CAPTCHA Busted? Company Claims To Have Broken Protection System 141
sciencehabit writes "A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy. If true, the advance would represent a major breakthrough in artificial intelligence. It would also mean that the internet will have to start looking for a new security system. The problem, however, is that Vicarious has provided little evidence for its claims, though some well-known scientists are behind the work."
90% (Score:5, Insightful)
Re:90% (Score:5, Funny)
And that's their undoing.
Show the user 10 captchas:
If none match -> It's an old bot
If some match -> It's human
It over 90% match -> It's this new algorithm.
There, solved!
Re:90% (Score:5, Insightful)
More like: if solving is not attempted, it's human.
Re:90% (Score:5, Funny)
Re: (Score:2)
And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^
I once tried submitting a tip on a possible terrorism lead to the FBI's website. Then it put up a CAPTCHA, and that pretty much ended it. I hope he didn't blow up anything important.
Re: (Score:1)
And that's their undoing.
Show the user 10 captchas:
If none match -> It's an old bot
If some match -> It's human
It over 90% match -> It's this new algorithm.
There, solved!
If the recaptcha is refreshed twice before being abandoned then that's human.
Re:90% (Score:5, Insightful)
"That's better than my success rate"
Same here, but some overdo it with the use. My phone company uses it on the payment page where you have to enter the invoice number and credit card.
Are they afraid some bot would pay my bills?
Re:90% (Score:5, Interesting)
They probably are worried about bad guys using the payment system in an attempt to verify stolen credit cards by making seemingly-routine purchases that would not seem out of the ordinary and thus would not trip anti-fraud measures.
A small company I used to work for was abused by credit card thieves in this way, and dealing with the fraudulent charges and the resulting chargeback fees was the top non-salary cost for a few months (exceeding even the colocation costs). The problem existed because they allowed users to create either a free or paid account for the service and, if they selected the paid account, they could enter the card information on the sign-up page. Later, they changed it so users would need to create a free account (which required a captcha) and then upgrade it to a paid account in the account settings. Fraudulent charges dropped to essentially nil after that.
If the phone company requires only the invoice number and credit card data to pay a bill (rather than having you create an account, log in, and then pay the bill) then it's likely they're dealing with a similar problem.
Re: (Score:2)
Re: (Score:2, Interesting)
They may have had an issue with people scripting that form to test credit card numbers.
Online payment forms without a limit to the number of tries or a captcha are often used to test a list of CCs to filter out ones that have already been cancelled, reported stolen, were never good to begin with, etc.
In other news... (Score:5, Funny)
I cured cancer, stopped global warming, and found the last missing episodes of Doctor Who.
Just take my word for it.
Re: In other news... (Score:5, Funny)
Re: (Score:3)
Haven't you ever lost anything? Your purse, your car keys? Well, its rather like that. Now you have it, now you don't.
Sean Connery talking about the cure for cancer in the 1992 flick Medicine Man [imdb.com].
http://www.youtube.com/watch?v=gOQOpuD2b3M [youtube.com]
Better than humans (Score:5, Funny)
I wish I could get CAPTCHAs right 90% of the time.
Re:Better than humans (Score:5, Insightful)
And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took to long, and the damn thing wipes out all the fields forcing you to redo the entire page! Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.
Re:Better than humans (Score:4, Informative)
That is really lazy work on the programmers part. It is trivial to use AJAX to submit the form and selectively wipe the captcha field whist refreshing the captcha. Thats what I do when we require a captcha for one reason or another.
Re: (Score:1)
May the fleas of 1000 camels infest the crotch of such developers, and may their arms be to short to scratch.
Re:Better than humans (Score:4, Interesting)
And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took to long, and the damn thing wipes out all the fields forcing you to redo the entire page!
If there's a button to refresh the captcha I click it once to see what happens. If it reloads only the captcha then I take my time filling the form and when I'm finished click it once again, fill the captcha and submit. If however clicking the captcha reload button reloads the entire page, then notepad, reload page, copy-paste, submit it is.
These two "algorithms" have allowed me to experience much less pain and frustration than I otherwise would have had.
Re: (Score:2)
You might be interested in the Lazarus [getlazarus.com] add-on for various browsers (Firefox, Chrome, and Safari) which automatically saves changes made to forms and allows you to easily recover the contents with the click of the mouse. Very handy.
Re: (Score:2)
Thanks!
Re: (Score:3)
Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.
Just mail them a bootlegged Windows 8 DVD.
New security system ? (Score:5, Insightful)
I'm sorry, but I don't consider CAPTCHA a security system.
I would say it's an anti-spam system.
Re: (Score:2)
Re: (Score:1)
Have you looked up the meaning of authentication? Wikipedia says
"Authentication (from Greek: ; real or genuine, from authentes; author) is the act of confirming the truth of an attribute of a datum or entity."
How does confirming the attribute of humanity not qualify as authentication?
Re: (Score:2)
How does confirming the attribute of humanity not qualify as authentication?
Because "authentication" is a term of art that specifically means "proving you are the specific person you say you are". Proving that someone is a human is not proving which specific human they are, and so it is not authentication.
Re: (Score:1)
A system or device used to confirm an attribute of a specific entity implies authentication of said entity, not the quality of it being an entity. There is no way a captcha can prove you are who you say you are.
You've assumed (incorrectly) that the only entities capable of requesting use of a web-form are humans.
In reality humans are a subset of the entities capable of requesting services via web-form, and therefore web forms that are for human use only must authenticate all requests as coming from a human and not an entity impersonating a human.
Re: (Score:3)
Re: (Score:2)
Yeah, I agree, a rate limiter on an authentication system is a security feature.
Never seen it being used that way, but it's possible.
Re: (Score:1)
I would say it's an anti-spam system
Anti-Human System?
Years old (Score:1)
Another researcher had a program that solved captchas with better accuracy years ago. He didn't release it "for the common good".
Re: (Score:2)
Re: (Score:2)
Back in 2008 this apparently happened many times [slashdot.org]. I only recalled the one.
Re: (Score:1)
Another researcher had a program that solved captchas with better accuracy years ago. He didn't release it "for the common good".
Snort. Captcha isn't a security system, it's an anti-spam system which helps slow down bots. You can achieve the same effect with a simple timer.
Captcha has been busted for years, all you have to do is have your bot grab the captcha image, and present it to a real human on a different site. Porn places are traditionally the most common, you can have an army of people breaking captcha without even realizing they're doing it.
The only thing Captcha has really been doing is making it nearly impossible for color
Re: (Score:2)
Re: (Score:2)
That's happened several times. It's an arms race... the current CAPTCHAs you see where there's 2 images to solve, one of which is essentially OCR and the other is an actual scrambled CAPTCHA, is a direct response to the previous versions being solved.
Re: (Score:2)
I broke it a long time ago (Score:3, Insightful)
Re: (Score:3)
I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.
That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.
t
Re: (Score:2)
I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.
That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.
to make a real world analogy, we use shredders to destroy documents. However, if you can throw enough people together in a room over time the can recreate the document in many cases. It's only a question is the effort worth the outcome.
You don't even have to hire people anymore. You can sneak in someone else's captcha onto your web page, then use this real person's entry to submit to the other site.
Captchas are a pox on mankind. http://www.google.com/recaptcha [google.com] claims that they serve 30 million daily. If each one takes just 6 seconds to complete (this is being pretty generous, especially if the first attempt fails), 50,000 man-hours are spent every day just on this idiotic practice. 5.7 man-years. Every single day. There has to be
Re: (Score:2)
FTFY
Re: (Score:1)
Sometimes I think that only one website in the world is generating and captchas, and everyone else is just re-serving the same captchas to each other until some user solves it.
Wish there was some more information (Score:2)
Re:Wish there was some more information (Score:5, Funny)
> Although "Recursive Cortical Network" sounds really cool, it would be nice to, you know, learn a bit about how it WORKS.
It works just like the "Recursive Cortical Network", look it up.
Re: (Score:2)
If you are able to find more information (specifically about Vicarious's "new computational paradigm"), by all means share it.
CAPTCHA isn't one system... (Score:5, Insightful)
This headline makes no sense. CAPTCHA is just a concept, there are hundreds of implementations. I'm sure some of them are crap and only block bots that aren't even trying, some block 100% of bots (and half the humans, too), and most are somewhere in the middle. So what does it mean to "solve CAPTCHA with 90% accuracy?" Does that mean he's tested it on every system out there, and aggregated the results? That would actually be interesting if he has, but more likely he's just tested it on one kinda-crap system that I could probably write a bot in a week to do the same thing.
It does sound like it's built to be more robust, working with more different types of captchas than perhaps many captcha-busting algorithms, but I doubt it's the first of its kind (maybe it uses a new algorithm, but it's still a captcha-buster, that's not new.)
Reverse CAPTCHA (Score:3, Funny)
Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.
Re: (Score:1)
Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.
AHCTPAC ... amiright?
Captcha is a security system? (Score:2)
Security to who? More like an annoyance
Re:Captcha is a security system? (Score:5, Interesting)
Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.
When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.
