CAPTCHA Is Dead. Long Live CAPTCHA!

CAPTCHA has been broken many times before. Yet even an effective new method of cracking it will do nothing to dampen CAPTCHA’s popularity, says Tom Brewster

These ears have heard some bold claims coming from newbies in the security community recently. Just last week, a new service called Biocryptology launched, saying it could eliminate identity fraud, with some unbreakable biometric technology. Its chairman even claimed it was the Internet form of a cure for cancer. Such bombast only leads to suspicion that something is not quite right.

And today, I hear from artificial intelligence startup Vicarious that CAPTCHA, a Turing test designed to tell if a user is human or a bot, is officially broken. Its algorithms, inspired by the human brain, have achieved a success rates up to 90 percent on modern CAPTCHAs. That means when confronted by those weird-shaped letters and numbers, Vicarious’ system can correctly identify them nine out of ten times.

CAPTCHABreaking CAPTCHA

This impressive feat, the first example of the young company’s Recursive Cortical Network (RCN) technology, means that protections used by Google, PayPal, Yahoo and many others are “no longer effective” Turing tests, according to Vicarious.

“Vicarious has a long-term strategy for developing human level artificial intelligence, and it starts with building a brain-like vision system. Modern CAPTCHAs provide a snapshot of the challenges of visual perception, and solving those in a general way required us to understand how the brain does it,” said Vicarious co-founder Dr Dileep George.

Annoyingly, the company isn’t going public with how its technology breaks CAPTCHA and reCAPTCHA, which requires the user to look at two sets of letter and digits. That in itself provides us with enough reason to remain calm about the potential for bot armies to flood popular Internet services.

But, as has been proven many times, CAPTCHA can be bypassed in a number of ways. You can even find a big list of them here.

Malware types continue to add CAPTCHA-cracking capabilities, the efficiency of which continue to improve. In some cases, CAPTCHA images have been sent back to crooks sitting on the command and control end to be quickly dealt with, as seen in some Android malware last year. A banking Trojan, Cridex, was also spotted in 2012 using a CAPTCHA-breaking server as its spamming module sought to create email accounts.

Despite all this, CAPTCHA remains hugely popular. According to Google, “about 200 million CAPTCHAs are solved by humans around the world every day”. “CAPTCHA is still an effective method to quickly validate that a human is the one conducting the transaction,” Carl Leonard, security research manager at Websense, tells me.

“Until abuse of automated CAPTCHA algorithms is prevalent I don’t think we have seen the end of text-based CAPTCHA just yet.”

And let’s not forget that innovation has been ongoing with CAPTCHA, even if it is still flawed.  Some implementations rely on images rather than text, asking the user to describe whatever content appears in front of them. Perhaps Vicarious’ announcement will spur on acceptance of that method.

But don’t be surprised if little changes and you’re still pestered by CAPTCHA when the web services you use get suspicious. CAPTCHA has a long, long life ahead of it.

 How well do you know Internet security? Try our quiz!