Handcrafted: Researchers at the State University of New York (SUNY), in Buffalo, have developed a CAPTCHA that mimics human handwriting and is distorted in one of several ways, in order to foil spambots.
Achint Oommen Thomas
Can simulated handwriting stop the spambots from getting through?
In the battle to beat the spambots, a new weapon has been developed that exploits the difficulty that computers have with recognizing joined-up handwriting. The hope is that switching from text-based verification systems to systems that use computer-generated handwriting will make many Web services more secure.
Developed by researchers at the State University of New York (SUNY), in Buffalo, the system is a variant of a commonly used challenge-response technique called a CAPTCHA (completely automated public Turing test to tell computers and humans apart). This kind of test is designed to be easy for humans but nearly impossible for machines to pass, so that automated programs cannot generate new accounts for nefarious purposes like sending out spam.
Most CAPTCHAs work by displaying images of randomly generated text that has been distorted to make it difficult for optical character recognition (OCR) programs to read, without making it illegible to humans. To pass the test and gain access, users simply reenter the text that they have read.
The trouble is that OCR software is improving steadily, making it possible for spambots to sometimes pass these tests. "It's an arms race," says Achint Oommen Thomas, one of the computer scientists who developed the new system. "Every CAPTCHA that exists today has already been broken."
Just last year, a character-based CAPTCHA developed by Microsoft and used widely for services like Hotmail, MSN, and Windows Live was broken by Jeff Yan and his colleagues at Newcastle University, in the U.K. Microsoft had previously claimed that the CAPTCHA would only let one in 10,000 machine attempts through, but Yan was able to demonstrate that his attack succeeded 60 percent of the time.
Microsoft has since enacted improvements that have made the service much more secure. Even so, Oommen Thomas believes that automatically generating joined-up handwriting could further raise the bar. His system, developed with colleagues Amalia Rusu and Venu Govindaraju, generates words by selecting characters, all handwritten, from a public database of 20,000. Algorithms are then applied to identify important control points within the characters--the key loops and arches that make the letters and numbers recognizable--before other algorithms distort the characters and link them so that they appear joined up. "We distort them randomly but make sure that they are within set limits; otherwise, they become illegible to humans," says Oommen Thomas.
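The bounded-distortion and linking step described above, as an added example (not the SUNY researchers' code): the glyph control points, the Gaussian jitter and the `max_shift` limit are all assumptions made for illustration.

```python
import math
import secrets

rng = secrets.SystemRandom()  # OS CSPRNG, so a bot cannot predict the distortion

# Constructed control points (x, y) per character; a real system would take
# them from handwritten samples. These three glyphs are illustrative only.
GLYPHS = {
    "c": [(0.9, 0.8), (0.5, 1.0), (0.1, 0.5), (0.5, 0.0), (0.9, 0.2)],
    "a": [(0.8, 0.9), (0.3, 1.0), (0.1, 0.4), (0.6, 0.0), (0.8, 0.9), (0.9, 0.0)],
    "t": [(0.5, 1.6), (0.5, 0.2), (0.9, 0.0)],
}

def distort(points, max_shift=0.12, sigma=0.08):
    """Jitter each control point, clamping its displacement to max_shift."""
    out = []
    for x, y in points:
        dx, dy = rng.gauss(0, sigma), rng.gauss(0, sigma)
        d = math.hypot(dx, dy)
        if d > max_shift:  # outside the legibility limit: pull back onto it
            dx, dy = dx * max_shift / d, dy * max_shift / d
        out.append((x + dx, y + dy))
    return out

def render_word(word, max_shift=0.12, advance=1.1):
    """Return (stroke, worst_shift) for the word.

    stroke is ONE polyline: each glyph's last point runs straight into the
    next glyph's first point, so the characters appear joined up.
    """
    stroke, worst = [], 0.0
    for i, ch in enumerate(word):
        base = GLYPHS[ch]
        moved = distort(base, max_shift)
        worst = max(worst, *(math.dist(p, q) for p, q in zip(base, moved)))
        stroke.extend((x + i * advance, y) for x, y in moved)
    return stroke, worst

if __name__ == "__main__":
    stroke, worst = render_word("cat")
    print(len(stroke), "points, largest shift", round(worst, 3))
```

The clamp is what keeps a random draw from pushing a loop or arch so far that the character stops being readable; the limit value itself would have to be tuned against human readers.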
Guest (jfrank)
That is brilliant! Human and social engineering will beat software every time...
I wonder how long it will be until we see that technique in widespread use?
Even this advance in Captcha can be defeated with improved OCR. I prefer systems where subtle or hidden info must also be conveyed.
A two factor Turing test would defeat more human users. "Hidden" meaning is quite often education and culture specific.
And, software that solves for the first factor, the text itself, would then pass the result off to software to solve the second level. Much work is being done to enable software to extract semantic meaning from text (Autonomy, Nomino, etc.).
Two factor CAPTCHAs also do nothing to defeat the human "will solve CAPTCHAs for porn" crowd.
I'm sorry I can't be more optimistic. It may be that in order to have an anonymous online persona, we must accept systems for centrally creating and tracking the persona's reputation.
Using mental tricks that would probably fool most bots
I know that spammers would probably eventually find a way around these, too, but what if a CAPTCHA used a sort of CAPTCHA image to ask a user to solve a very simple question.
Like "what are the 3rd and 5th characters in the image below?", or something like that. Where the question is in a fairly simple to read CAPTCHA and the image to select the characters from, are perhaps a bit harder to read. This might actually be easier for most humans and harder for bots.
Another thought is to use the human mind's propensity to assume what a word is based on the first and last characters and the number of characters in between. What I mean is this. Msot popele wlil be albe to raed smeotinhg qitue esiely eevn wehn the carhatecrs are jbmlued up. This could either be used to ask the question, or perhaps the CAPTCHA could make sure the first and last letters of a word are fairly easy to read and really make the inside letters much more difficult to read. Close enough is likely to help most people figure out the word, but it would be more difficult for a bot.
User-friendly CAPTCHA alternative
The tests used to tell humans from bots have to be easy on users (from all walks of life) and effective against computer programs to really address the SPAM bot problem. The "hand-writing style" CAPTCHA examples in this article make me wince... I'm unsure I would solve ANY of those and would leave the site without registering for their service, posting a comment etc - annoyed... Pardon the plug, but there is a more effective way. http://demo.vidoop.com/captcha/ Feedback is invited.
Nostromo
CAPTCHA, the lost strategy
The same algorithm breaks all CAPTCHAs. Here it is:
1. Set up an "adult" site with lots of porn
2. Let anyone into it provided they solve a CAPTCHA copied from the website your bot wants to break into.
Why bother with expensive, complicated pattern-recognition software when human labor is free?