CAPTCHA Busted? Company Claims To Have Broken Protection System

sciencehabit writes "A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy. If true, the advance would represent a major breakthrough in artificial intelligence. It would also mean that the internet will have to start looking for a new security system. The problem, however, is that Vicarious has provided little evidence for its claims, though some well-known scientists are behind the work."

90%

[WillgasM]

That's better than my success rate

Re:90%

[hobarrera]

And that's their undoing.
Show the user 10 captchas:
If none match -> It's an old bot
If some match -> It's human
It over 90% match -> It's this new algorithm.

There, solved!

Re:90%

[nospam007]

"That's better than my success rate"

Same here, but some overdo it with the use. My phone company uses it on the payment page where you have to enter the invoice number and credit card.

Are they afraid some bot would pay my bills?

Re:90%

[kav2k]

More like: if solving is not attempted, it's human.

Re:90%

[heypete]

They probably are worried about bad guys using the payment system in an attempt to verify stolen credit cards by making seemingly-routine purchases that would not seem out of the ordinary and thus would not trip anti-fraud measures.

A small company I used to work for was abused by credit card thieves in this way, and dealing with the fraudulent charges and the resulting chargeback fees was the top non-salary cost for a few months (exceeding even the colocation costs). The problem existed because they allowed users to create either a free or paid account for the service and, if they selected the paid account, they could enter the card information on the sign-up page. Later, they changed it so users would need to create a free account (which required a captcha) and then upgrade it to a paid account in the account settings. Fraudulent charges dropped to essentially nil after that.

If the phone company requires only the invoice number and credit card data to pay a bill (rather than having you create an account, log in, and then pay the bill) then it's likely they're dealing with a similar problem.

Re:90%

They may have had an issue with people scripting that form to test credit card numbers.

Online payment forms without a limit to the number of tries or a captcha are often used to test a list of CCs to filter out ones that have already been cancelled, reported stolen, were never good to begin with, etc.

Re:90%

[jythie]

And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^

Re:90%

[interval1066]

They should at least provide a demo, which they'll be doing soon, I hope.

Re:90%

[girlintraining]

And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^

I once tried submitting a tip on a possible terrorism lead to the FBI's website. Then it put up a CAPTCHA, and that pretty much ended it. I hope he didn't blow up anything important.

Re:90%

[wolja]

And that's their undoing.
Show the user 10 captchas:
If none match -> It's an old bot
If some match -> It's human
It over 90% match -> It's this new algorithm.

There, solved!

If the recaptcha is refreshed twice before being abandoned then that's human.

In other news...

[Cyfun]

I cured cancer, stopped global warming, and found the last missing episodes of Doctor Who.

Just take my word for it.

Re: In other news...

[jd2112]

I'll take your word for most of those but I need video proof of the lost Dr .Who episodes.

Re:In other news...

[chill]

Haven't you ever lost anything? Your purse, your car keys? Well, its rather like that. Now you have it, now you don't.

Sean Connery talking about the cure for cancer in the 1992 flick Medicine Man.

http://www.youtube.com/watch?v=gOQOpuD2b3M

Better than humans

[Manfre]

I wish I could get CAPTCHAs right 90% of the time.

Re:Better than humans

[meerling]

Agreed. Heck, even those spammers that for years have been collecting databases of solved captchas for their bots do much better at those damn things than I do.
And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took to long, and the damn thing wipes out all the fields forcing you to redo the entire page! Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.

Re:Better than humans

[doublebackslash]

That is really lazy work on the programmers part. It is trivial to use AJAX to submit the form and selectively wipe the captcha field whist refreshing the captcha. Thats what I do when we require a captcha for one reason or another.

Re:Better than humans

May the fleas of 1000 camels infest the crotch of such developers, and may their arms be to short to scratch.

Re:Better than humans

[alexgieg]

And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took to long, and the damn thing wipes out all the fields forcing you to redo the entire page!

If there's a button to refresh the captcha I click it once to see what happens. If it reloads only the captcha then I take my time filling the form and when I'm finished click it once again, fill the captcha and submit. If however clicking the captcha reload button reloads the entire page, then notepad, reload page, copy-paste, submit it is.

These two "algorithms" have allowed me to experience much less pain and frustration than I otherwise would have had.

Re:Better than humans

[heypete]

You might be interested in the Lazarus add-on for various browsers (Firefox, Chrome, and Safari) which automatically saves changes made to forms and allows you to easily recover the contents with the click of the mouse. Very handy.

Re:Better than humans

[Savage-Rabbit]

Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.

Just mail them a bootlegged Windows 8 DVD.

Re:Better than humans

[alexgieg]

Thanks!

