Researchers at the Stanford Security Lab announced last week that they had developed a means of consistently cracking NuCaptcha’s video Captcha identity verification system.
Video Captcha streams display slightly distorted letters in motion. Website programmers can embed the streams in a site and ask visitors to type out the letters, proving that the user is a human and not an automated program, or ‘bot.’ The researchers devised a method by which a bot, the kind of program also frequently used to create automated email accounts for spamming, successfully passed the Captcha security test in over 90 percent of the challenges it faced.
“How fun would it be to interact with [a] robot on Twitter or Facebook?” former Security Lab researcher Elie Bursztein wrote in an email to The Daily. Bursztein was a post-doctoral research fellow in the lab while the video Captcha research took place.
The Security Lab team used a combination of motion tracking, image analysis and machine-learning algorithms to crack the video Captcha system. According to a blog post that Bursztein wrote chronicling the team’s efforts, motion tracking allowed the team to isolate frames of the video Captcha in order to track and analyze the words displayed.
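A minimal sketch of what that frame-isolation stage might look like, assuming an OpenCV-based pipeline; the blog post does not publish the lab’s code, so the background-subtraction approach and the file name below are illustrative assumptions rather than the team’s actual method:

```python
import cv2

def extract_moving_regions(video_path):
    """Yield (frame, foreground_mask) pairs in which moving objects,
    such as drifting Captcha letters, stand out from the static background."""
    capture = cv2.VideoCapture(video_path)
    # MOG2 models the static background, so moving text shows up as foreground.
    subtractor = cv2.createBackgroundSubtractorMOG2(history=50, varThreshold=16)
    while True:
        ok, frame = capture.read()
        if not ok:
            break
        gray = cv2.cvtColor(frame, cv2.COLOR_BGR2GRAY)
        mask = subtractor.apply(gray)
        yield frame, mask
    capture.release()

if __name__ == "__main__":
    # "captcha.mp4" is a placeholder file name, not an actual NuCaptcha stream.
    for index, (frame, mask) in enumerate(extract_moving_regions("captcha.mp4")):
        cv2.imwrite(f"frame_{index:03d}_mask.png", mask)
```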
Image analysis was used to determine which objects in the frame were the most interesting, focusing on objects that fit the expected width-height ratio for Captcha text and displayed more edges or corners than other objects in the frame (due to the Captcha letters’ independent rotation). The objects were then cross-referenced with other interesting objects across numerous frames, leaving the computer with many different iterations of the same Captcha.
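In code, that filtering step could look roughly like the following, again assuming OpenCV; the aspect-ratio bounds and the corner detector used here are illustrative guesses, not the team’s actual parameters:

```python
import cv2

def find_candidate_text_regions(mask, min_ratio=2.0, max_ratio=8.0):
    """Return bounding boxes of foreground blobs that look like Captcha text,
    ranked by how many corners they contain."""
    contours, _ = cv2.findContours(mask, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
    candidates = []
    for contour in contours:
        x, y, w, h = cv2.boundingRect(contour)
        if h == 0:
            continue
        ratio = w / h
        if not (min_ratio <= ratio <= max_ratio):
            continue  # wrong shape for a short string of letters
        region = mask[y:y + h, x:x + w]
        # Independently rotated letters produce many corners; count them
        # with Shi-Tomasi corner detection.
        corners = cv2.goodFeaturesToTrack(region, maxCorners=100,
                                          qualityLevel=0.01, minDistance=3)
        corner_count = 0 if corners is None else len(corners)
        candidates.append((corner_count, (x, y, w, h)))
    # Prefer the regions with the most corners.
    candidates.sort(reverse=True)
    return [box for _, box in candidates]
```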
The letters in the Captcha can then be deciphered in one of three ways: by trivial separation, if a frame exists in which the letters do not overlap; by a computerized “voting decision” that determines the most probable set of letters; or by using motion tracking to identify which points on the Captcha object move together across separate frames, which can then be mapped onto the individual letters.
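The “voting decision” in particular is easy to illustrate: given a noisy reading of the Captcha from each frame, take the most common character at every position. The per-frame guesses in this sketch are invented for demonstration:

```python
from collections import Counter

def vote_on_captcha(per_frame_guesses):
    """Combine noisy per-frame readings into a single most-probable string."""
    length = max(len(guess) for guess in per_frame_guesses)
    result = []
    for position in range(length):
        votes = Counter(guess[position] for guess in per_frame_guesses
                        if len(guess) > position)
        result.append(votes.most_common(1)[0][0])
    return "".join(result)

# Example: three noisy readings of the same moving Captcha.
print(vote_on_captcha(["W4VES", "WAVES", "WAVE5"]))  # -> "WAVES"
```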
Matthieu Martin, a researcher at the Security Lab, wrote in an email to The Daily that he added video elements into Decaptcha, the software that the lab had previously used to break simple image and audio Captchas, in order to crack video Captchas.
In his blog post, Bursztein emphasized that cracking a video Captcha was more difficult than cracking a simple image Captcha because of the motion tracking it required. He noted, however, that once the motion tracking was in place, the program’s accuracy was higher because it could reference multiple iterations of the same Captcha.
“No single Captcha will defend against every possible attack,” NuCaptcha, the software development company that created both the simple image Captcha and the video Captcha authentication systems, wrote in a statement responding to the research team’s blog post. “Our strategy is to develop a collection of responses and, as appropriate, to deploy them to individual users instead of presenting a single rigid defense.”
In the statement, NuCaptcha said that the research had suggested ways of improving Captcha systems, including altering the appearance of each letter in adjacent frames of the Captcha and varying the length of the code string that lies behind the Captcha’s appearance in the video stream. The Stanford team shared its research with NuCaptcha several weeks in advance of public disclosure.
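To illustrate the first suggestion, a Captcha generator might re-render every letter with a slightly different rotation in each frame, so that successive frames no longer hand an attacker clean extra copies of the same letter shapes. The sketch below uses the Pillow imaging library; the code string, font and jitter range are illustrative assumptions, not NuCaptcha’s implementation:

```python
import random
from PIL import Image, ImageDraw, ImageFont

def render_frame(code, frame_index, size=(300, 100)):
    """Render one video frame, drawing each letter with its own random tilt."""
    frame = Image.new("RGB", size, "white")
    font = ImageFont.load_default()
    x = 20 + frame_index  # letters drift slowly across the stream
    for letter in code:
        # Each letter gets a fresh random rotation on every frame.
        tile = Image.new("RGBA", (40, 60), (0, 0, 0, 0))
        ImageDraw.Draw(tile).text((10, 10), letter, fill="black", font=font)
        tile = tile.rotate(random.uniform(-25, 25), expand=True)
        frame.paste(tile, (x, 20), tile)
        x += 45
    return frame

# "K7XPA" is a made-up code string; 30 frames stand in for a short video clip.
frames = [render_frame("K7XPA", i) for i in range(30)]
```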
“In my opinion…their biggest flaw was to use the same kind of protection image Captchas use (lines, distortion, etc.),” Martin wrote. “They should concentrate on video based protections, but I’m pretty sure [Bursztein] had this discussion with Nucaptcha’s team already.”