February 22, 2012 report
Stanford research team cracks animated NuCaptcha
(PhysOrg.com) -- The research team from Stanford University, led by Elie Bursztein, that previously had cracked regular CAPTCHAs and then audio CAPTCHAs, now has also successfully cracked the animated version called NuCaptcha. Bursztein details how the team did it and offers suggestions on how to improve them in a post on his blog.
CAPTCHAs, as most are aware, are little boxes with numbers and/or letters displayed in them that users who wish to gain entry to a web site must decipher and type in correctly in order to gain access. They are used as barriers against bots that seek to gain entry for other purposes. Originally it was hoped that CAPTCHAs would prove to be sufficiently strong enough to keep out most any bot; unfortunately, as hackers found more reasons to overcome them (to view a video on YouTube millions of time, for example to pump up ad revenue) more ways were created to do so. To overcome this, security experts came up with audio and video (animated) versions. It didn’t take long for the research team at Stanford to crack the audio version, and now they’ve announced that they have done the same for the video version, though they suggest with a little tweaking, the video version might be made strong enough to ward off most bot attacks.
NuCaptcha differs from regular CAPTCHA in that the letters and/or numbers are made to move across the window box, like a ticker-tape. To make things even more challenging, the letters and/or numbers are also partially rotated as they move.
To crack them, the team created software that takes multiple snapshots of the NuCaptcha image over time which allowed for still image analysis. Once the software believed it had the full message in a frame, the resultant image was turned to black and white and the background removed to make deciphering the code easier. After that, character analysis software was used to break down the individual numbers and letters. Then, all that was left to do was knit them together as typewritten text and enter the whole string into the input box. Bursztein says the process is ninety percent accurate.
He also writes that cracking NuCaptcha was harder in some respects than cracking the original CAPTCHAs due to the moving characters. But he says it was also easier in another way, because in creating multiple frame captures there was more data to work with which allowed for performing multiple guesses against the same coded characters before actually submitting the final guess to the system. He also says that NuCaptcha could likely be made more difficult to crack if more decoys were added to the coded characters, which the makers of NuCaptcha are planning to do.
The team from Stanford didn’t strike out of the blue however, they have been working with the NuCaptcha team for several months so that improvements could be made before hackers got wind of the means by which they could crack the older version.
© 2011 PhysOrg.com