
CAPTCHA Busted? Company Claims To Have Broken Protection System

Posted by samzenpus
from the spell-this dept.
sciencehabit writes "A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy. If true, the advance would represent a major breakthrough in artificial intelligence. It would also mean that the internet will have to start looking for a new security system. The problem, however, is that Vicarious has provided little evidence for its claims, though some well-known scientists are behind the work."
  • 90% (Score:5, Insightful)

    by WillgasM (1646719) on Monday October 28, 2013 @11:48AM (#45259141) Homepage
    That's better than my success rate
    • Re:90% (Score:5, Funny)

      by hobarrera (2008506) on Monday October 28, 2013 @11:54AM (#45259221) Homepage

      And that's their undoing.
      Show the user 10 captchas:
      If none match -> It's an old bot
      If some match -> It's human
      If over 90% match -> It's this new algorithm.

      There, solved!

      • Re:90% (Score:5, Insightful)

        by kav2k (1545689) on Monday October 28, 2013 @12:07PM (#45259353)

        More like: if solving is not attempted, it's human.

      • Re:90% (Score:5, Funny)

        by jythie (914043) on Monday October 28, 2013 @12:36PM (#45259705)
        And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^
        • And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^

          I once tried submitting a tip on a possible terrorism lead to the FBI's website. Then it put up a CAPTCHA, and that pretty much ended it. I hope he didn't blow up anything important.

      • by wolja (449971)

        And that's their undoing.
        Show the user 10 captchas:
        If none match -> It's an old bot
        If some match -> It's human
        If over 90% match -> It's this new algorithm.

        There, solved!

        If the recaptcha is refreshed twice before being abandoned then that's human.

    • Re:90% (Score:5, Insightful)

      by nospam007 (722110) * on Monday October 28, 2013 @11:59AM (#45259275)

      "That's better than my success rate"

      Same here, but some overdo it with the use. My phone company uses it on the payment page where you have to enter the invoice number and credit card.

      Are they afraid some bot would pay my bills?

      • Re:90% (Score:5, Interesting)

        by heypete (60671) <pete@heypete.com> on Monday October 28, 2013 @12:13PM (#45259437) Homepage

        They probably are worried about bad guys using the payment system in an attempt to verify stolen credit cards by making seemingly-routine purchases that would not seem out of the ordinary and thus would not trip anti-fraud measures.

        A small company I used to work for was abused by credit card thieves in this way, and dealing with the fraudulent charges and the resulting chargeback fees was the top non-salary cost for a few months (exceeding even the colocation costs). The problem existed because they allowed users to create either a free or paid account for the service and, if they selected the paid account, they could enter the card information on the sign-up page. Later, they changed it so users would need to create a free account (which required a captcha) and then upgrade it to a paid account in the account settings. Fraudulent charges dropped to essentially nil after that.

        If the phone company requires only the invoice number and credit card data to pay a bill (rather than having you create an account, log in, and then pay the bill) then it's likely they're dealing with a similar problem.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        They may have had an issue with people scripting that form to test credit card numbers.

        Online payment forms without a limit to the number of tries or a captcha are often used to test a list of CCs to filter out ones that have already been cancelled, reported stolen, were never good to begin with, etc.

  • by Cyfun (667564) on Monday October 28, 2013 @11:49AM (#45259165) Homepage

    I cured cancer, stopped global warming, and found the last missing episodes of Doctor Who.

    Just take my word for it.

  • by Manfre (631065) on Monday October 28, 2013 @11:49AM (#45259167) Homepage Journal

    I wish I could get CAPTCHAs right 90% of the time.

    • by meerling (1487879) on Monday October 28, 2013 @12:06PM (#45259349)
      Agreed. Heck, even those spammers that for years have been collecting databases of solved captchas for their bots do much better at those damn things than I do.
      And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took too long, and the damn thing wipes out all the fields, forcing you to redo the entire page! Those sites I truly despise; I hope their programmers/scripters get a horrible infestation of something nasty.
      • by doublebackslash (702979) <doublebackslash@gmail.com> on Monday October 28, 2013 @12:12PM (#45259411)

        That is really lazy work on the programmer's part. It is trivial to use AJAX to submit the form and selectively wipe the captcha field whilst refreshing the captcha. That's what I do when we require a captcha for one reason or another.

      • by Anonymous Coward

        May the fleas of 1000 camels infest the crotch of such developers, and may their arms be too short to scratch.

      • by alexgieg (948359) <alexgieg@gmail.com> on Monday October 28, 2013 @12:47PM (#45259873) Homepage

        And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took too long, and the damn thing wipes out all the fields, forcing you to redo the entire page!

        If there's a button to refresh the captcha I click it once to see what happens. If it reloads only the captcha then I take my time filling the form and when I'm finished click it once again, fill the captcha and submit. If however clicking the captcha reload button reloads the entire page, then notepad, reload page, copy-paste, submit it is.

        These two "algorithms" have allowed me to experience much less pain and frustration than I otherwise would have had.

        • by heypete (60671)

          You might be interested in the Lazarus [getlazarus.com] add-on for various browsers (Firefox, Chrome, and Safari) which automatically saves changes made to forms and allows you to easily recover the contents with the click of the mouse. Very handy.

      • Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.

        Just mail them a bootlegged Windows 8 DVD.

  • by Lennie (16154) on Monday October 28, 2013 @11:50AM (#45259179) Homepage

    I'm sorry, but I don't consider CAPTCHA a security system.

    I would say it's an anti-spam system.

    • It's used to authenticate users into financial institutions. I'd call that a security system. It's true, though, that CAPTCHA is used far more often for anti-spam.
    • I would say it's an anti-spam system

      Anti-Human System?

  • Another researcher had a program that solved captchas with better accuracy years ago. He didn't release it "for the common good".

    • by Anonymous Coward

      Another researcher had a program that solved captchas with better accuracy years ago. He didn't release it "for the common good".

      Snort. Captcha isn't a security system, it's an anti-spam system which helps slow down bots. You can achieve the same effect with a simple timer.
      Captcha has been busted for years, all you have to do is have your bot grab the captcha image, and present it to a real human on a different site. Porn places are traditionally the most common, you can have an army of people breaking captcha without even realizing they're doing it.

      The only thing Captcha has really been doing is making it nearly impossible for color

      • If you have 10000 computers trying to hack accounts into 600000 sites, the timers will do nothing. Each computer will make one attempt on each server once every 10 minutes. But the computers as a group will be making 166 attempts per second on each server.
    • That's happened several times. It's an arms race... the current CAPTCHAs you see where there's 2 images to solve, one of which is essentially OCR and the other is an actual scrambled CAPTCHA, is a direct response to the previous versions being solved.

    • Was it batman?
  • by key45 (706152) on Monday October 28, 2013 @12:00PM (#45259289) Journal
    I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.
    • I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

      That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.

      t

      • by dj245 (732906)

        I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

        That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.

        To make a real world analogy, we use shredders to destroy documents. However, if you can throw enough people together in a room over time, they can recreate the document in many cases. It's only a question of whether the effort is worth the outcome.

        You don't even have to hire people anymore. You can sneak in someone else's captcha onto your web page, then use this real person's entry to submit to the other site.

        Captchas are a pox on mankind. http://www.google.com/recaptcha [google.com] claims that they serve 30 million daily. If each one takes just 6 seconds to complete (this is being pretty generous, especially if the first attempt fails), 50,000 man-hours are spent every day just on this idiotic practice. 5.7 man-years. Every single day. There has to be

    • by Solandri (704621)

      I just re-serve the CAPTCHAs on my own popular porn website. Crowdsourcing for the win.

      FTFY

    • by Mirar (264502)

      Sometimes I think that only one website in the world is generating any captchas, and everyone else is just re-serving the same captchas to each other until some user solves it.

  • Although "Recursive Cortical Network" sounds really cool, it would be nice to, you know, learn a bit about how it WORKS.
  • by neminem (561346) <neminem@@@gmail...com> on Monday October 28, 2013 @12:05PM (#45259341) Homepage

    This headline makes no sense. CAPTCHA is just a concept, there are hundreds of implementations. I'm sure some of them are crap and only block bots that aren't even trying, some block 100% of bots (and half the humans, too), and most are somewhere in the middle. So what does it mean to "solve CAPTCHA with 90% accuracy?" Does that mean he's tested it on every system out there, and aggregated the results? That would actually be interesting if he has, but more likely he's just tested it on one kinda-crap system that I could probably write a bot in a week to do the same thing.

    It does sound like it's built to be more robust, working with more different types of captchas than perhaps many captcha-busting algorithms, but I doubt it's the first of its kind (maybe it uses a new algorithm, but it's still a captcha-buster, that's not new.)

  • by Anonymous Coward on Monday October 28, 2013 @12:06PM (#45259343)

    Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.

  • Security to who? More like an annoyance

    • by slim (1652) <`ten.puntrah' `ta' `nhoj'> on Monday October 28, 2013 @12:14PM (#45259445) Homepage

      Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.

      When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.

      When it's used to discourage spam, well, it's on the edge of the fuzzy area most people understand by "security". It's protecting the availability of a service, against the threat of spam making it unusable.

      • by wagnerrp (1305589)

        When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.

        Rate limiting protects against brute force password attacks, not CAPTCHAs.

        • by TheCarp (96830)

          If the bot can't fill out the captcha correctly then the captcha ends up being one bitchin rate limit. They get a blazing 0 responses per second!

          • by wagnerrp (1305589)
            If the bot can figure out the captcha correctly even one percent of the time, then it no longer functions as a rate limiter. Without a proper limiter, they just keep retrying with no consequence until they hit something.
            • by fatphil (181876)
              But even *with* a proper limiter (the true Scotsman fallacy, you didn't get away with it), they still just keep retrying with no consequence until they hit something.

              And what else do you call the process of probabilistically limiting the rate at which information-yielding password tests can be performed?
        • How do you rate limit a botnet?
        • by slim (1652)

          Both rate-limiting and captchas protect against brute force password attacks.

          Whether you need both (or either) is up for discussion, and probably depends on your application.
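The subthread above (per-address rate limiting versus CAPTCHAs against a botnet, and the 10000-computers-at-one-guess-per-ten-minutes scenario raised earlier) can be checked with a small model. This is an added example, not code from the thread or any poster; the traffic schedule, the `victim` account and the limiter settings are constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any window of `window_s` seconds."""

    def __init__(self, limit: int, window_s: int) -> None:
        self.limit = limit
        self.window_s = window_s
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: int) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window_s:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def schedule(n_bots: int, interval_s: int, duration_s: int) -> list[tuple[int, str]]:
    """Constructed traffic: every bot guesses once per interval from its own address,
    with start times spread over the interval so the load on the server is smooth."""
    events = []
    for b in range(n_bots):
        t = (interval_s * b) // n_bots
        while t < duration_s:
            events.append((t, f"bot-{b}"))
            t += interval_s
    events.sort()
    return events


def guesses_reaching_password_check(n_bots: int, interval_s: int, duration_s: int,
                                    per_ip: tuple[int, int] | None = None,
                                    per_account: tuple[int, int] | None = None,
                                    target: str = "victim") -> int:
    """Count guesses for `target` that get past the configured limiters.
    per_ip / per_account are (limit, window_s) tuples, or None for no limiter."""
    ip_lim = SlidingWindowLimiter(*per_ip) if per_ip else None
    acct_lim = SlidingWindowLimiter(*per_account) if per_account else None
    passed = 0
    for now, ip in schedule(n_bots, interval_s, duration_s):
        if ip_lim and not ip_lim.allow(ip, now):
            continue
        if acct_lim and not acct_lim.allow(target, now):
            continue
        passed += 1
    return passed


def expected_with_captcha(passed: int, solve_rate: float) -> float:
    """A CAPTCHA that the attacker's solver beats with probability solve_rate only
    scales the guess rate; it does not cap it the way a per-account limiter does."""
    return passed * solve_rate


if __name__ == "__main__":
    # Scenario from the thread: 10000 bots, one guess each per 10 minutes, for 10 minutes.
    args = (10000, 600, 600)
    base = guesses_reaching_password_check(*args)
    print("no limiter:          ", base)
    print("per-IP 5/10min:      ", guesses_reaching_password_check(*args, per_ip=(5, 600)))
    print("per-account 10/10min:", guesses_reaching_password_check(*args, per_account=(10, 600)))
    print("CAPTCHA, 90% solver: ", expected_with_captcha(base, 0.9))
    print("CAPTCHA, 1% solver:  ", expected_with_captcha(base, 0.01))
```

The per-IP limiter never fires because each address stays under its own limit, the per-account limiter caps guesses at its limit however many addresses are used, and the CAPTCHA line only multiplies the count by the solver's accuracy.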

      • by Anonymous Coward

        Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.

        The difference is that passwords and keyfobs are security measures that are entirely under one's control. You know exactly what your password is and where your keyfob is, or if you can't remember it's your own fault.

        Captcha is different, you have to re-type random text that is purposely presented in a manner to induce mistakes. Is it a "t" or an "I" with a bar going across it? Half the time one has to make a guess for the correct answer, and that's what makes them annoying. With passwords and keyfobs no gue

  • From the video, I think they used mathematical optimization. Multiobjective vectorial optimization if I had to guess. The big breakthrough here is that instead of OCR'ing the image they tried to rerun the captcha construction algorithm, controlling the random choices the algorithm makes. Each choice is a variable here. Then you implement a function that measures how close these variables get to the CAPTCHA image. Now you use optimization to get to the global minimum of this function.

    At least that is how I wou

    • by Hentes (2461350)

      Interesting idea. I guess you are right in that given enough time, most captchas could be "bruteforced" with a high accuracy. But that wouldn't be a practical way of breaking them.

  • So we've got OCR nailed. What NP-hard problem do we dupe the spammers into solving for us next? Can we throw halting problem at them, or should we work up to it with traveling salesman first?
    • Re: (Score:3, Interesting)

      by stewsters (1406737)
      Obligatory [xkcd.com]
      • by Akzo (1079039)
        I don't understand that comic, if users are viewing and being asked to rate the spam posts isn't it mission accomplished for the spammers?
        • If by "mission accomplished" you mean that the spammer gets his post through - yes. However, it's hard to monetize that success when the requirement for said message getting through is that it's usefully informative or otherwise helpful to the human readers of the forum.

          Ultimately, if such a thing happens (I personally foresee anti-CAPTCHA technology evolving into the first proper AI somehow), it will be more of a win for the human users than the spammers. Signal:Noise ratio is the main problem holding back

  • Semantic captchas? (Score:4, Interesting)

    by davidwr (791652) on Monday October 28, 2013 @12:17PM (#45259481) Homepage Journal

    [imagine this as a captcha graphic]
    Spell last month.

    Or this:
    [image]
    Type the one that flies:
    England Turkey Russia

    Or this:
    [image]
    Type the word for
    2 + number of days in a week

    Or just to confuse things, split the "challenge" into code + html:
    [image]
    2 + number of days in a week
    [html] What is the number above minus 4, as a word: ___

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      How do you generate these captchas automatically? Otherwise it's too expensive as you are not able to reuse any of them, or the spammers build a database.

    • by cdrudge (68377)

      Spell last month.

      l-a-s-t m-o-n-t-h

      Type the one that flies:
      England Turkey Russia

      They can all fly (provided they make it through TSA screening)

      Type the word for
      2 + number of days in a week

      t-h-e w-o-r-d...nevermind. Already used that.

      This one would be trivial to beat if they have already solve the distorted image captcha.

      2 + number of days in a week
      [html] What is the number above minus 4, as a word: ___

      negative two (yeah I know, it's two words)

      • by davidwr (791652)

        Type the one that flies:
        England Turkey Russia

        They can all fly (provided they make it through TSA screening)

        Ever tried getting a country the size of England into checked baggage much less carry-on?

        And Russia? Forgettaboutit.

        Turkey on the other hand can fly in checked baggage with cat and dog. Or maybe outside plane with Moose and Squirrel but only at low altitude. But I digress.

    • by Anonymous Coward on Monday October 28, 2013 @01:51PM (#45260621)

      Or this:
      [image]
      Type the one that flies:
      England Turkey Russia

      "As God as my witness, I thought turkeys could fly"

    • by Hentes (2461350)

      The problem with semantic captchas is that if they can be generated and checked by a machine, they can also be solved by one.

    • by Mirar (264502)

      I'm afraid you think too highly of the average user.

      Then again, if you are running say a forum, you might want to do this kind of tests on the users. ;)

  • by Anonymous Coward on Monday October 28, 2013 @12:24PM (#45259547)

    The summary suggests this marks an advancement in AI, but it depends on what AI means. There are generally two areas of AI: 1) artificial "thinking" , and 2) Using advanced algorithms to get things done. Most people think about #1 when you say AI, however solving captcha is just an example of #2. I would argue that #2 really isn't "AI" at all. In fact, all advancements in "AI" are of type #2. Attempts at #1, thus far, have been absolute failures.

    • by ledow (319597)

      99% of everything reported as "AI" is actually just heuristics (advanced algorithms designed - usually by humans but sometimes by random "guesses" like genetic algorithms - to achieve a particular task).

      That's why whenever I hear about "AI" taking over, I have to laugh. We're still dicking about with the algorithmic equivalent of flapping our arms faster in order to fly.

      • by lgw (121541)

        Everything that researchers in the 1960s called "AI" we now have. I believe it was Minsky who said "AI is whatever computers can't do yet". Human intelligence is just a bunch of heuristics, for the most part: we're not so special.

    • We haven't even figured out whether #1 and #2 are actually different yet...

    • by Alejux (2800513)
      Just because something is not a sentient general intelligence or something related to higher thinking doesn't mean it's not AI. This algorithm works much the same way we do when trying to identify visual patterns. It uses much more finesse and way less computing power than some of the previous attempts to do the same thing. To say that this is not an advancement in AI is wrong. This whole assumption that the same modules responsible for the higher level thinking need to be responsible for all the ot
    • by fatphil (181876)
      The article says:
      """
      Creating machines that can see the world and make sense of images as humans do is one of the "hard problems" in artificial intelligence. Breaking CAPTCHA is a milestone on that road - if Vicarious has pulled it off.
      """

      Prior cutting-edge research demonstrated:
      OCR on images of text that have had some distortions and noise added.

      Their video showed:
      OCR on images of text that have had some distortions and noise added.

      Not really seei
    • Why is #2 not "AI"? #2 has been considered AI since the beginning of AI. Are you saying we need to change the name of #2 to something else? Why?

      #1 has not been a complete failure because #1 and #2 are related. What is "thinking"? It's true that we aren't close to an artificial intelligence passing the Turing test, but we are getting closer every day.

      You could say that every day before 2008 was a complete failure in regards towards quantum computing, and every day afterwards a success. Or you could loo

  • by mlts (1038732) * on Monday October 28, 2013 @12:25PM (#45259561)

    I sort of hope that the CAPTCHA-busting code is just vapor, and it doesn't get released.

    If it does come out and get into widespread use, what will likely result are websites likely going another step up the chain and doing more annoying stuff such as requiring access through Facebook, demanding a phone number for SMS authentication (of course, said number ends up getting sold to robodialers), or more intrusive means.

    I see some CAPTCHA replacement schemes like counting how many cat butts are facing a person in a row of six photos and inputting the number, but those seem at best a stopgap measure, and block out access to the site to the blind.

  • I wonder if the Turing test is: does the subject attempt to solve something too obscure, or does it spin for another puzzle? Failing on the poorly made ones instead of rejecting them and going on to the next might show which is a human and which is a machine.
  • Does Download.com have it yet? I need a program like this to help me figure those freaky, wormy wordnumbers out.
  • by Animats (122034) on Monday October 28, 2013 @01:05PM (#45260083) Homepage

    If you read Black Hat World, you find that CAPTCHAs are a solved problem for spammers and fake account creators. The better systems run them through several OCR programs in parallel. [youtube.com] That knocks off about 67% of them. There's a lot of special casing involved, but from the spammer's viewpoint, this is a solved problem. Getting from 67% to 90% would be convenient, but humans aren't at 90%. If all the OCR programs give up, the problem is sent to an outsourced service where low-wage people solve CAPTCHAs all day.

    The Black Hat forum system itself makes users play and win a short video game to lock out 'bots.

  • First reliable text recognition software developed!
  • If you found the article worthless, you pass. If you found the dancing letters in the video entertaining, you also pass.

  • Guardian article from 2008 called 'Captcha is broken, now what?', which in turn references a Captcha-breaking algorithm that was created in 2005, "and demonstrated it by posting automated comments to nearly 100 blogs to demonstrate their vulnerability."

    http://www.theguardian.com/technology/2008/aug/28/internet.captcha [theguardian.com]

  • by tlambert (566799) on Monday October 28, 2013 @01:44PM (#45260547)

    Alternately... use the alternative audio and run speech recognition on it to solve the captcha.

    No one thinks outside the box any more...

  • Artificial Intelligence now exceeds human capability.

  • Most captchas were cracked 17 months ago.
    It's time for something that's easier for humans and harder for computers. For example, these images have been tweaked such that the standard routines don't work:

    https://bettercgi.com/sb5/ [bettercgi.com]

  • There's a new system on the way called BORE - Back Orifice Recognition Engine. They claim no two are alike. A seat is included with the system.
  • Spammers, and bots seem to have broken it sometime ago, is this something new?
  • If you think about it.. what we are asking is... show us something you can do that a computer can't do..through a computer. Mildly mind boggling logic puzzle there.
  • Recaptcha from google has been broken for a while. I had it implemented on my site and got about a dozen spam sign-ups a day.

    The moment I switched to a local "mycaptcha", which should have been easier to OCR, they stopped dead.
