Researchers Break Video Captcha Security Using Robot Vision
Rather than presenting users with a conventional static but scrambled series of letters and numbers, NuCaptcha's video version offers partially rotating text that also moves from left to right across the screen, in theory making it much harder for computer systems to reliably detect which elements of the image are the correct ones.
This has worked well - until now.
After converting the NuCaptcha videos into individual frames, the researchers removed the background image and turned the remaining letters into a black and white image to ease processing.
The team then used algorithms to nominate the most interesting objects in each frame, tracking these across frames as they changed. Next, they refined the number of objects by estimating the likely minimum size of the Captcha, subjecting the remaining ones to an algorithm designed to distinguish rotated letters from 'straight' ones.
Because the researchers had multiple frames for each Captcha they were trying to break - a feature of any Captchas that use video - they ended up with more data from which to do a complex pattern analysis using tools familiar to anyone from the field of machine or robotic vision.
Put another way, using the team's methodology, video Captchas were actually easier to beat than static ones because they offer more data from which to perform an analysis.
The team said its cracking technique worked between 80 percent and almost 100 percent of the time, depending on the analysis algorithms used to isolate Captcha letters from the moving field.
The researchers said they had worked closely with NuCaptcha during their research; the company has since offered a technical response to news of the attack on its technology.
"It is with combined efforts of researchers [...] that potential weaknesses are discovered and resolved, prior to them becoming practice by attackers. No single Captcha will defend against every possible attack," NuCaptcha said.
The Stanford team believes that NuCaptcha's video security could still be made to work.
"What we need to do is to remove every discriminative feature that the attacker can use to tell apart decoy moving objects and the real Captchas," the researchers suggest, most easily by introducing visual decoys to reduce the effectiveness of pattern-isolation algorithms. NuCaptcha was working on a new version of its system to do this, the researchers and company confirmed.
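One way a Captcha designer could audit for the "discriminative features" the researchers describe, such as the object size they used to narrow candidates, is to measure how well each feature alone separates real glyphs from decoys. This is an added example, not code from the researchers or NuCaptcha; the feature names, the 0.75 threshold and the sample measurements are all constructed assumptions.

```python
from itertools import product

# Constructed sample: per-object statistics measured across the frames of one
# rendered challenge. Feature names are hypothetical, not NuCaptcha's.
OBJECTS = [
    {"kind": "glyph", "area": 410, "frames": 30, "rot": 12},
    {"kind": "glyph", "area": 395, "frames": 28, "rot": 15},
    {"kind": "glyph", "area": 430, "frames": 30, "rot": 9},
    {"kind": "glyph", "area": 402, "frames": 29, "rot": 14},
    {"kind": "decoy", "area": 120, "frames": 29, "rot": 11},
    {"kind": "decoy", "area": 150, "frames": 30, "rot": 16},
    {"kind": "decoy", "area": 90, "frames": 28, "rot": 10},
    {"kind": "decoy", "area": 140, "frames": 30, "rot": 13},
]


def auc(pos, neg):
    """Chance that a random glyph value exceeds a random decoy value (ties = 0.5)."""
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0
               for p, n in product(pos, neg))
    return wins / (len(pos) * len(neg))


def separability(objects):
    """Per-feature score in [0.5, 1.0]: 0.5 = indistinguishable, 1.0 = fully separable."""
    scores = {}
    for feat in (k for k in objects[0] if k != "kind"):
        glyphs = [o[feat] for o in objects if o["kind"] == "glyph"]
        decoys = [o[feat] for o in objects if o["kind"] == "decoy"]
        a = auc(glyphs, decoys)
        scores[feat] = max(a, 1.0 - a)  # direction of the difference is irrelevant
    return scores


def leaky_features(objects, threshold=0.75):
    """Features that on their own tell glyphs from decoys; these need redesign."""
    return sorted(f for f, s in separability(objects).items() if s >= threshold)


if __name__ == "__main__":
    for feat, score in separability(OBJECTS).items():
        print(f"{feat:7s} separability={score:.2f}")
    print("redesign needed for:", leaky_features(OBJECTS))
```

In this constructed sample the decoys match the glyphs in tracking duration and rotation but are much smaller, so size alone gives them away.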
Captcha (completely automated public Turing test to tell computers and humans apart) is not seen as the security barrier it was once believed to be, but it remains an important technique for slowing systems that register bogus accounts with webmail providers in order to generate spam.
Constant attacks have caused some to question the underlying effectiveness of the whole technology. Only a fortnight ago, the Cridex banking Trojan was found to be able to break the static Captchas used by Yahoo to secure its webmail services.
However, Internet companies would rather have an imperfect system that beats automated systems some of the time than none at all.