept, that implementation was sorely lacking.

    I'm imagining something more like Google's CAPTCHAs, only instead of fixed a distortion, it would use a changing distortion, basically the "underwater" effect you've not doubt seen before (but randomized, obviously). And in this case the individual letters (and optionally a background) would move independently. Done well I think it could very likely be easier for a human while still posing some new challenges to a bot.

    Of course I'm not crazy about adding more flash and just to sites, but this would probably still work okay as an animated gif.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019