Video Captchas are (kinda) easier to defeat than other types
By Matthew DeCarlo
The Stanford team that developed "deCaptcha" to bypass audio and text versions of NuCaptcha's anti-bot scheme has cracked the video prompts too. In a detailed article, security expert Elie Bursztein explains how he and his colleagues defeat video Captchas with a >90% success rate using deCaptcha with other software.
Unlike standard Captchas, video Captchas move – naturally. That animation is supposed to stump bots, as they don't know which shifting pixels to process. However, with a little ingenuity, focusing on the relevant text becomes trivial, and in some ways video Captchas are easier to circumvent than static text images, says Bursztein.
Bypassing video Captchas is straightforward: you obtain the video, extract each frame, convert the frames to black and white so they're simpler to analyze, find the Captcha's text and then decode it. All of this can be automated, and the report notes that the early steps can be easily accomplished using commonly available software.
The final recognition stage is easier to accomplish on video Captchas because the animation provides multiple samples of text to analyze, thus increasing the success rate. The trickiest part seems to be choosing the right object to examine. The researchers outlined two methods they've found to discern relevant text from irrelevant.
"First, we look at the bounding box shape ratio width/height. Because the Captcha is four letters long, we use a heuristic that the bounding box must have a width/height ratio of greater than one," wrote Bursztein. Then it's a matter of discarding boxes outside a certain threshold, which can be determined from a couple of Captchas.
"Second, we look at the SIFT interest points density by bounding box. As visible on the screenshot above, the Captcha bounding box contains more interesting points than the other boxes. [This happens because] Captcha letters are rotated independently and therefore have more 'edges/corners' than straight letters," he continued.
It's worth noting that the Stanford team didn't spontaneously railroad NuCaptcha with these findings, having informed the company about the attack last November. The researchers offered suggestions on improving video Captchas, such as adding moving decoys. NuCaptcha's two-page reply can be read here (.docx).