Animated CAPTCHA tech aims to fox spambots

Replacing text puzzles featuring distorted letters with videos as a roadblock against the automated creation of web accounts can reduce user frustration while offering improved security, according to a Canadian start-up. CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) have been used for …

COMMENTS

This topic is closed for new posts.
  1. Marky W
    FAIL

    Audio option failage

    I checked that out: a voice repeats the required string over and over again, linked by the term "once again".

    Now admittedly this is not my field, but that sounds trivially easy to defeat after you've got a record of all possible characters being spoken.

  2. Toby Rose
    Welcome

    Whatever happened to the kittens?

    A couple of years ago the folk at b3ta used kittens in CAPTCHAs; the bot or human had to distinguish the kitten from the other life form/object. Has anyone adopted their approach? Seems a lot cheaper than animations!

    1. richard 7

      KittenAuth!

      Been kicking around for ages. Uses Llamas and all sorts now.

      I can think of at least two ways to break it unless each pic was randomly generated and you have a bottomless collection of pictures.

      1. OffBeatMammal

        Asirra

        Asirra - http://blog.offbeatmammal.com/post/2007/03/08/Kittens-and-Puppies-making-the-web-safer.aspx - sadly has a pretty bottomless collection of images as they source them from petfinder

        I've not heard of anyone breaking through this one in an automated way

        1. Anonymous Coward
          FAIL

          Asirra is cracked

          http://crypto.stanford.edu/~pgolle/papers/dogcat.html

          Philippe Golle from Stanford University wrote a system that is 82.7% accurate at telling apart images of cats and dogs used in Asirra.

          This is probably why Microsoft no longer uses Asirra.

    2. Anonymous Bastard
      FAIL

      Also defeatable

      The problem is any image based CAPTCHA will have a finite library to draw from which can be learnt once.

      The example I saw had flickr images drawn from a keyword like "kitten" or "cute", in theory increasing the image pool continuously. However it takes next to no effort to build a list in advance with the same keyword search.

      Furthermore it asked you to pick 3 out of a 3x3 grid of assorted animals. There is a 1.2% chance of correctly guessing at random. In comparison a regular 8-character, alphanumeric text is only 0.000000000035% guessable.

      Although image recognition is harder to write than OCR the underlying security was much, much worse.

      Finally the competition was Re-CAPTCHA which is not only less-intrusive to a site's layout but also serves a dual-purpose, the kitten-cha never stood a chance.

      1. Ammaross Danan
        FAIL

        ReCAPTCHA

        Re-CAPTCHA fails in that it provides one OCRable word (can be read by computers) and one non-OCRable word, and only truly validates the OCRable word. The other word can be "guessed" and most likely make it past, since the nonOCRable word is unknown. If they cycle "correctly guessed" nonOCRable words through the system, you may have to make your OCR software a bit better, but Re-CAPTCHA's goal is to "translate" the non-identified words, so more often than not, it will assume you guessed correctly.

        Fail.

    3. Anonymous Coward

      Picture Captcha

      I don't know if KittenAuth is still around, but the folks at Confident Technologies provide a picture recognition captcha that asks the user to click on specific pictures (i.e. something like "Click on the pictures of the dog, the house, and the airplane"). The grid of photos is randomly generated from a dynamic database so they're different every time.

      You can see a demo of it here: http://demo.confidenttechnologies.com/captcha/

  3. Aaron Em

    Doesn't seem to solve the problem

    That's nifty and everything, but if the problem is that people are using sweatshops full of *people* to circumvent the CAPTCHAs, and the proposed solution is one which would make CAPTCHAs a lot harder for bots but not even a little harder for humans, then I think I see a slight problem with the whole idea.

    1. Anonymous Coward

      perhaps

      This assumes that computers are significantly cheaper to use than humans.

      Forcing the cracking of captchas onto human based methods increases the underlying cost to the spammer.

      If this added cost makes the spamming less profitable, then it might reduce either the number of spammers already active or act as a barrier to new entrants.

    2. Annihilator
      FAIL

      re: Doesn't seem to solve the problem - but it slows it down

      The sweatshops of people will have their productivity hampered (or so goes the theory) as the red text doesn't appear immediately. So say it takes a second to "solve" a normal CAPTCHA, it now takes 2 seconds including scrolling time.

      There's still a flaw in that they can quite easily just introduce an assembly-line style to the operation in the sweatshop. i.e. if it's a consistent delay. Even if it's not a consistent delay, just show multiple ones on screen that can be solved when ready.

