• On TechRepublic: 10 cool USB flash drive tricks
March 25, 2009 1:49 PM PDT

3D-based Captchas become reality

by Dong Ngo

The newly implemented Captcha method that's based on 3D images.

(Credit: Dong Ngo/CNET)

I wrote a blog about a new way of creating Captchas by using 3D images that Taylor Hayward, a blogger, came up with and thought it would be really cool when implemented. Now, 3D Captchas seem to have become a reality--however, not from Hayward.

Incidentally, the folks at YUNiTi.com, a social Web site, have been working on the same idea for a few weeks and have implemented the method on their Web site.

The site announced Wednesday that it has created a 3D Captcha method that is unbreakable by current computer technology, yet much easier for humans to identify.

Captchas is short for Completely Automated Public Turing tests to tell Computers and Humans Apart. This is a way to make sure the input is not generated by a computer.

Similar to Hayward's idea, this new technology relies on our ability to identify objects in 3D instead of using alphanumeric characters. YUNiti's 3D Captcha, however, has three objects in the challenge and extends the list of images to any object, not limiting it to animals as in Hayward's idea. This increases the challenge's level of complication to prevent computers from successfully making the correct guesses.

I tried a new Captcha at the Web site and it worked very well. You just need to click on the placeholders for each object, then you are presented with a list of objects to choose from. After four mouse clicks, I passed the Captcha the very first time.

Marcos Boyington, co-founder and primary software engineer of YUNiTi.com, told CNET News that he and his brother came up with the idea without knowing of Taylor Hayward's method. Boyington believes this was joint discovery of the same concept by people in different parts of the world. He said he is seeking contact with Hayward to talk about collaboration opportunities.

You can try the new Captcha by visiting YUNiTi.com.

Dong Ngo is a CNET editor who covers networking and network storage, and writes about anything else he finds interesting. You can also listen to his podcast at insidecnetlabs.cnet.com. E-mail Dong.
Topics:

Security,

Gadget news

Tags:

Captcha,

Taylor Hayward,

3D image,

chellenge; YUNiTi

Share:
Digg
Del.icio.us
Reddit
Recent posts from Crave
Beamer, the iPhone case for night owls
This week in Crave: Day of the Droid edition
Verizon's LG Chocolate Touch is nice but nothing new
Popular iPhone movie app flops on BlackBerry
Top 5 most popular products for November
Ridiculous new Peeks inspired by TwitterPeek
Hands-on with the Nokia Booklet 3G
Battle of the international power plugs
Add a Comment (Log in or register) (31 Comments)
  • prev
  • 1
  • next
by DoesWhat March 25, 2009 2:00 PM PDT
The spam bot has a 1 in 9 chance of getting it right compared to a text captcha where the bot has almost no chance of guessing, even with an advanced OCR. I like the idea of advancing captcha and there is probably something is 3D. But this is just matching pictures. The 3D in this example has no relevance.
Reply to this comment
by DoesWhat March 25, 2009 2:03 PM PDT
Apologies, something more like a 1/5832 chance.
by rikkles March 25, 2009 2:31 PM PDT
This is very bad. Using a simple wavelet matching algorithm, the spam bot can easily guess what those pictures are. The picts need to have very hard to find image edges. The 3D images need to be within a complex scene, not a black background.
Reply to this comment
by marquinhocb March 25, 2009 3:04 PM PDT
Rickles: Please send us this supposed wavelet matching algorithm, we'd love to see it in action. As far as we're concerned, this captcha is impossible to crack. If we're wrong, we'd love to see a real-world example of it being cracked.
by Hunnter2k3 March 25, 2009 3:49 PM PDT
If the images were generated with different shading models each time (and maybe even textures?), it would solve this problem instantly.
The Order and 9x9 grid are already rendered differently as it is, so that is 2 separate patterns it would have to match, and pattern matching for complex objects is in it's infancy.

On the complex scene part, even if it were, would it matter?
Not really, the bot could still detect the object due to the colour.
As i mentioned above, unless complex textures are used, there is no point to make a complex background.

The whole reason i went off Myspace was their stupidly long captchas.
Hopefully this will take off more, visual and clickable captchas are much more pleasing than having to type out things, nobody likes typing. (heh)
But on a serious note, since handhelds with touchscreens are becoming more popular, it would make sense to evolve to clickable captchas.
by Hunnter2k3 March 25, 2009 4:09 PM PDT
Sorry, not 9x9 grid, i never realized there were more images displayed.

