Slashdot Mirror


CAPTCHA Busted? Company Claims To Have Broken Protection System

sciencehabit writes "A software company called Vicarious claims to have created a computer algorithm that can solve CAPTCHA with greater than 90% accuracy. If true, the advance would represent a major breakthrough in artificial intelligence. It would also mean that the internet will have to start looking for a new security system. The problem, however, is that Vicarious has provided little evidence for its claims, though some well-known scientists are behind the work."

37 of 141 comments

  1. 90% by WillgasM · · Score: 5, Insightful

    That's better than my success rate

    1. Re:90% by hobarrera · · Score: 5, Funny

      And that's their undoing.
      Show the user 10 captchas:
      If none match -> It's an old bot
      If some match -> It's human
      If over 90% match -> It's this new algorithm.

      There, solved!

    2. Re:90% by nospam007 · · Score: 5, Insightful

      "That's better than my success rate"

      Same here, but some overdo it with the use. My phone company uses it on the payment page where you have to enter the invoice number and credit card.

      Are they afraid some bot would pay my bills?

    3. Re:90% by kav2k · · Score: 4, Insightful

      More like: if solving is not attempted, it's human.

    4. Re:90% by heypete · · Score: 5, Interesting

      They probably are worried about bad guys using the payment system in an attempt to verify stolen credit cards by making seemingly-routine purchases that would not seem out of the ordinary and thus would not trip anti-fraud measures.

      A small company I used to work for was abused by credit card thieves in this way, and dealing with the fraudulent charges and the resulting chargeback fees was the top non-salary cost for a few months (exceeding even the colocation costs). The problem existed because they allowed users to create either a free or paid account for the service and, if they selected the paid account, they could enter the card information on the sign-up page. Later, they changed it so users would need to create a free account (which required a captcha) and then upgrade it to a paid account in the account settings. Fraudulent charges dropped to essentially nil after that.

      If the phone company requires only the invoice number and credit card data to pay a bill (rather than having you create an account, log in, and then pay the bill) then it's likely they're dealing with a similar problem.

    5. Re:90% by Anonymous Coward · · Score: 2, Interesting

      They may have had an issue with people scripting that form to test credit card numbers.

      Online payment forms without a limit to the number of tries or a captcha are often used to test a list of CCs to filter out ones that have already been cancelled, reported stolen, were never good to begin with, etc.
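The two comments above describe payment forms being scripted to test card lists when nothing limits the number of tries. The sketch below is an added example, not code from the thread or from any site mentioned in it: a sliding-window limiter that separates a customer retrying one card from a source cycling through many failing cards. The thresholds, field names and log entries are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    ts: int         # epoch seconds
    source: str     # client IP or session id
    card_fp: str    # processor token or keyed hash of the card number, never the number
    approved: bool

class CardTestingGuard:
    """Sliding-window limiter; thresholds are illustrative assumptions, tune per site."""

    def __init__(self, window=600, max_cards=3, max_declines=5):
        self.window, self.max_cards, self.max_declines = window, max_cards, max_declines
        self._recent = defaultdict(deque)   # source -> attempts inside the window

    def record(self, a: Attempt) -> str:
        """Store an attempt (in time order); return the verdict for this source's next request."""
        q = self._recent[a.source]
        q.append(a)
        while q[0].ts <= a.ts - self.window:   # drop attempts older than the window
            q.popleft()
        many_cards = len({x.card_fp for x in q}) > self.max_cards
        many_declines = sum(not x.approved for x in q) >= self.max_declines
        if many_cards and many_declines:
            return "block"       # many different cards, most failing: card testing
        if many_cards or many_declines:
            return "challenge"   # ambiguous: require login or a CAPTCHA first
        return "allow"

def replay(log, guard=None):
    """Run a time-ordered log through a guard and return one verdict per attempt."""
    guard = guard or CardTestingGuard()
    return [guard.record(a) for a in log]

# Constructed sample log: one customer mistyping once, then one source trying 8 cards in 40 s.
SAMPLE_LOG = [
    Attempt(1000, "203.0.113.10", "fp-A", False),
    Attempt(1030, "203.0.113.10", "fp-A", True),
] + [Attempt(2000 + 5 * i, "198.51.100.7", f"fp-{i}", i == 5) for i in range(8)]

if __name__ == "__main__":
    for a, v in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(a.ts, a.source, a.card_fp, "approved" if a.approved else "declined", "->", v)
```

Keying on the source alone is the simplest case; the same window can be kept per invoice number or per account to catch attempts spread across many addresses.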

    6. Re:90% by jythie · · Score: 5, Funny

      And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^

  2. In other news... by Cyfun · · Score: 5, Funny

    I cured cancer, stopped global warming, and found the last missing episodes of Doctor Who.

    Just take my word for it.

    --
    In Soviet Russia, dot slashes YOU!
    1. Re: In other news... by jd2112 · · Score: 4, Funny

      I'll take your word for most of those but I need video proof of the lost Dr. Who episodes.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    2. Re:In other news... by chill · · Score: 2

      Haven't you ever lost anything? Your purse, your car keys? Well, it's rather like that. Now you have it, now you don't.

      Sean Connery talking about the cure for cancer in the 1992 flick Medicine Man.

      http://www.youtube.com/watch?v=gOQOpuD2b3M

      --
      Learning HOW to think is more important than learning WHAT to think.
  3. Better than humans by Manfre · · Score: 5, Funny

    I wish I could get CAPTCHAs right 90% of the time.

    1. Re:Better than humans by meerling · · Score: 5, Insightful

      Agreed. Heck, even those spammers that for years have been collecting databases of solved captchas for their bots do much better at those damn things than I do.
      And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took too long, and the damn thing wipes out all the fields forcing you to redo the entire page! Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.

    2. Re:Better than humans by doublebackslash · · Score: 3, Informative

      That is really lazy work on the programmer's part. It is trivial to use AJAX to submit the form and selectively wipe the captcha field whilst refreshing the captcha. That's what I do when we require a captcha for one reason or another.

      --
      md5sum /boot/vmlinuz
      d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
    3. Re:Better than humans by alexgieg · · Score: 3, Interesting

      And what really pisses me off is when you get a captcha wrong, either through incorrect entry or because it's decided you took too long, and the damn thing wipes out all the fields forcing you to redo the entire page!

      If there's a button to refresh the captcha I click it once to see what happens. If it reloads only the captcha then I take my time filling the form and when I'm finished click it once again, fill the captcha and submit. If however clicking the captcha reload button reloads the entire page, then notepad, reload page, copy-paste, submit it is.

      These two "algorithms" have allowed me to experience much less pain and frustration than I otherwise would have had.

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
    4. Re:Better than humans by Savage-Rabbit · · Score: 2

      Those sites I truly despise I hope their programmers/scripters get a horrible infestation of something nasty.

      Just mail them a bootlegged Windows 8 DVD.

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
  4. New security system ? by Lennie · · Score: 5, Insightful

    I'm sorry, but I don't consider CAPTCHA a security system.

    I would say it's an anti-spam system.

    --
    New things are always on the horizon
    1. Re:New security system ? by wagnerrp · · Score: 2

      No it doesn't. Putting rate limiters and account lockouts in place limits the frequency in which information can be submitted for authentication. All a CAPTCHA does is increase the cost of a brute force attack.

  5. I broke it a long time ago by key45 · · Score: 3, Insightful

    I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

    1. Re:I broke it a long time ago by Registered+Coward+v2 · · Score: 2

      I just re-serve the CAPTCHAs on my own popular website. Crowdsourcing for the win.

      That's the real problem with captchas. As long as you can hire people real cheap to brute force them how well a computer can do that is really just an interesting computational feat. I can create a test that says "Answer this: 1+3=" with instructions above it that say to answer with the name at the top of the blog; while a machine may be fooled a person who is served the entire web page can just as easily defeat that. If the gain from defeating a captcha is big enough someone will pay to brute force them.

      To make a real world analogy, we use shredders to destroy documents. However, if you can throw enough people together in a room over time they can recreate the document in many cases. It's only a question of whether the effort is worth the outcome.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  6. CAPTCHA isn't one system... by neminem · · Score: 4, Insightful

    This headline makes no sense. CAPTCHA is just a concept, there are hundreds of implementations. I'm sure some of them are crap and only block bots that aren't even trying, some block 100% of bots (and half the humans, too), and most are somewhere in the middle. So what does it mean to "solve CAPTCHA with 90% accuracy?" Does that mean he's tested it on every system out there, and aggregated the results? That would actually be interesting if he has, but more likely he's just tested it on one kinda-crap system that I could probably write a bot in a week to do the same thing.

    It does sound like it's built to be more robust, working with more different types of captchas than perhaps many captcha-busting algorithms, but I doubt it's the first of its kind (maybe it uses a new algorithm, but it's still a captcha-buster, that's not new.)

  7. Reverse CAPTCHA by Anonymous Coward · · Score: 3, Funny

    Time for the reverse CAPTCHA. If you can guess it correctly, you must be a bot.

  8. I believe the results are true by danielcolchete · · Score: 2

    From the video, I think they used mathematical optimization. Multiobjective vectorial optimization if I had to guess. The big breakthrough here is that instead of OCR'ing the image they tried to rerun the captcha construction algorithm controlling the random choices the algorithm makes. Each choice is a variable here. Then you implement a function that measures how close these variables get to the CAPTCHA image. Now you use optimization to get to the global minimum of this function.

    At least that is how I would have done it.

  9. Re:Captcha is a security system? by slim · · Score: 4, Interesting

    Security is often annoying. Entering passwords is annoying. Getting RSA keyfobs out of your pocket is annoying.

    When it's used to protect against brute force password attacks, a captcha is definitely a security mechanism.

    When it's used to discourage spam, well, it's on the edge of the fuzzy area most people understand by "security". It's protecting the availability of a service, against the threat of spam making it unusable.

  10. Semantic captchas? by davidwr · · Score: 4, Interesting

    [imagine this as a captcha graphic]
    Spell last month.

    Or this:
    [image]
    Type the one that flies:
    England Turkey Russia

    Or this:
    [image]
    Type the word for
    2 + number of days in a week

    Or just to confuse things, split the "challenge" into code + html:
    [image]
    2 + number of days in a week
    [html] What is the number above minus 4, as a word: ___

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Semantic captchas? by Anonymous Coward · · Score: 2, Insightful

      How do you generate these captchas automatically? Otherwise it's too expensive as you are not able to reuse any of them, or the spammers build a database.

    2. Re:Semantic captchas? by cdrudge · · Score: 2

      Spell last month.

      l-a-s-t m-o-n-t-h

      Type the one that flies:
      England Turkey Russia

      They can all fly (provided they make it through TSA screening)

      Type the word for
      2 + number of days in a week

      t-h-e w-o-r-d...nevermind. Already used that.

      This one would be trivial to beat if they have already solved the distorted image captcha.

      2 + number of days in a week
      [html] What is the number above minus 4, as a word: ___

      negative two (yeah I know, it's two words)

    3. Re:Semantic captchas? by Anonymous Coward · · Score: 4, Funny

      Or this:
      [image]
      Type the one that flies:
      England Turkey Russia

      "As God is my witness, I thought turkeys could fly"

  11. This does not mean advancements in AI by Anonymous Coward · · Score: 3, Insightful

    The summary suggests this marks an advancement in AI, but it depends on what AI means. There are generally two areas of AI: 1) artificial "thinking", and 2) Using advanced algorithms to get things done. Most people think about #1 when you say AI, however solving captcha is just an example of #2. I would argue that #2 really isn't "AI" at all. In fact, all advancements in "AI" are of type #2. Attempts at #1, thus far, have been absolute failures.

    1. Re:This does not mean advancements in AI by mrchaotica · · Score: 2

      We haven't even figured out whether #1 and #2 are actually different yet...

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:This does not mean advancements in AI by Alejux · · Score: 2

      Just because something is not a sentient general intelligence or something related to higher thinking, doesn't mean it's not AI. This algorithm works much of the same way we do when trying to identify visual patterns. It uses much more finesse and way less computing power than some of the previous attempts to do the same thing. To say that this is not an advancement in AI is wrong. This whole assumption that the same modules responsible for the higher level thinking needs to be responsible for all the other aspects related to vision and other sensory inputs makes no sense. The same way our brain has the somatosensory cortex doing most of the input processing for us, future AI's will have auxiliary systems providing their visual, auditory and haptic processing for them. This is a technology that can and probably will be applied to robots and other autonomous systems in the near future.

  12. Wonder what is next... by mlts · · Score: 2

    I sort of hope that the CAPTCHA-busting code is just vapor, and it doesn't get released.

    If it does come out and get into widespread use, what will likely result are websites likely going another step up the chain and doing more annoying stuff such as requiring access through Facebook, demanding a phone number for SMS authentication (of course, said number ends up getting sold to robodialers), or more intrusive means.

    I see some CAPTCHA replacement schemes like counting how many cat butts are facing a person in a row of six photos and inputting the number, but those seem at best a stopgap measure, and block out access to the site to the blind.

  13. Re:Okay, what's next? by stewsters · · Score: 2, Interesting
  14. Re:Wish there was some more information by marcello_dl · · Score: 4, Funny

    > Although "Recursive Cortical Network" sounds really cool, it would be nice to, you know, learn a bit about how it WORKS.

    It works just like the "Recursive Cortical Network", look it up.

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  15. How the spam industry solves CAPTCHAS now by Animats · · Score: 2

    If you read Black Hat World, you find that CAPTCHAs are a solved problem for spammers and fake account creators. The better systems run them through several OCR programs in parallel. That knocks off about 67% of them. There's a lot of special casing involved, but from the spammer's viewpoint, this is a solved problem. Getting from 67% to 90% would be convenient, but humans aren't at 90%. If all the OCR programs give up, the problem is sent to an outsourced service where low-wage people solve CAPTCHAs all day.

    The Black Hat forum system itself makes users play and win a short video game to lock out 'bots.

  16. In other news... by Iniamyen · · Score: 2

    First reliable text recognition software developed!

  17. Obligatory XKCD by bigdave42 · · Score: 2
  18. Alternately... by tlambert · · Score: 2

    Alternately... use the alternative audio and run speech recognition on it to solve the captcha.

    No one thinks outside the box any more...