      The fail is aiming at the idea, not anyone's post :-)

  4. Lionel Baden
    Joke

    Won't somebody think of the children !!!

    Like the captchas we have now with the odd rude word

    Does that mean we might get the odd raunchy video :D

  5. N2

    Just when I was thinking

    Those squiggly words could never be read by humans at all...

  6. asdfafas

    Fail! Looks trivially easy to break.

    This looks like an extremely poor captcha.

    You can easily strip out everything (animated background, extra characters) except the characters you want just by filtering on the color red! Oops!

    The text also follows the exact same path each time meaning there are a couple of predictable places where the red text is actually almost aligned normally. It even uses a constant font!

    I don't know for sure but I doubt you even need to OCR this.. if you can attach some kind of flash debugger (run it under a modified gnash?) to the animation as it's running you can probably just hook into the function that draws red text!

    1. JulCam
      Go

      Don't be fooled by Looks

      Here are a few interesting things about NuCaptcha I thought I would share.

      NuCaptcha does not require Flash, nor is it rendered in Flash. It is a video stream. Before it displays, NuCaptcha determines the capabilities of your web browser and displays it in the highest possible format. For most people that’s using Flash with an H.264 video stream. On the low end it uses an animated GIF.

      NuCaptcha also analyses all transactions with a Behavior Analysis System and uses this information to display easy puzzles to legitimate users and progressively more difficult puzzles to people (or bots) attempting to abuse the system.

      The security can also be scaled up by increasing the number of letters or grouping them closer together.

      Here is a great location with a bunch of answers to questions like those posed here:

      http://questions.nucaptcha.com/

      Disclaimer: I work for NuCaptcha

  7. David McMahon
    Unhappy

    I hate Captchas

    Always takes me three goes to get 'em. I actually feel I have achieved when getting them right first time!

  8. Joe Blogs
    FAIL

    Well, I think it's very secure.

    When I go to the website and try it, I get the dotted circle for about 2 minutes and then I get the text: "There was a connection error. Please try again later.", which contains zero Red Letters, so I can't get any further. Very secure!!

    And I have tried it a few times....

  9. precisionweb

    NOT SURE ABOUT FOXING CLEVER SPAM BOTS

    Hi

    I love the concept of having animated captcha but having it as a flash movie may be a good way of animating it nicely and adding themes etc...

    However, most developers who are trying to send spam will have knowledge about how to decompile flash movies etc.. or access the flash movie object to retrieve the text that is being loaded / generated within the flash movie which can then be grabbed and then interpreted by the system trying to send the spam and then can also read the session variables generated by the captcha.

    If you made this type of captcha as an animated GIF then it would make the captcha system more secure and harder for the spam bots to crack.

    This is only an opinion and I may be wrong in what I am saying but I have developed a few systems that can read flash movies on the fly to grab information.

  10. Robert Carnegie Silver badge

    The point is that CAPTCHA that a computer -can- defeat is much less effective.

    Something that makes life difficult for a non-US/European CAPTCHA sweatshop worker is a good idea, too. For instance, a special interest messageboard could quiz you on that very interest before allowing unsupervised posting. Peanuts cartoons: "Spell the name of the kid who plays the toy piano. Three attempts." And the question -itself- can appear as a series of video-simulated firework displays, or whatever.

  11. Elmer Phud
    Pirate

    New jobs

    With the downturn in major economies I welcome the possibility of new enterprises embracing NUCAPTCHA and creating employment opportunities in the field of 'security' busting.

  12. Cliff

    What's wrong with a server-side imagemap?

    Remember imagemaps? Fallen from favour, but 'click the only circle inside a triangle' or similar tests are easy to parse for a human, damn hard for a computer, and all the processing is server-side for the imagemap.

    Not sure how to make it blindness-proof, but it would cover the bulk of cases quickly, easily and un-OCR-ably

    1. Anonymous Bastard
      Thumb Up

      A big thumbs up.

      I'm a fan of common sense low tech but how about making it a little more difficult? Use ajax to submit the locations so several events are involved. eg. "Click the three triangles in order from shortest to tallest"

  13. Jason Bloomberg Silver badge
    Coat

    Tar Pit

    Put the CAPTCHA on a background of suitably distracting porn and you'll slow the human sweatshops to a crawl.