New security system ?

[Lennie]

I'm sorry, but I don't consider CAPTCHA a security system.

I would say it's an anti-spam system.

Re:New security system ?

[Infiniti2000]

It's used to authenticate users into financial institutions. I'd call that a security system. It's true, though, that CAPTCHA is used far more often for anti-spam.

Re:New security system ?

Have you looked up the meaning of authentication? Wikipedia says
"Authentication (from Greek: ; real or genuine, from authentes; author) is the act of confirming the truth of an attribute of a datum or entity."

How does confirming the attribute of humanity not qualify as authentication?

Re:New security system ?

[wagnerrp]

No it doesn't. Putting rate limiters and account lockouts in place limits the frequency in which information can be submitted for authentication. All a CAPTCHA does is increase the cost of a brute force attack.

Re:New security system ?

A system or device used to confirm an attribute of a specific entity implies authentication of said entity, not the quality of it being an entity. There is no way a captcha can prove you are who you say you are.

You've assumed (incorrectly) that the only entities capable of requesting use of a web-form are humans.

In reality humans are a subset of the entities capable of requesting services via web-form, and therefore web forms that are for human use only must authenticate all requests as coming from a human and not an entity impersonating a human.

Re:New security system ?

[JohnFen]

How does confirming the attribute of humanity not qualify as authentication?

Because "authentication" is a term of art that specifically means "proving you are the specific person you say you are". Proving that someone is a human is not proving which specific human they are, and so it is not authentication.

Re:New security system ?

[Lennie]

Yeah, I agree, a rate limiter on an authentication system is a security feature.

Never seen it being used that way, but it's possible.

Re:New security system ?

[danknight48]

I would say it's an anti-spam system

Anti-Human System?

I broke it a long time ago

[key45]

I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

Re:I broke it a long time ago

[Registered+Coward+v2]

I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.

to make a real world analogy, we use shredders to destroy documents. However, if you can throw enough people together in a room over time the can recreate the document in many cases. It's only a question is the effort worth the outcome.

Re:I broke it a long time ago

[Solandri]

I just re-serve the CAPTCHAs on my own popular porn website. Crowdsourcing for the win.

FTFY

Re:I broke it a long time ago

[dj245]

I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.

to make a real world analogy, we use shredders to destroy documents. However, if you can throw enough people together in a room over time the can recreate the document in many cases. It's only a question is the effort worth the outcome.

You don't even have to hire people anymore. You can sneak in someone else's captcha onto your web page, then use this real person's entry to submit to the other site.

Captchas are a pox on mankind. http://www.google.com/recaptcha claims that they serve 30 million daily. If each one takes just 6 seconds to complete (this is being pretty generous, especially if the first attempt fails), 50,000 man-hours are spent every day just on this idiotic practice. 5.7 man-years. Every single day. There has to be a better way.

Re:I broke it a long time ago

[Mirar]

Sometimes I think that only one website in the world is generating and captchas, and everyone else is just re-serving the same captchas to each other until some user solves it.

Wish there was some more information

[harvestsun]

Although "Recursive Cortical Network" sounds really cool, it would be nice to, you know, learn a bit about how it WORKS.

Re:Wish there was some more information

[marcello_dl]

> Although "Recursive Cortical Network" sounds really cool, it would be nice to, you know, learn a bit about how it WORKS.

It works just like the "Recursive Cortical Network", look it up.

Re:Wish there was some more information

[harvestsun]

Their website references the term in a single marketing bullet point, and there is a 404'd link to an article.

If you are able to find more information (specifically about Vicarious's "new computational paradigm"), by all means share it.

CAPTCHA isn't one system...

[neminem]

This headline makes no sense. CAPTCHA is just a concept, there are hundreds of implementations. I'm sure some of them are crap and only block bots that aren't even trying, some block 100% of bots (and half the humans, too), and most are somewhere in the middle. So what does it mean to "solve CAPTCHA with 90% accuracy?" Does that mean he's tested it on every system out there, and aggregated the results? That would actually be interesting if he has, but more likely he's just tested it on one kinda-crap system that I could probably write a bot in a week to do the same thing.

It does sound like it's built to be more robust, working with more different types of captchas than perhaps many captcha-busting algorithms, but I doubt it's the first of its kind (maybe it uses a new algorithm, but it's still a captcha-buster, that's not new.)

Reverse CAPTCHA

Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.

Re:Reverse CAPTCHA

[IwantToKeepAnon]

Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.

AHCTPAC ... amiright?

Captcha is a security system?

[js3]

Security to who? More like an annoyance

Re:Captcha is a security system?

[slim]

Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.

When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.

