Video CAPTCHAs have been touted by their developer, NuCaptcha, as the best and most secure method of spotting bots trying to pass themselves off as human users.
Unfortunately for the company, researchers Elie Bursztein, Matthieu Martin, Shang Ping, Jonathan Aigrain, Mike Bailey and John Mitchell have managed to prove that over 90 percent of the company's video CAPTCHAs can be decoded by using their Decaptcha software in conjunction with optical flow algorithms created by researchers in the computer vision field of study.
Elie Bursztein shared their results and quite a few details about the research in a blog post on Friday, saying that while discussing ongoing research is unorthodox in the security community, the numerous interactions he has had with various companies over the last 3 years made him realize many people rely on research results to design CAPTCHAs.
"In this context, it is our duty to provide them the best and most secure design guidelines possible," he commented. "I strongly believe in the example set by the cryptography community, that the best security is achieved through an open process and not with secrecy or isolation."
The post was also published months after they shared their research results with NuCaptcha, whom they advised on how to strengthen the technology.
"Our fix is based on a new design principle called tracking resistance," shared Bursztein. "Intuitively, tracking resistance means you add objects that have the same properties as the real CAPTCHA so the algorithm doesn't know which object in the video it should track. When successfully implemented, tracking resistance makes video CAPTCHA secure against vision/machine learning attacks and more secure than standard text-based CAPTCHAs."
In short, they say that in order for video CAPTCHAs to be more secure, NuCaptcha needs to remove every feature that allows attackers to tell apart decoy moving objects and the real CAPTCHAs.
With the help of the researchers, NuCaptcha has worked on a fix for the problem, which includes heavier distortions and more crowded letters. They also mean to add inter-frame manipulation (video CAPTCHAs contain about 500 frames) in order to prevent the optical flow analysis.
Bursztein remains skeptical about this last solution, but said they will reserve their judgment until after they have a chance to test the new, improved CAPTCHAs.