Also, Chrome (1.x) can't display the Order image, it displays the other images fine.
I'm not sure it likes &.png.
Not sure if that is meant to be the correct behaviour or not, but i will file a report on for it on the group.
by Hunnter2k3 March 25, 2009 4:11 PM PDT
Bah, sorry for triple posting, but it appears to not work on any browser i have tried... (FF2, Arora, Chrome 1.x and 0.x)
by marquinhocb March 25, 2009 7:33 PM PDT
Sorry about that Hunter2k3, our servers were under heavier load than we were expecting, we've upped the processing cycles for 3D renderings so that this doesn't happen again. Give it a shot now!
by marquinhocb March 25, 2009 7:38 PM PDT
Regarding your comment on texturing: that's precise, more layers of complication could be added to the scheme to make it, in essence, impossible to crack with current computing power.

The first of these would be to, say, have 4 boxes to fill instead of 3. That increases the probability of a correct guess to 1/104,000. Next would be to have more than 18 objects (although the user would always be given a "palette" of 18 objects to pick from, otherwise it would take too long to scan the objects). There would be, say, 100 objects, and the user would get 18 randomly picked objects to choose from (out of the 100).

Lastly, textures could be added to objects to make them even more difficult to recognize by software.

But the point here is, even with simple, basic greyscale objects like our captchas, it's still far more complex to crack than letter captchas. Being an experienced software engineer, if I had to pick the task of cracking recaptcha or cracking this new 3d-image based captcha, I'd take the former. Recognizing 2D letters is a lot simpler than making out objects from 3space which have been projected onto 2D.
by haggais April 7, 2009 1:51 PM PDT
marquinhocb: "Impossible to crack" sounds like you might be overstating the case ever so slightly...

First off, CAPTCHAs are inherently crackable by cheap human labour, which you can't make unprofitable without making the CAPTCHAs an unreasonable burden for legitimate users. This is not a flaw in this particular system, of course.

As regards this particular CAPTCHA scheme, if you solve it (even manually) for a few dozen, or at most a few hundred rotated views of each object, you're pretty much done, as small rotations (e.g. 10 degrees) of the 3D objects are quite close to simple 2D transformations. Since there only seem to be a few tens of objects from which the puzzles are selected, that's a small enough task to get started, and a library of easily recognisable 3D objects is unlikely to run to millions, or even to tens of thousands.

I have a few more details up at http://technobabblepro.blogspot.com/2009/04/how-theyll-break-3d-captcha.html and an earlier post there.
by karpenterskids March 25, 2009 2:46 PM PDT
Taylor's 3-D images were a lot nicer...but either way, 3-D still beats a regular (especially long) captcha anyday. :]
Reply to this comment
by myles taylor March 25, 2009 2:57 PM PDT
They've been using 3D Captchas on Runescape for ages now. The bots still find ways around them. There are no foolproof systems, at least not yet. I'm sure this is promising though. The money is behind the creation of bots though.
Reply to this comment
by Pete Bardo March 25, 2009 3:09 PM PDT
By 3D I assumed you meant three dimensional. I only see 2 dimensions in the images, unless your counting the shading as a dimension. Sure the images show different views of the same object, but what's 3D about it?
Reply to this comment
by c|net Reader March 27, 2009 9:29 AM PDT
The image to match and the matching image are distinct 2D projections of a 3D object.
by hummingkris March 25, 2009 3:59 PM PDT
We at hummingbytes have SMS / VOICE Catchas. A SMS / VOICE Captcha will send a Alphanumeric code as a TEXT message or call you on your call and read out the alphanumeric code, which can then be entered on the website to ensure you are a human and not a bot.

This link will take you to a page that demonstrates the SMS / VOICE Captcha.
http://www.hummingbytes.com/demos.aspx?PRODUCT=WebSecurity
Reply to this comment
by marquinhocb March 25, 2009 7:40 PM PDT
What's to stop a hacker from plugging in their cellphone to their computer and having a script that checks SMS's for an alphanumeric code? This is even easier to hack than a classic alphanumeric captcha. If you're going to spam a product, at least make sure it's a good one!
by Dalkorian March 26, 2009 12:52 PM PDT
Nice, so if I don't have a cell phone I'm not welcome on your website?
by c|net Reader March 27, 2009 9:30 AM PDT
What about those that don't use SMS and don't wish to pay for it?
by hummingbytes April 21, 2009 12:04 PM PDT
marquinhocb what are you even talking about ?