  14. Keris
    FAIL

    "Type the RED moving letters"

    I get no moving letters at all. I don't enable JavaScript for sites I don't know, and I have image animation turned off in Firefox because I find it very distracting. So there's another chunk of the web I can write off, soon I'll give it up altogether...

    (I also don't have sound hardware on most of the machines I use. I don't want things blaring out noise when I visit a site.)

    1. Anonymous Coward
      Thumb Up

      Yer right

      I don't like all that moaning and groaning either.

  15. Anonymous Coward
    Troll

    solution to captchas security

    solution to "CAPTCHAs" security, just outsource them to a call center - all you need is plenty of cheap humans with near zero education training, and low cost iPad devices.

  16. Anonymous Coward
    Unhappy

    I don't go to those web sites

    Most of the time I can't read them anyway, so if I get a captcha and it fails I just abandon the web site and go elsewhere. They start using animations or things that go bump in the night and I'm outta here.

  17. BongoJoe
    Welcome

    Remember when...

    These things used to be useful - they were used to help correct scanned text of historical documents. I have no idea if they do this now and, if not, it's a shame that they don't as I felt that I was contributing something when trying to type in the name of some strange long forgotten Welsh village.

    1. Pablo

      reCAPTCHA

      That was reCAPTCHA. It's still around, except it was bought out by Google, so any warm fuzzy feeling I may have once had about it has evaporated.

  18. heyrick Silver badge
    FAIL

    FAILs in the making?

    This could easily be automated. Two ways:

    1. If the voice annotation is the same voice (like those annoying voicemail systems often sound alike), you need only pattern-match on samples of each letter/digit.

    2. It is an animated GIF with the text to type in a different colour. Well, you need only analyse a few frames of the image to recognise which part is the static background. This can be discarded leaving you with the wobbling text. Of the wobbling text, you can then filter for which parts of it are non-black (in case red is only one of the choices). This will leave you with various frames of wobbling code characters. Run the pattern recognition on a few frames where the text is in the centre of the image area, when you get three or so that return the same result. This is actually remarkably easy. You simply step through the GIF until you find when the characters are most separated. You use this to isolate each character. I did this manually, but it could be done using software fairly easily. Again, using previous frames to notice which bits move relative to others, it shouldn't be too challenging to identify individual characters. I clipped these out manually and passed them as 300dpi TIFFs to my lame scanning OCR software. It could not cope with uneven characters having different angles from each other, but when passed one by one, it returned the code GPA from the image [no link, it's really long!]

    I bet, given this, somebody way smarter than me could throw together some code to break every one of the demo "nu"captchas in an afternoon or two. At least we can say it would be helping to end slave labour...

  19. Jeff 11
    Pirate

    A simpler solution to human sweatshops

    ...would be to make them exorbitantly expensive to download repeatedly, like 1MB per instance. The casual user is inconvenienced slightly, sure, but the bandwidth for the spammers dries up immediately. 1000 drones downloading these at once can't do so productively on any connection you'll find in India.

    The trouble is, we've seen the spammers outsource CAPTCHAs to dupes on porn sites in the past, but if the inconvenience level is increased for repeat offenders, it'll drive down the throughput.

  20. Alan Brown Silver badge

    sweatshops? Or just pornsites?

    Spamgangs have for years been feeding captchas through to front porn websites.

    Never underestimate the dogged determination of a spotty teenager to solve the thing in order to see a bit of T&A.

    It's even cheaper than a sweatshop and the workers don't get peeved.

  21. T0ny
    Black Helicopters

    Marketing Ploy?

    Call me cynical, but the fact that nucaptcha was created by an organization called "Leap Marketing" makes me think that, once they have a large enough user base, advertising will magically find its way into the background of the MP4 video files the system uses.

  22. Winkypop Silver badge
    FAIL

    Connection error

    Yep, stopped me dead.

  23. Pablo

    Interesting idea, horrible implementation

    Even if it's only another way to stay one step ahead of the bots, I think it's worth exploring. But even as a proof of concept, that implementation was sorely lacking.

    I'm imagining something more like Google's CAPTCHAs, only instead of a fixed distortion, it would use a changing distortion, basically the "underwater" effect you've no doubt seen before (but randomized, obviously). And in this case the individual letters (and optionally a background) would move independently. Done well I think it could very likely be easier for a human while still posing some new challenges to a bot.

    Of course I'm not crazy about adding more flash and just to sites, but this would probably still work okay as an animated gif.