When it's used to discourage spam, well, it's on the edge of the fuzzy area most people understand by "security". It's protecting the availability of a service, against the threat of spam making it unusable.

Re:Captcha is a security system?

[wagnerrp]

When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.

Rate limiting protects against brute force password attacks, not CAPTCHAs.

Re:Captcha is a security system?

Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.

The difference is that passwords and keyfobs are security measures that are entirely under one's control. You know exactly what your password is and where your keyfob is, or if you can't remember it's your own fault.

Captcha is different, you have to re-type random text that is purposely presented in a manner to induce mistakes. Is it a "t" or an "I" with a bar going across it? Half the time one has to make a guess for the correct answer, and that's what makes them annoying. With passwords and keyfobs no guessing is involved.

Re:Captcha is a security system?

[TheCarp]

If the bot can't fill out the captcha correctly then the captcha ends up being one bitchin rate limit. They get a blazing 0 responses per second!

Re:Captcha is a security system?

[wagnerrp]

If the bot can figure out the captcha correctly even one percent of the time, then it no longer functions as a rate limiter. Without a proper limiter, they just keep retrying with no consequence until they hit something.

Re:Captcha is a security system?

[TsuruchiBrian]

How do you rate limit a botnet?

Re:Captcha is a security system?

[fatphil]

But even *with* a proper limiter (the true scotsman falacy, you didn't get away with it), they still just keep retrying with no consequence until they hit something.

And what else do you call the process of probabilitically limitting the rate at which information-yielding password tests can be performed?

Re:Captcha is a security system?

[TheCarp]

I would have thought so. It also makes me think, maybe you can fuck those guys one better too.
I imagine a system that every 200 failed logins or so saves the password and makes it "valid" for 10 minutes serving up bogus messages that indicate success to anyone using it.

a real user having login trouble is unlikely to ever see it, but a cracker having to hand verify every 200th attempt or so would likely make the task cumbersome.

Re:Captcha is a security system?

[slim]

Both rate-limiting and captchas protect against brute force password attacks.

Whether you need both (or either) is up for discussion, and probably depends on your application.

I believe the results are true

[danielcolchete]

From the video, I think they used mathematical optimization. Multiobjective vectorial optimization if I had to guess. The big breakthrough here is that instead of OCR'ing the image they tried to rerun the captcha construction algorithm controlling the random choices the algorithm makes. Each choice is a variable here. Them you implement a function that measures how close this variables get to the CAPTCHA image. Now you use optimization to get to the global minimum of this function.

At least that is how I would have done it.

Re:I believe the results are true

[Hentes]

Interesting idea. I guess you are right in that given enough time, most captchas could be "bruteforced" with a high accuracy. But that wouldn't be a practical way of braking them.

Semantic capthas?

[davidwr]

[imagine this as a captcha graphic]
Spell last month.

Or this:
[image]
Type the one that flies:
England Turkey Russia

Or this:
[image]
Type the word for
2 + number of days in a week

Or just to confuse things, split the "challenge" into code + html:
[image]
2 + number of days in a week
[html] What is the number above minus 4, as a word: ___

Re:Semantic capthas?

How do you generate these captchas automatically? Otherwise it's too expensive as you are not able to reuse any of them, or the spammers build a database.

Re:Semantic capthas?

[cdrudge]

Spell last month.

l-a-s-t m-o-n-t-h

Type the one that flies:
England Turkey Russia

They can all fly (provided they make it through TSA screening)

Type the word for
2 + number of days in a week

t-h-e w-o-r-d...nevermind. Already used that.

This one would be trivial to beat if they have already solve the distorted image captcha.

2 + number of days in a week
[html] What is the number above minus 4, as a word: ___

negative two (yeah I know, it's two words)

Re:Semantic capthas?

Or this:
[image]
Type the one that flies:
England Turkey Russia

"As God as my witness, I thought turkeys could fly"

Re:Semantic capthas?

[Hentes]

The problem with semantic captchas is that if they can be generated and checked by a machine, they can also be solved by one.

Re:Semantic capthas?

[davidwr]

Type the one that flies:
        England Turkey Russia

They can all fly (provided they make it through TSA screening)

Ever tried getting a country the size of England into checked baggage much less carry-on?

And Russia? Forgettaboutit.

Turkey on the other hand can fly in checked baggage with cat and dog. Or maybe outside plane with Moose and Squirrel but only at low altitude. But I digress.

Re:Semantic capthas?

[Mirar]

I'm afraid you think too highly of the average user.

