CAPTCHA Busted? Company Claims To Have Broken Protection System
sciencehabit writes "A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy. If true, the advance would represent a major breakthrough in artificial intelligence. It would also mean that the internet will have to start looking for a new security system. The problem, however, is that Vicarious has provided little evidence for its claims, though some well-known scientists are behind the work."
They probably are worried about bad guys using the payment system in an attempt to verify stolen credit cards by making seemingly-routine purchases that would not seem out of the ordinary and thus would not trip anti-fraud measures.
A small company I used to work for was abused by credit card thieves in this way, and dealing with the fraudulent charges and the resulting chargeback fees was the top non-salary cost for a few months (exceeding even the colocation costs). The problem existed because they allowed users to create either a free or paid account for the service and, if they selected the paid account, they could enter the card information on the sign-up page. Later, they changed it so users would need to create a free account (which required a captcha) and then upgrade it to a paid account in the account settings. Fraudulent charges dropped to essentially nil after that.
If the phone company requires only the invoice number and credit card data to pay a bill (rather than having you create an account, log in, and then pay the bill) then it's likely they're dealing with a similar problem.
Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.
When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.
When it's used to discourage spam, well, it's on the edge of the fuzzy area most people understand by "security". It's protecting the availability of a service, against the threat of spam making it unusable.
They may have had an issue with people scripting that form to test credit card numbers.
Online payment forms without a limit to the number of tries or a captcha are often used to test a list of CCs to filter out ones that have already been cancelled, reported stolen, were never good to begin with, etc.
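Added example, not part of any comment in this thread: one way a payment form's operator could spot the card-testing pattern described above from its own attempt log. The log layout, field names, thresholds and sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log: (epoch_seconds, client_ip, card_fingerprint, outcome).
# card_fingerprint stands in for a salted hash of the card number (assumption);
# raw card numbers should never be written to logs.
SAMPLE_ATTEMPTS = [
    (1000, "203.0.113.7", "fp_a1", "declined"),
    (1010, "203.0.113.7", "fp_a2", "declined"),
    (1020, "203.0.113.7", "fp_a3", "approved"),
    (1030, "203.0.113.7", "fp_a4", "declined"),
    (1040, "203.0.113.7", "fp_a5", "declined"),
    # A customer mistyping the same card twice, then succeeding.
    (1100, "198.51.100.20", "fp_b1", "declined"),
    (1130, "198.51.100.20", "fp_b1", "declined"),
    (1160, "198.51.100.20", "fp_b1", "approved"),
    # A shared office address paying several bills hours apart.
    (1000, "192.0.2.44", "fp_c1", "approved"),
    (5000, "192.0.2.44", "fp_c2", "approved"),
    (9000, "192.0.2.44", "fp_c3", "approved"),
    (13000, "192.0.2.44", "fp_c4", "approved"),
]


def flag_card_testing(attempts, window=600, max_cards=3, min_decline_ratio=0.5):
    """Return sorted client IPs that, inside any `window`-second span, tried
    more than `max_cards` distinct cards with a decline ratio of at least
    `min_decline_ratio`."""
    by_client = defaultdict(list)
    for ts, ip, fingerprint, outcome in sorted(attempts):
        by_client[ip].append((ts, fingerprint, outcome))

    flagged = set()
    for ip, events in by_client.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            recent = events[start:end + 1]
            cards = {fp for _, fp, _ in recent}
            declines = sum(1 for _, _, o in recent if o == "declined")
            if len(cards) > max_cards and declines / len(recent) >= min_decline_ratio:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_card_testing(SAMPLE_ATTEMPTS))
```

Counting distinct cards rather than raw attempts keeps a customer who retypes one card from being flagged, while a flagged client can be sent to a captcha or an account login before further attempts.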
[imagine this as a captcha graphic]
Spell last month.
Or this:
[image]
Type the one that flies:
England Turkey Russia
Or this:
[image]
Type the word for
2 + number of days in a week
Or just to confuse things, split the "challenge" into code + html:
[image]
2 + number of days in a week
[html] What is the number above minus 4, as a word: ___
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Obligatory
And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took too long, and the damn thing wipes out all the fields, forcing you to redo the entire page!
If there's a button to refresh the captcha I click it once to see what happens. If it reloads only the captcha then I take my time filling the form and when I'm finished click it once again, fill the captcha and submit. If however clicking the captcha reload button reloads the entire page, then notepad, reload page, copy-paste, submit it is.
These two "algorithms" have allowed me to experience much less pain and frustration than I otherwise would have had.
Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.