Google's Audio CAPTCHA Falls To Automated Attack
SkiifGeek writes "Early in March, Wintercore Labs published proof of a generic approach to defeating audio CAPTCHAs, using Google's as the case study for their demonstration. With claims of over 90% success rate and expectations that this can be significantly improved with the right mix of filtering algorithms, the in-house tool remains unreleased. But it shouldn't take long for other developers to create their own tools and start targeting not only Google, but other sites that use audio CAPTCHAs for the vision-impaired. It isn't the first time that major sites (significantly major webmail providers) have had their CAPTCHAs broken, but it is the first reporting of defeating an audio CAPTCHA using a generic software approach. News about the discovery is slowly starting to spread."
More easier to detect a bot (Score:1, Interesting)
probably borrowing from IVR technology (Score:3, Interesting)
It was bound to happen (Score:3, Interesting)
Right from the start it was clear that audio captchas were theoretically easier to break than visual ones.
An image captcha is designed to require a mixture of perception and thought, but an audio one has to rely on pure perception, because it's temporary. You hear it then it's gone: you can't analyse it. This makes it infinitely less complicated than a video one.
It's only because of low uptake that it's taken so long for a true proof-of-concept attack.
HAL.
Re:Adapt the visual approach (Score:2, Interesting)
captchas are obsolete (Score:2, Interesting)
and for the sight-impaired, how about a read description or definition of something? "this thing is the entrance to a house or a room" => door
come on, web designer, it's not that hard to abandon those old and, above all, ANNOYING captchas
Are all audio CAPTCHAs failures? (Score:4, Interesting)
CAPTCHA technology has a long fight ahead (Score:2, Interesting)
This is especially true because the computer doesn't need a 100% success rate to effectively "break" the CAPTCHA. Heck, if the CAPTCHA gives you 3 tries before rejecting you, then a 30% success rate = fully broken.
For right now, they are still working their way through tasks that CAN be easy for computers, but no one has bothered with yet. This means that breaking the CAPTCHA is simply a matter of writing and tuning some algorithms.
I think the next step (but not the be-all/end-all of CAPTCHAs) will be a parallel approach. Give the person 4 visual or auditory CAPTCHAs, and require them to successfully solve 3 out of 4 to pass, preferably with some kind of relational puzzle regarding the answers, or at least a simple question...
EXAMPLE:
A typical obfuscated-word type CAPTCHA in 4-way parallel, the four words are KITTEN PIGLET PUPPY TOASTER, then you are asked, "Which of these is NOT a baby animal?"
Obviously this technique requires either a complete solution from the user (4/4 words correct), or requires the system to reveal the answers, which could lead to an attack based upon a dictionary-building system, which would require a massive database size (and/or a frequently updated database) to prevent.
There is room for some really innovative work in this field, as the battle will probably continue for quite a while, with ever-increasing computational speed making it more difficult.
In the end, it comes down to this:
There is nothing non-biological that every human can do but no computer can do.
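The two claims in this comment (a 30% solver with 3 tries is "fully broken", and a 3-of-4 parallel scheme raises the bar) can be checked with a short probability model. This is an added example, not code from the commenter or from Wintercore Labs; it assumes each challenge attempt is independent and uses the 90% and 30% figures from the thread.

```python
from math import comb


def pass_probability(p_single: float, tries: int = 1) -> float:
    """Chance that a solver with per-challenge success rate p_single
    gets through at least once in `tries` independent attempts."""
    return 1.0 - (1.0 - p_single) ** tries


def k_of_n_probability(p_single: float, k: int, n: int) -> float:
    """Chance of solving at least k of n independent challenges
    (binomial tail), i.e. the single-attempt pass rate of the
    'solve 3 out of 4' scheme proposed above."""
    return sum(
        comb(n, i) * p_single**i * (1.0 - p_single) ** (n - i)
        for i in range(k, n + 1)
    )


def parallel_pass_probability(p_single: float, k: int, n: int, tries: int) -> float:
    """Pass rate of the k-of-n scheme when the site also allows retries."""
    return pass_probability(k_of_n_probability(p_single, k, n), tries)


if __name__ == "__main__":
    # Defender's view: how much does each scheme actually cost the attacker?
    for p in (0.9, 0.3):  # 90% from the Wintercore claim, 30% from the comment
        print(f"solver accuracy {p:.0%}:")
        print(f"  single CAPTCHA, 3 tries : {pass_probability(p, 3):.1%}")
        print(f"  3-of-4, 1 try           : {k_of_n_probability(p, 3, 4):.1%}")
        print(f"  3-of-4, 3 tries         : {parallel_pass_probability(p, 3, 4, 3):.1%}")
```

The numbers show the parallel scheme hurts a weak (30%) solver a lot but barely slows a 90% solver, so it buys time only until the per-challenge accuracy climbs.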
Paid humans beat captchas (Score:2, Interesting)
A partial solution is to limit the services you offer based on how well you know them. Anonymous? Offer very limited services.
Anonymous but tied to an existing email address? Offer a bit more.
Authenticated by credit card, which could be stolen? Offer a bit more.
Authenticated by PO box? Offer more.
Authenticated by street address, driver's license number, and a notary? Assume they are legit, you can always sue the notary if they aren't.
Authenticated against an email address that you know has X degree of authentication? Treat them like they have X degree of authentication.
For email, USENET, and IM services, offer a relatively low limit on outgoing data for free services, charge $1/year to a credit card or checking account OR require a copy of a state-issued ID to remove the limit. Watch for multiple free accounts from the same person and give them a collective limit the same as a single free account.
Isn't this a good sign? (Score:1, Interesting)
Am looking forward to the first TRUE bot to post comments here...
Re:Adapt the approach (Score:0, Interesting)
Re:captchas are obsolete (Score:4, Interesting)
Re:It was bound to happen (Score:2, Interesting)
Note that you could make audio captcha require thought. Someone else mentioned asking questions that require specific answers, but that might be difficult to automate: you would need a corpus with thousands of questions that require one-word answers. Perhaps the best way to do that would be to get your hands on a database of crossword puzzles and randomly generate questions like "3 letter word for pet, beginning with 'C'". Exclude words that don't appear in a modestly-sized dictionary, exclude certain obscure words that appear in crosswords way more than normal English (like "adit"--a mine entrance), and make it easy for people to get a new clue if they're having trouble guessing the current one.
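One way to build the clue generator this comment sketches, as an added example rather than the commenter's own code: filter a crossword clue database against a modest dictionary, drop "crosswordese" that shows up far more often in grids than in ordinary English, and emit clues of the form "3 letter word for pet, beginning with 'C'". All data below is constructed for the demo.

```python
import random

# Constructed sample clue database: (answer, clue). Not real crossword data.
CLUE_DB = [
    ("cat", "pet"),
    ("dog", "pet"),
    ("door", "entrance to a house or a room"),
    ("adit", "mine entrance"),          # classic crosswordese
    ("oreo", "sandwich cookie"),        # another grid favourite
    ("zyxt", "obsolete form of 'see'"), # not in the modest dictionary
]

# Constructed "modestly-sized dictionary"; 'zyxt' is deliberately absent.
DICTIONARY = {"cat", "dog", "door", "adit", "oreo"}

# Constructed occurrences per million words: (in crossword grids, in general English).
FREQ = {"cat": (300, 200), "dog": (280, 220), "door": (150, 180),
        "adit": (400, 1), "oreo": (900, 5)}


def is_crosswordese(word: str, max_ratio: float = 20.0) -> bool:
    """True if the word is far more common in crosswords than in normal English."""
    grid, english = FREQ.get(word, (0, 0))
    if english == 0:
        return True  # never seen in general text: treat as obscure
    return grid / english > max_ratio


def usable_clues(db=CLUE_DB, dictionary=DICTIONARY):
    """Apply both exclusions the comment proposes."""
    return [(w, c) for w, c in db if w in dictionary and not is_crosswordese(w)]


def make_challenge(rng=random):
    """Return (prompt, expected answer); call again to give the user a new clue."""
    word, clue = rng.choice(usable_clues())
    prompt = f"{len(word)} letter word for {clue}, beginning with '{word[0].upper()}'"
    return prompt, word


def check_answer(expected: str, response: str) -> bool:
    """Case- and whitespace-insensitive comparison of the user's answer."""
    return response.strip().lower() == expected.lower()
```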