Then again, if you are running say a forum, you might want to do this kind of tests on the users. ;)

This does not mean advancements in AI

The summary suggests this marks an advancement in AI, but it depends on what AI means. There are generally two areas of AI: 1) artificial "thinking" , and 2) Using advanced algorithms to get things done. Most people think about #1 when you say AI, however solving captcha is just an example of #2. I would argue that #2 really isn't "AI" at all. In fact, all advancements in "AI" are of type #2. Attempts at #1, thus far, have been absolute failures.

Re:This does not mean advancements in AI

[ledow]

99% of everything reported as "AI" is actually just heuristics (advanced algorithms designed - usually by humans but sometime by random "guesses" like genetic algorithms - to achieve a particular task).

That's when whenever I hear about "AI" taking over, I have to laugh. We're still dicking about with the algorithmic equivalent of flapping our arms faster in order to fly.

Re:This does not mean advancements in AI

[mrchaotica]

We haven't even figured out whether #1 and #2 are actually different yet...

Re:This does not mean advancements in AI

[lgw]

Everything that researches in the 1960s called "AI" we now have. I believe it was Minsky who said "AI is whatever computers can't do yet". Human intelligence is just a bunch of heuristics, for the most part: we're not so special.

Re:This does not mean advancements in AI

[Alejux]

Just because something is not a sentient general intelligence or something related to higher thinking, doesn't mean it's not AI. This algorithm works much of the same way we do when trying to identify visual patterns. It uses much more finesse and way less computing power than some of the previous attempts to do the same thing. To say that this is not an advancement in AI is wrong. This whole assumption that the same modules responsible for the higher level thinking needs to responsible for all the other aspects related to vision and other sensory inputs makes no sense. The same way our brain has the somatosensory cortex doing most of the input processing for us, future AI's will have auxiliary systems providing their visual, auditory and haptic processing for them. This is a technology that can and probably will be applied to robots and other autonomous systems in the near future.

Re:This does not mean advancements in AI

[fatphil]

The article says:
"""
Creating machines that can see the world and make sense of images as humans do is one of the â€oehard problems†in artificial intelligence. Breaking CAPTCHA is a milestone on that roadâ€"if Vicarious has pulled it off.
"""

Prior cutting-edge research demonstrated:
OCR on images of text that have had some distortions and noise added.

Their video showed:
OCR on images of text that have had some distortions and noise added.

Not really seeing any new milestones being reached, merely a bit of fine tuning improvements. Even in the restricted problem space of OCRing CAPTCHAs, it's a stretch to say this is much of an advancement.

Re:This does not mean advancements in AI

[TsuruchiBrian]

Why is #2 not "AI"? #2 has been considered AI since the beginning of AI. Are you saying we need to change the name of #2 to something else? Why?

#1 has not been a complete failure because #1 and #2 are related. What is "thinking"? It's true that we aren't close to an artificial intelligence passing the Turing test, but we are getting closer every day.

You could say that every day before 2008 was a complete failure in regards towards quantum computing, and every day afterwards a success. Or you could look at all the little advancements up until the point of the first functional quantum computer as minor successes rather than complete failures.

It all depends on whether your only goal is "create a machine that can pass the Turing test" and everything short of that is a complete failure, or whether "get closer to passing the Turing test" counts as a minor success. We are several orders of magnitude closer to creating AI than we were a century ago. Surely that counts for something even if we are far from complete success.

Wonder what is next...

[mlts]

I sort of hope that the CAPTCHA-busting code is just vapor, and it doesn't get released.

If it does come out and get into widespread use, what will likely result are websites likely going another step up the chain and doing more annoying stuff such as requiring access through Facebook, demanding a phone number for SMS authentication (of course, said number ends up getting sold to robodialers), or more intrusive means.

I see some CAPTCHA replacement schemes like counting how many cat butts are facing a person in a row of six photos and inputting the number, but those seem at best a stopgap measure, and block out access to the site to the blind.

Re:Okay, what's next?

[stewsters]

Obligatory

Re:Years old

Another researcher had a program that solved captchas with better accuracy years ago. He didn't release it "for the common good".

Snort. Captcha isn't a security system, it's an anti-spam system which helps slow down bots. You can achieve the same effect with a simple timer.
Captcha has been busted for years, all you have to do is have your bot grab the captcha image, and present it to a real human on a different site. Porn places are traditionally the most common, you can have an army of people breaking captcha without even realizing they're doing it.

The only thing Captcha has really been doing is making it nearly impossible for colorblind people to access your site.

Solve or spin

[mdsolar]

I wonder if the turning test is: does the subject attempt to solve something too obscure or does in spin for another puzzle. Failing on the poorly made ones instead of rejecting them and going on to the next might show which is a human and which is a machine.

