Audio CAPTCHAs Cracked; ReCAPTCHA Remains Strong
Falkkin writes "Ars Technica reports that audio CAPTCHAs consisting of only distorted digits or letters can be easy to crack using machine learning techniques. This includes most of the audio CAPTCHAs currently in use on the Web. The reCAPTCHA team has discussed their new audio CAPTCHA, which is resistant to this attack."
It was okay at first, but now it's reached the point where it takes me 3 or 4 tries to finally guess the letters.
It's become more hassle than it's worth. Isn't there a better way to stop bots from getting accounts?
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
If you can make it take a longer time for a human to crack it, it would increase the costs. Double the time, double the cost.
But, say, if it now takes 10 seconds to crack a captcha, it would need to take more than an hour to cost $1 per captcha :-).
I wonder how a web-of-trust system combined with more difficult captchas (more trust -> easier captchas) would work; if a branch of the web is a spammer, it's easier to cut off.. But, this must've been suggested even in this context already, so hit me with the "your spam protection idea doesn't work, because.." form ;-).
I thought reCAPTCHA was susceptible, as if enough bots guess the same answer on an image they will make that a valid answer. Does this not work or has nobody bothered?
IranAir Flight 655 never forget!
One thing we could do more of (though it is not without risks of its own) would be looking at getting the account as only the first step, rather than the last. For instance, some free webmail service could rate limit new accounts to only X emails/hour, or change an account's rate limit according to how spammy its outgoing messages look (or, within a given service, how often other members mark that account's mail as spam). On forums, you could do the same in response to other users' moderation of posts.
This would work relatively poorly for high value things like bank accounts (though high value stuff can be handled by more expensive means, like phone confirmation) but it could be quite useful for low value things like webmail accounts. The task of sorting humans from bots on a single computer-generated task is getting ever harder, particularly if you need to make a binary yes/no decision on the spot; but giving an account greater or lesser resources according to how human its activity looks is much more tractable. It won't be perfect; but it should reduce the value to spammers of the accounts they do get.
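The adaptive limit described in the comment above, as an added sketch that is not part of the original thread: a per-account token bucket whose hourly ceiling grows with account age and shrinks as recipients mark the account's mail as spam. All names, constants and the scoring formula are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values, not taken from any real mail service.
BASE_LIMIT = 10    # messages/hour for a brand-new account
MAX_LIMIT = 500    # ceiling for a long-standing clean account
MIN_LIMIT = 1      # floor: a flagged account is throttled, not locked out
PRIOR_SENT = 20    # smoothing so one report on a tiny sample is not decisive

@dataclass
class Account:
    age_days: float = 0.0
    sent: int = 0             # messages accepted for delivery so far
    spam_reports: int = 0     # recipients who marked a message as spam
    tokens: float = float(BASE_LIMIT)
    last_refill: float = 0.0  # seconds, from a caller-supplied clock

def hourly_limit(acct: Account) -> float:
    """Ceiling grows linearly with age and is scaled down by the report ratio."""
    earned = BASE_LIMIT * (1 + acct.age_days)
    ratio = acct.spam_reports / (acct.sent + PRIOR_SENT)
    trust = max(0.0, 1 - 10 * ratio)   # 10% smoothed report ratio -> zero trust
    return min(MAX_LIMIT, max(MIN_LIMIT, earned * trust))

def try_send(acct: Account, now: float) -> bool:
    """Token bucket: refill at the current limit, spend one token per message."""
    limit = hourly_limit(acct)
    elapsed = now - acct.last_refill
    # Clamping to the current limit also confiscates tokens banked before
    # reports arrived, so a reported account slows down immediately.
    acct.tokens = min(limit, acct.tokens + elapsed * limit / 3600.0)
    acct.last_refill = now
    if acct.tokens < 1:
        return False
    acct.tokens -= 1
    acct.sent += 1
    return True

def report_spam(acct: Account) -> None:
    """Called when a recipient marks one of this account's messages as spam."""
    acct.spam_reports += 1

if __name__ == "__main__":
    bot = Account()  # constructed sample: a new account sending in a burst
    print(sum(try_send(bot, now=0.0) for _ in range(50)), "of 50 accepted")
```

The decision is graded rather than binary: no message is ever classified as bot-written on the spot, the account just earns or loses sending capacity over time.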