I am not sure if you understood what we do OR I am not understanding your reasoning.

If a SMS is being sent to a phone number, which you need to read and then enter in a website to get access, how does a hacker connect their phone to the computer and use a script to hack in ?
by hummingbytes April 21, 2009 12:05 PM PDT
Dalkorian, if you do not have a cell phone, then you can always use a land line and use the VOICE part of captcha to get in.
by hummingbytes April 21, 2009 12:06 PM PDT
c|net Reader, if you do not want to pay for the incoming SMS, then you can always use the VOICE part of captcha to get access. There is a provision to use Email also if you do not have a cell phone / landline.
by afhill March 25, 2009 8:50 PM PDT
Michael Kaplan posted about 3D CAPTCHAs in 2005, and his description thereof states "Patent pending". It would be interested to know what about 3D CAPTCHAs specifically he's hoping to patent...

http://spamfizzle.com/CAPTCHA.aspx
Reply to this comment
by codynews March 26, 2009 6:50 AM PDT
geeze, is this really necessary? I'm tired of all this "captcha" crap already. Some of them are very hard for humans to get right.

Make them simple. If someone can 'crack' them and spam is it really the end of the world? You still stop 99.99% by just using *something*
Reply to this comment
by Eludium-Q36 March 26, 2009 9:39 AM PDT
Agreed, this has gotten ridiculous, these captcha images are far more trouble than they're worth.
by marquinhocb March 26, 2009 2:16 PM PDT
I agree with you codynews - though you have to admit, clicking 3 types on easily identifiable objects is a lot simpler than trying to make out some of these new captchas (recaptcha included)!

I figure if you're going to make it more difficult for a human to use your site than a script, why even bother. The idea of this 3D captcha is to make it pathetically simple for us, and insanely difficult for scripts.
by c|net Reader March 27, 2009 9:33 AM PDT
I prefer not having to skip past all of the spam. More than a little seriously reduces the value of a forum.

This scheme requires too many clicks and must have a bypass for the blind and others with disabilities. That bypass mechanism will probably be weaker and is the more likely attack vector. Thus, I'm not sure 3D CAPTCHAs are any better.
by knowles2 March 26, 2009 7:40 AM PDT
Cool technology and cool idea. Better than type letters.
Not sure how long it will take to come up with a method of getting computers to learn how to do it, I am sure not as long as people think it will take or required as much processing as people think.
Reply to this comment
by rjonesx March 27, 2009 9:14 PM PDT
Unfortunately this suffers from the same issue of all CAPTCHAs... Simply find a resource out there willing to fill out CAPTCHAs (such as people who think they are filling out CAPTCHAs to get into 1 site, when in reality their answers are being used to crack another)
Reply to this comment
by MechScape_Ren March 28, 2009 2:10 AM PDT
RuneScape has had 3D Captchas for ages now.
Reply to this comment
by FrankTangoAlpha April 3, 2009 3:41 PM PDT
The is a better picture captcha here:

http://www.CaptchaTheDog.com/contact.html

The images rotating with a random number of images makes odds better than 50,000 to 1
Reply to this comment
by alexschrod April 8, 2009 9:54 PM PDT
How does this work for the blind or visually impaired? At least some text CAPTCHAs, like reCAPTCHA, also provide an auditory alternative.
Reply to this comment
(31 Comments)
  • prev
  • 1
  • next
advertisement

About Crave

The name says it all. Crave is our blog about gorgeous gadgets and other crushworthy stuff. If you would like to contact Crave with a tip or comment, please write to: crave@cnet.com

Add this feed to your online news reader

Crave topics

FAQ: Buying the right Windows 7 upgrade

Readers still have lots of questions on just which version of the software they need to buy in order to upgrade their PC. CNET News tries to offer some answers.

N.Y. lawsuit details Intel's 'largesse' toward Dell

Attorney General Andrew Cuomo's federal antitrust case filed Wednesday alleges a longstanding symbiotic relationship between Intel and Dell.

News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET