Slashdot Mirror

← Back to Stories (view on slashdot.org)

Audio CAPTCHAs Cracked; ReCAPTCHA Remains Strong

Posted by ryuzaki0 on from the captcha-captcha-chameleon dept.

Falkkin writes "Ars Technica reports that audio CAPTCHAs consisting of only distorted digits or letters can be easy to crack using machine learning techniques. This includes most of the audio CAPTCHAs currently in use on the Web. The reCAPTCHA team has discussed their new audio CAPTCHA, which is resistant to this attack."

12 of 157 comments (clear)

  1. I'm sick fo CATCHA by theaveng · · Score: 5, Interesting

    It was okay at first, but now it's reached the point where it takes me 3 or 4 tries to finally guess the letters.

    It's become more hassle than it's worth. Isn't there a better way to stop bots from getting accounts?

    --
    FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    1. Re:I'm sick fo CATCHA by LilGuy · · Score: 4, Interesting

      It's almost gotten to the point where it's easier for the bots to guess the letters than for an actual human.

      Reverse captcha?

      --

      You're nothing; like me.
    2. Re:I'm sick fo CATCHA by socsoc · · Score: 5, Interesting

      A method I use is to put an input field with a name like "subject" in a contact form and then hide it via CSS. Then if that field is populated in the form submission, the server side drops the request.

      It isn't the most accessible-friendly method in the world, but once I started doing this, all spam submissions dropped out. It's not foolproof and it's just another step in an arms race, but I agree that CAPTCHAs have gotten out of hand. They are especially confusing to people who are not tech savvy and don't know why they are trying to decipher a spirograph drawing in order to do something simple on your website.

    3. Re:I'm sick fo CATCHA by lysergic.acid · · Score: 2, Interesting

      meh... i haven't haven't had that hard of a time with CAPTCHAs. occasionally i might get one wrong and have to spend an extra 2-3 seconds to fill out another one, but i think properly implemented CAPTCHAs are still the most effective means of reducing spam submissions/sign-ups.

      i don't think any kind of CAPTCHA will be completely fool-proof, and their effectiveness will inevitably drop over time. but even still they stop 99% of all attacks by blocking all but the smartest AI algorithms and spammers. and the reCAPTCHA method makes the most sense. they're taking problems that have already stumped machine AIs and using it to recover some public benefit from the hordes of botnets out there that would otherwise only be doing harm.

      also, as more and more difficult machine AI problems are employed in common CAPTCHA systems, not only will it push AI development forward, but it will bring us ever closer to the point where spamming is no longer a logical career for the individuals actually smart enough to break such CAPTCHAs. if it takes a PhD in computer science & machine AI to break a standard CAPTCHA, then anyone with the ability to develop effective spambots would have much more interesting, or even lucrative, careers available to them.

      short of this, the only way i see of attacking the spam problem is to go after the companies that hire spammers to advertise their products. the majority of the spam on the web is for products/services produced in the U.S., and these companies often have 800 numbers and accept payment by credit card. they operate out in the open and generally aren't fly by night companies. it's not like spam advertisements are selling black market goods like crystal meth or yellowcake uranium. they're all purportedly "legitimate" registered businesses with traceable bank accounts and public addresses & phone numbers. as long as businesses employing spammers are allowed to operate so brazenly without any legal repercussions, it will continue to be a mainstream practice. however, if you crack down on these scummy businesses then there'll be no money to be made by spammers, and hence no more spam.

    4. Re:I'm sick fo CATCHA by Zebra1024 · · Score: 2, Interesting

      Hmmm - Maybe a good idea for a Firefox add-on. It could "read" the CAPTCHA for you.

  2. Re:It doesn't matter too much anyway... by flux · · Score: 3, Interesting

    If you can make it to a longer time for a human to crack it, it would increase the costs. Double the time, double the cost.

    But, say, if it now takes 10 seconds to crack a captcha, it would need to take more than an hour to cost $1 per captcha :-).

    I wonder how a web-of-trust system combined with more difficult captchas (more trust -> easier captchas) would work; if a branch of the web is a spammer, it's easier to cut off.. But, this must've been suggested even in this context already, so hit me with the "your spam protection idea doesn't work, because.." form ;-).

  3. REPATCHA strong? by RiotingPacifist · · Score: 3, Interesting

    i thought RECAPATCHA was susceptible, as if enough bots guess the same answer on an image they will make that a valid answer. Does this not work or has nobody bothered?

    --
    IranAir Flight 655 never forget!
    1. Re:REPATCHA strong? by Anonymous Coward · · Score: 5, Interesting

      If you get it wrong, they'll temporarily start sending you captchas in which both words are known. The chances of a bot guessing both words correctly are minuscule.

  4. Re:It doesn't matter too much anyway... by poetmatt · · Score: 2, Interesting

    Only until someone finds a way to make cracking the captcha more efficient and suddenly it is back to the original cost to crack the same captcha again. This is what that machine learning is all about.

    Meanwhile, the problem is that this back and forth with captchas is essentially causing programmers who wish to break it, to come up with very complex AI.

    At some point, if the AI is smarter than the person, as mentioned above people won't be able to crack the captcha.

    On this very article the only reason this "captcha has yet to be cracked" is because they just brought it out. Once it gets attention, it'll be cracked like all the rest.

  5. Re:Back to Old School Methods of Verification by fuzzyfuzzyfungus · · Score: 3, Interesting

    One thing we could do more of(though it is not without risks of its own) would be looking at getting the account as only the first step, rather than the last. For instance, some free webmail service could rate limit new accounts to only X emails/hour, or change an account's rate limit according to how spammy its outgoing messages look(or, within a given service, how often other members mark that account's mail as spam). On forums, you could do the same in response to other user's moderation of posts.

    This would work relatively poorly for high value things like bank accounts (though high value stuff can be handled by more expensive means, like phone confirmation) but it could be quite useful for low value things like webmail accounts. The task of sorting humans from bots on a single computer generated task is getting ever harder, particularly if you need to make a binary yes/no decision on the spot; but giving an account greater or lesser resources according to how human its activity looks is much more tractable. It won't be perfect; but it should reduce the value to spammers of the accounts they do get.

  6. Re:Lets go back to human moderation by Progman3K · · Score: 2, Interesting

    And if the posts were held before becoming visible, there wouldn't even have been one.

    The community your are a member of seems to be near this level of completeness.

    Having a few trusted reviewers who read all posts before letting them pass would be the last step.

    People often complain about schemes like this that their messages need to be seen immediately so people can respond immediately but I say having two or three moderators would make the whole process pretty quickly anyway.

    Remember when you used to mail things? THAT took time and the world STILL progressed.

    --
    I don't know the meaning of the word 'don't' - J
  7. CAPTCHA doomed to fail anyway by mcrbids · · Score: 2, Interesting

    Captcha is really security by obscurity. Readily identifiable information is obscured in such a way as the computers (supposedly) can't find it.

    Real security requires a secret. It's as simple as that. So long as the secret can be identified without knowing the secret, your security system is a joke.

    Computers are getting better, faster, smarter, cheaper. Moore's wall gets higher every single year, and soon, it will be routine for computers to match or exceed human intelligence. (It can be argued that they already do, particularly in the case of a certain US President)

    Therefore, anything that relies on human intelligence to "weed out" machine intelligence will eventually fail. Captcha is the testing ground for the passing of the Turing Test!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.