Re:Years old

[jythie]

More likely, link and it still did not happen ^_^

This is great news!

[Biosci777]

Does Download.com have it yet? I need a program like this to help me figure those freaky, wormy wordnumbers out.

How the spam industry solves CAPTCHAS now

[Animats]

If you read Black Hat World, you find that CAPTCHAs are a solved problem for spammers and fake account creators. The better systems run them through several OCR programs in parallel. That knocks off about 67% of them. There's a lot of special casing involved, but from the spammer's viewpoint, this is a solved problem. Getting from 67% to 90% would be convenient, but humans aren't at 90%. If all the OCR programs give up, the problem is sent to an outsourced service where low-wage people solve CAPTCHAs all day.

The Black Hat forum system itself makes users play and win a short video game to lock out 'bots.

In other news...

[Iniamyen]

First reliable text recognition software developed!

Obligatory XKCD

[bigdave42]

http://xkcd.com/810/

A meta-captcha

[TheloniousToady]

If you found the article worthless, you pass. If you found the dancing letters in the video entertaining, you also pass.

Re:Years old

[realityimpaired]

That's happened several times. It's an arms race... the current CAPTCHAs you see where there's 2 images to solve, one of which is essentially OCR and the other is an actual scrambled CAPTCHA, is a direct response to the previous versions being solved.

Sorry, but this is not new news

[Kargan]

Guardian article from 2008 called 'Captcha is broken, now what?', which in turn references a Captcha-breaking algorithm that was created in 2005, "and demonstrated it by posting automated comments to nearly 100 blogs to demonstrate their vulnerability."

http://www.theguardian.com/technology/2008/aug/28/internet.captcha

Alternately...

[tlambert]

Alternately... use the alternative audio and run speech recognition on it to solve the captcha.

No one thinks outside the box any more...

Re:Alternately...

[JWSmythe]

The alt audio I've tried had so much background noise I couldn't figure out what it was saying... Speech recognition would probably do better than me if it applied noise reduction filters first.

Re:Alternately...

[GuB-42]

It has been done many times.
There are countless articles and news on the subject, like this one : http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

Re:Years old

[TsuruchiBrian]

Was it batman?

Re:Years old

[TsuruchiBrian]

If you have 10000 computers trying to hack accounts into 600000 sites, the timers will do nothing. Each computer will make one attempt on each server once every 10 minutes. But the computers as a group will be making 166 attempts per second on each server.

old news by 17 months. crack this

[raymorris]

Most captchas were cracked 17 months ago.
It's time for something that's easier for humans and harder for computers. For example, these images have been tweaked such that the standard routines don't work:

https://bettercgi.com/sb5/

New algorithm to replace CAPTCHA

[AnalogDiehard]

There's a new system on the way called BORE - Back Orifice Recognition Engine. They claim no two are alike. A seat is included with the system.

I thought it was already broken

[zeroryoko1974]

Spammers, and bots seem to have broken it sometime ago, is this something new?

Re:Okay, what's next?

[Akzo]

I don't understand that comic, if users are viewing and being asked to rate the spam posts isn't it mission accomplished for the spammers?

Interesting Problem Actually..

[SuperCharlie]

If you think about it.. what we are asking is... show us something you can do that a computer cant do..through a computer. Mildly mind boggling logic puzzle there.

Re:Years old

[bluefoxlucid]

Back in 2008 this apparently happened many times. I only recalled the one.

Recaptcha already broken

[crossmr]

Recaptcha from google has been broken for awhile. I had it implemented on my site and got about a dozen spam sign-ups a day.

The moment I switched to a local "mycaptcha", which should have been easier to OCR, they stopped dead.

Re:Okay, what's next?

[Anti-Social+Network]

If by "mission accomplished" you mean that the spammer gets his post through - yes. However, it's hard to monetize that success when the requirement for said message getting through is that it's usefully informative or otherwise helpful to the human readers of the forum.

Ultimately, if such a thing happens (I personally foresee anti-CAPTCHA technology evolving into the first proper AI somehow), it will be more of a win for the human users than the spammers. Signal:Noise ratio is the main problem holding back those online communities as far as I can tell. Hell, maybe an artificial spam-intelligence will help us the way targeted advertising was *supposed* to do, and ad moguls still claim it does.

How's this for a new business model: become a useful member of society by providing useful information in accessible places, and then using your new-found credibility to push services that make you money. Sounds a lot like celebrity endorsement, maybe, but perhaps there's a whole market for "computer problem" experts, or "aftermarket automotive modifications" experts, or other niche knowledge bases. Turn your weird passions into cash! OK advertisers, you want a place at the table in whatever form Web 3.0 takes, get on it.