When it's used to discourage spam, well, it's on the edge of the fuzzy area most people understand by "security". It's protecting the availability of a service, against the threat of spam making it unusable.
Re: (Score:2)
When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.
Rate limiting protects against brute force password attacks, not CAPTCHAs.
Re: (Score:2)
If the bot can't fill out the captcha correctly then the captcha ends up being one bitchin rate limit. They get a blazing 0 responses per second!
Re: (Score:2)
Re: (Score:2)
And what else do you call the process of probabilitically limitting the rate at which information-yielding password tests can be performed?
Re: (Score:2)
I would have thought so. It also makes me think, maybe you can fuck those guys one better too.
I imagine a system that every 200 failed logins or so saves the password and makes it "valid" for 10 minutes serving up bogus messages that indicate success to anyone using it.
a real user having login trouble is unlikely to ever see it, but a cracker having to hand verify every 200th attempt or so would likely make the task cumbersome.
Re: (Score:2)
Re: (Score:2)
Both rate-limiting and captchas protect against brute force password attacks.
Whether you need both (or either) is up for discussion, and probably depends on your application.
Re: (Score:1)
Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.
The difference is that passwords and keyfobs are security measures that are entirely under one's control. You know exactly what your password is and where your keyfob is, or if you can't remember it's your own fault.
Captcha is different, you have to re-type random text that is purposely presented in a manner to induce mistakes. Is it a "t" or an "I" with a bar going across it? Half the time one has to make a guess for the correct answer, and that's what makes them annoying. With passwords and keyfobs no gue
I believe the results are true (Score:2)
From the video, I think they used mathematical optimization. Multiobjective vectorial optimization if I had to guess. The big breakthrough here is that instead of OCR'ing the image they tried to rerun the captcha construction algorithm controlling the random choices the algorithm makes. Each choice is a variable here. Them you implement a function that measures how close this variables get to the CAPTCHA image. Now you use optimization to get to the global minimum of this function.
At least that is how I wou
Re: (Score:2)
Interesting idea. I guess you are right in that given enough time, most captchas could be "bruteforced" with a high accuracy. But that wouldn't be a practical way of braking them.
Okay, what's next? (Score:1)
Re: (Score:3, Interesting)
Re: (Score:1)
Re: (Score:1)
If by "mission accomplished" you mean that the spammer gets his post through - yes. However, it's hard to monetize that success when the requirement for said message getting through is that it's usefully informative or otherwise helpful to the human readers of the forum.
Ultimately, if such a thing happens (I personally foresee anti-CAPTCHA technology evolving into the first proper AI somehow), it will be more of a win for the human users than the spammers. Signal:Noise ratio is the main problem holding back
Semantic capthas? (Score:4, Interesting)
[imagine this as a captcha graphic]
Spell last month.
Or this:
[image]
Type the one that flies:
England Turkey Russia
Or this:
[image]
Type the word for
2 + number of days in a week
Or just to confuse things, split the "challenge" into code + html:
[image]
2 + number of days in a week
[html] What is the number above minus 4, as a word: ___
Re: (Score:2, Insightful)
How do you generate these captchas automatically? Otherwise it's too expensive as you are not able to reuse any of them, or the spammers build a database.
Re: (Score:3)
l-a-s-t m-o-n-t-h
They can all fly (provided they make it through TSA screening)
t-h-e w-o-r-d...nevermind. Already used that.
This one would be trivial to beat if they have already solve the distorted image captcha.
negative two (yeah I know, it's two words)
Re: (Score:1)
Type the one that flies:
England Turkey Russia
They can all fly (provided they make it through TSA screening)
Ever tried getting a country the size of England into checked baggage much less carry-on?
And Russia? Forgettaboutit.
Turkey on the other hand can fly in checked baggage with cat and dog. Or maybe outside plane with Moose and Squirrel but only at low altitude. But I digress.
Re:Semantic capthas? (Score:4, Funny)
Or this:
[image]
Type the one that flies:
England Turkey Russia
"As God as my witness, I thought turkeys could fly"
Re: (Score:2)
The problem with semantic captchas is that if they can be generated and checked by a machine, they can also be solved by one.
Re: (Score:1)
I'm afraid you think too highly of the average user.
Then again, if you are running say a forum, you might want to do this kind of tests on the users. ;)
This does not mean advancements in AI (Score:3, Insightful)
The summary suggests this marks an advancement in AI, but it depends on what AI means. There are generally two areas of AI: 1) artificial "thinking" , and 2) Using advanced algorithms to get things done. Most people think about #1 when you say AI, however solving captcha is just an example of #2. I would argue that #2 really isn't "AI" at all. In fact, all advancements in "AI" are of type #2. Attempts at #1, thus far, have been absolute failures.
