Captchas cracked in under a minute
Sixty-second crack attack
MOST INTERNET USERS have slowly become accustomed to the eye-squinting, headache-inducing CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) that grace almost every site login nowadays. But it seems that the melty-looking letters aren't causing too much of a problem for the malicious bots they're supposed to protect against, with some estimates saying that it can take them as little as 60 seconds to crack the code.
Back in February, hackers managed to crack Windows Live Hotmail's CAPTCHA wide open. The incident might have made Google snigger, if it weren’t for the fact that Gmail’s CAPTCHA was cracked just a short while later.
And now the scaremongers at Websense Security Labs reckon that bots are getting so good at cracking CAPTCHAs that they can make out the text and take a stab at it in less than six seconds, which is better than most humans. In practical terms, this means that bots, which tend to have a 10 to 15 per cent success rate on each attempt, are able to open about one email account a minute per bot. That's an astounding 1,440 accounts a day, according to Ars Technica.
Once they have opened an account, the fun really starts for the infectious little CAPTCHA crackers. Armed with a Gmail or Hotmail address, they can spam away to their little bot-hearts' content, luring more and more people into their poisonous web.
Improving the current CAPTCHAs won't really help the situation much either, as hackers seem to just chew them up and spit them out in next to no time. So what are we to do? Well, apparently techies haven't yet come up with a workable plan, so until they do, enjoy your daily lottery wins. µ
Comments
What to do?
Get everyone using "ReCaptcha" then at least these nasty little bots will be doing something useful.
How About...
A click the moving object flash animation?
pictures?
Easy. A picture with three answers.
Picture of a cat. Not an outline drawing, but a full-colour real-life picture so computers can't take shortcuts.
For a castle you would need to type in three answers.
castle,
mansion
building
windows
door
property
etc., etc. So you describe three things, or ways, in that pic. Not colours.
Bots Win
"Get everyone using "ReCaptcha" then at least these nasty little bots will be doing something useful." But since the bots fail most of the time, the bots would be tainting the results.
From ReCaptcha's site:
But if a computer can't read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here's how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.
Using pictures is also pointless because of the limited number of pictures available for use. You can't recycle them, because if you do, the bots will just store them and ask each other if they've seen that picture before, and which answers worked and which didn't.
Each bot could store a few thousand pictures, and could store them as greyscale, or at a lower resolution (as long as they all do the same thing, it won't matter) to save space.
It then becomes an arms race: we will see little duckies and kitties with scrambled noise all over them. The random noise will be added when the sign-up page is requested, so the bots can't play the store-and-match game.
You then have to add your usual "I'm blind, read it out for me" link. And since they're so unreadable, most big sites give you a link to show a new captcha. Bots could just spam that link and store thousands of captchas.
Might as well just have people call a toll free number, key in an ID code shown on the screen, and then type in the response code the bot on the other end reads you. You can even do this with text messaging (so you got your blind and deaf covered).
Any spammers can be more easily traced via phone numbers.
Or, you could just limit account sign ups to 4 per 24 hours per IP, and 10 per month per IP. People with a single IP for a lot of people, or dynamic IPs that actually change, would be redirected to a live chat with a rep, for a true Turing test.
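The reCAPTCHA control-word scheme quoted in this comment (one word the server already knows paired with one that OCR failed on), as an added worked example in Python. This is my own illustration, not reCAPTCHA's code: the image ids and words are constructed, the three-answer agreement threshold is an assumption, and matching is done case-insensitively. The point it shows is the one the commenter makes: a bot that fails the control word (the common case) never gets its guess for the unknown word recorded, so it cannot taint the corpus.

```python
from collections import Counter, defaultdict
import random

AGREEMENT_THRESHOLD = 3   # assumption: agreeing answers needed before an unknown word is trusted


def normalise(text):
    """Compare answers case-insensitively and ignore surrounding whitespace."""
    return text.strip().lower()


class ReCaptchaServer:
    """Server side of the two-word scheme: one control word (answer known) and
    one unknown word (OCR failed). The client sees both images but is not told
    which is which."""

    def __init__(self, known, unknown, seed=7):
        self.known = dict(known)            # image id -> trusted transcription
        self.unknown = set(unknown)         # image ids still awaiting a transcription
        self.votes = defaultdict(Counter)   # image id -> Counter of answers from passing users
        self.rng = random.Random(seed)

    def issue(self):
        """Build a challenge. Once every unknown word has been resolved, a known
        word fills the second slot so the server can still hand out challenges."""
        control = self.rng.choice(sorted(self.known))
        pool = sorted(self.unknown) or sorted(self.known)
        return {"control": control, "unknown": self.rng.choice(pool)}

    def verify(self, challenge, answers):
        """answers maps image id -> text the user typed. Returns True when the
        user solved the control word. Only then is the answer for the unknown
        word recorded, so a failing bot never influences the corpus."""
        control, unknown = challenge["control"], challenge["unknown"]
        if normalise(answers.get(control, "")) != normalise(self.known[control]):
            return False
        if unknown in self.unknown:
            self.votes[unknown][normalise(answers.get(unknown, ""))] += 1
            self._promote_if_agreed(unknown)
        return True

    def _promote_if_agreed(self, image_id):
        """Trust an answer once AGREEMENT_THRESHOLD users gave it and it holds a
        clear majority, which absorbs the odd lucky bot that passed the control."""
        tally = self.votes[image_id]
        answer, count = tally.most_common(1)[0]
        if answer and count >= AGREEMENT_THRESHOLD and count * 2 > sum(tally.values()):
            self.known[image_id] = answer
            self.unknown.discard(image_id)


def run_simulation(n_humans=6, n_bots=50, bot_hit_rate=0.15, seed=1):
    """Constructed workload: humans read both words, bots guess each word with
    roughly the per-attempt success rate the article quotes. Returns (server, stats)."""
    rng = random.Random(seed)
    truth = {"img1": "castle", "img2": "mansion", "img3": "window", "img4": "door"}
    server = ReCaptchaServer(known={"img1": "castle", "img2": "mansion"},
                             unknown={"img3", "img4"})
    stats = Counter()
    for i in range(n_humans + n_bots):
        ch = server.issue()
        is_human = i < n_humans
        if is_human:
            answers = {k: truth[k] for k in ch.values()}
        else:
            answers = {k: (truth[k] if rng.random() < bot_hit_rate else "xyzzy")
                       for k in ch.values()}
        if server.verify(ch, answers):
            stats["human_pass" if is_human else "bot_pass"] += 1
    return server, stats


if __name__ == "__main__":
    server, stats = run_simulation()
    print(stats, "resolved:", server.known)
```

The majority test in `_promote_if_agreed` is the piece that handles the commenter's objection: a bot that gets lucky on the control word does cast one vote, but it is outnumbered before the word is promoted.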
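The per-IP sign-up cap suggested at the end of this comment (4 per 24 hours, 10 per month), as an added Python example of my own, not code from the page or from any product. It takes "per month" to mean a rolling 30-day window and returns "escalate" instead of a flat refusal when a cap is reached, which is where the hand-off to a live representative would go; the timestamps and addresses are constructed. The caveat a practitioner would add is the one the comment itself hints at: a NAT address shared by many people, or a dynamic address that really changes, makes a pure per-IP count both too strict and too lax, so it is a throttle, not a Turing test.

```python
import time
from collections import defaultdict, deque

DAY = 24 * 3600
MONTH = 30 * DAY          # assumption: "per month" as a rolling 30-day window


class SignupLimiter:
    """Counts accepted sign-ups per source IP and escalates (to a human) once
    either window is full. Only accepted sign-ups are recorded, so a stream of
    escalated attempts does not extend the lock-out."""

    LIMITS = ((4, DAY), (10, MONTH))   # (max accepted sign-ups, window in seconds)

    def __init__(self):
        self.history = defaultdict(deque)   # ip -> timestamps of accepted sign-ups

    def attempt(self, ip, now=None):
        now = time.time() if now is None else now
        q = self.history[ip]
        # Forget anything older than the longest window so memory stays bounded.
        while q and now - q[0] >= MONTH:
            q.popleft()
        for limit, window in self.LIMITS:
            recent = sum(1 for t in q if now - t < window)
            if recent >= limit:
                return "escalate"
        q.append(now)
        return "allow"


if __name__ == "__main__":
    lim = SignupLimiter()
    for _ in range(5):
        print(lim.attempt("198.51.100.7"))   # constructed address: four "allow", then "escalate"
```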
I hate captchas.
Let's just round up all these people and get them to write some optical character recognition software. That crap never works.
A picture is worth 1000 words
Is that Door, door, DOOR, DOORS, Doors, doors? Not sure exactly which one you want me to answer with your picture, but the current case-sensitive ones get me; I give up and use a real e-mail address.
uuuueme for the win (I received the same inq pic twice in a row!)
Audio and animation
Everyone has sound these days. Use a sound file with slight distortions of someone (animated voice?) reading a code. If they don't have audio, then animated scrolling text with some kind of flashing or effect distorting the text at times.
Cracked
Hi, I am a bot.
Re. Pictures
Far from being "easy", this could be less effective than the current method. Yes, in terms of creating a program to read and comprehend the image it would be many times more difficult.
However, the implication is that there would be some database of images and their related solutions. This creates an obvious finite limit on the number of possibilities that could be displayed. And what's to stop the caching of all these images, resulting in simple image comparison, as opposed to the more complicated current method, which has a much larger, though still finite, number of permutations?
Given a large enough database of pictures you could certainly slow down the automation, but foil it, it would not.
My solution...
Set up a "dummy" form field, then hide it from your users with CSS using display: none. Bots don't understand CSS, or at least aren't going to spend time parsing your CSS, so they won't know that your dummy field isn't visible. When you go to process the form, simply discard the ones with the dummy field filled in.
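The hidden-field ("honeypot") check described in this comment, as an added example in Python; it is my own illustration, not the commenter's code. The field name, the form markup and the two request bodies are constructed for the example. Two details matter in practice: the hiding rule lives in an external stylesheet rather than an inline style attribute, so a scraper has to fetch and apply the CSS to learn the field is invisible, and the field carries autocomplete="off", tabindex="-1" and aria-hidden so that browser autofill and screen readers leave it alone. The check stops only form-fillers that do not render CSS; a headless browser sees the field is hidden and skips it, so it belongs alongside rate limits rather than instead of them.

```python
from urllib.parse import parse_qs

HONEYPOT_FIELD = "website_url"   # assumption: an innocuous-looking name a bot is likely to fill in

# Markup a real sign-up form would render. The wrapper is hidden by a class in an
# external stylesheet (STYLESHEET below), not by an inline style attribute.
FORM_HTML = f"""
<form method="post" action="/signup">
  <label>Username <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty
      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Sign up</button>
</form>
"""
STYLESHEET = ".hp-wrap { display: none; }"


def parse_form(body):
    """Decode an application/x-www-form-urlencoded request body into {field: value}.
    keep_blank_values matters: a real browser sends the honeypot as an empty string."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_bot_submission(fields):
    """A human browser submits the hidden field empty (or, on an odd client, not at
    all); anything non-blank in it means the form was filled without rendering the CSS."""
    return fields.get(HONEYPOT_FIELD, "").strip() != ""


def handle_signup(body):
    """Process one sign-up request body. Trapped submissions are discarded but
    answered like a success, so the bot does not learn which field tripped it."""
    fields = parse_form(body)
    if is_bot_submission(fields):
        return ("discarded", None)
    return ("created", fields.get("username", ""))


# Constructed request bodies, as a browser and a naive form-filler would send them.
HUMAN_BODY = "username=alice&password=hunter2&website_url="
BOT_BODY = "username=bot42&password=x&website_url=http%3A%2F%2Fspam.example"

if __name__ == "__main__":
    print(handle_signup(HUMAN_BODY))   # ('created', 'alice')
    print(handle_signup(BOT_BODY))     # ('discarded', None)
```

Return the same HTTP response for both outcomes; a distinguishable error page turns the honeypot into an oracle the bot author can test against.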
In one word...
Kittenauth. After installing it in my forums I went from 20 spammers a day to one in 6 months.
Well, good
Now that they're being broken this easily by computers, can we get rid of them? Some of them have gotten so silly that it takes me (as a human) five tries to get it.
But...
Didn't Gmail have the CAPTCHA problem pretty much solved with the "only by invitation" thing? No bot-created email accounts 'cause there's nowhere to sign up? Either way, it seems that there would be many other simple(ish) ways to foil these bots. Craig's example, for... uh... instance.
moving animation, noooo!
"A click the moving object flash animation?" Yeah, like that'd work. I see enough of the "smack the monkey on the head to win one bazillion dollars" animated flash obscenities already that I will just jump with joy seeing another one!
If this were not bought...
Instead of trying to fight against those who want us to do something (buy, read, visit...), why don't we just start to boycott them by not fulfilling their request (don't buy this brand, don't read this article, don't visit this site) and let the ones who are paying the price (those who are not bought, read or visited) fix the problem by stopping their spamming or by suing the spammers. If this were not bought, then this were not sold...
spam filtering
Simple solution: get yourself an anti-spam filter that works... The most ironic thing is that I had to enter a captcha to post this LOL.