Re: (Score:2)
99% of everything reported as "AI" is actually just heuristics (advanced algorithms designed - usually by humans but sometime by random "guesses" like genetic algorithms - to achieve a particular task).
That's when whenever I hear about "AI" taking over, I have to laugh. We're still dicking about with the algorithmic equivalent of flapping our arms faster in order to fly.
Re: (Score:2)
Everything that researches in the 1960s called "AI" we now have. I believe it was Minsky who said "AI is whatever computers can't do yet". Human intelligence is just a bunch of heuristics, for the most part: we're not so special.
Re: (Score:3)
We haven't even figured out whether #1 and #2 are actually different yet...
Re: (Score:3)
Re: (Score:2)
"""
Creating machines that can see the world and make sense of images as humans do is one of the â€oehard problems†in artificial intelligence. Breaking CAPTCHA is a milestone on that roadâ€"if Vicarious has pulled it off.
"""
Prior cutting-edge research demonstrated:
OCR on images of text that have had some distortions and noise added.
Their video showed:
OCR on images of text that have had some distortions and noise added.
Not really seei
Re: (Score:2)
Why is #2 not "AI"? #2 has been considered AI since the beginning of AI. Are you saying we need to change the name of #2 to something else? Why?
#1 has not been a complete failure because #1 and #2 are related. What is "thinking"? It's true that we aren't close to an artificial intelligence passing the Turing test, but we are getting closer every day.
You could say that every day before 2008 was a complete failure in regards towards quantum computing, and every day afterwards a success. Or you could loo
Wonder what is next... (Score:3)
I sort of hope that the CAPTCHA-busting code is just vapor, and it doesn't get released.
If it does come out and get into widespread use, what will likely result are websites likely going another step up the chain and doing more annoying stuff such as requiring access through Facebook, demanding a phone number for SMS authentication (of course, said number ends up getting sold to robodialers), or more intrusive means.
I see some CAPTCHA replacement schemes like counting how many cat butts are facing a person in a row of six photos and inputting the number, but those seem at best a stopgap measure, and block out access to the site to the blind.
Solve or spin (Score:2)
This is great news! (Score:1)
How the spam industry solves CAPTCHAS now (Score:3)
If you read Black Hat World, you find that CAPTCHAs are a solved problem for spammers and fake account creators. The better systems run them through several OCR programs in parallel. [youtube.com] That knocks off about 67% of them. There's a lot of special casing involved, but from the spammer's viewpoint, this is a solved problem. Getting from 67% to 90% would be convenient, but humans aren't at 90%. If all the OCR programs give up, the problem is sent to an outsourced service where low-wage people solve CAPTCHAs all day.
The Black Hat forum system itself makes users play and win a short video game to lock out 'bots.
In other news... (Score:2)
Obligatory XKCD (Score:2)
A meta-captcha (Score:1)
If you found the article worthless, you pass. If you found the dancing letters in the video entertaining, you also pass.
Sorry, but this is not new news (Score:2)
Guardian article from 2008 called 'Captcha is broken, now what?', which in turn references a Captcha-breaking algorithm that was created in 2005, "and demonstrated it by posting automated comments to nearly 100 blogs to demonstrate their vulnerability."
http://www.theguardian.com/technology/2008/aug/28/internet.captcha [theguardian.com]
Alternately... (Score:3)
Alternately... use the alternative audio and run speech recognition on it to solve the captcha.
No one thinks outside the box any more...
Re: (Score:2)
The alt audio I've tried had so much background noise I couldn't figure out what it was saying... Speech recognition would probably do better than me if it applied noise reduction filters first.
Re: (Score:2)
It has been done many times.
There are countless articles and news on the subject, like this one : http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/ [arstechnica.com]
It's the Singularity! (Score:1)
Artificial Intelligence now exceeds human capability.
old news by 17 months. crack this (Score:2)
Most captchas were cracked 17 months ago.
It's time for something that's easier for humans and harder for computers. For example, these images have been tweaked such that the standard routines don't work:
https://bettercgi.com/sb5/ [bettercgi.com]
New algorithm to replace CAPTCHA (Score:2)
I thought it was already broken (Score:1)
Interesting Problem Actually.. (Score:2)
Recaptcha already broken (Score:2)
Recaptcha from google has been broken for awhile. I had it implemented on my site and got about a dozen spam sign-ups a day.
The moment I switched to a local "mycaptcha", which should have been easier to OCR, they stopped dead.